SOC 2 prompt library

SOC 2 prompt library overview

What you'll find in this library

This SOC 2 prompt library provides ready-to-use prompts for every phase of your SOC 2 compliance journey. Each prompt is designed to help you work with ISMS Copilot to generate audit-ready outputs aligned with the Trust Services Criteria.

How to use these prompts

Copy and customize: All prompts use [brackets] to indicate where you should insert your specific details. Replace these placeholders with your organization's information.

Iterate for depth: Start with overview prompts, then drill down into specific criteria or controls. Ask follow-up questions to expand sections or refine outputs.

Upload context: For best results, upload your existing policies, system descriptions, or previous audit reports to your workspace before using these prompts.

Create a dedicated workspace for your SOC 2 project to keep all conversations, files, and generated documents organized in one place.

Prompt categories

The library is organized to match the SOC 2 compliance lifecycle:

Trust Services Criteria analysis

Prompts for understanding and scoping which Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) apply to your services and how to meet each requirement.

Policy and procedure development

Generate SOC 2-compliant policies and procedures covering security governance, change management, incident response, and data protection that map directly to TSC requirements.

Control design and implementation

Design and document controls for each applicable Trust Services Criterion, including control objectives, activities, frequency, and responsible parties.

Audit preparation

Prepare for Type I or Type II audits with prompts for evidence collection, system descriptions, control matrices, and auditor walkthroughs.

Documentation and reporting

Create comprehensive SOC 2 documentation including system descriptions, control narratives, gap analysis reports, and remediation plans.

Best practices for SOC 2 prompts

Be specific about your service: SOC 2 is service-specific. Always specify which system or service you're addressing (e.g., "our cloud-based CRM platform").

Specify your report type: Clarify whether you're preparing for a Type I (point-in-time) or Type II (period of time) examination, as evidence requirements differ.

Reference criteria explicitly: Use official TSC notation (e.g., "CC6.1" for Common Criteria 6.1, the logical and physical access control criterion under Security) to ensure accurate, framework-aligned responses.

Validate with standards: Always cross-reference generated content with the official AICPA Trust Services Criteria and your auditor's guidance.

ISMS Copilot generates draft content to accelerate your SOC 2 work. All outputs should be reviewed by your compliance team and auditor to ensure they accurately reflect your systems and controls.

Workflow example

Here's how to use this library for a complete SOC 2 implementation:

  1. Start with scoping: Use Trust Services Criteria prompts to determine which criteria apply to your service

  2. Design controls: Generate a control matrix mapping your controls to applicable TSC requirements

  3. Develop policies: Create supporting policies and procedures using the policy development prompts

  4. Document your system: Build your system description and control narratives with documentation prompts

  5. Prepare for audit: Use audit preparation prompts to organize evidence and create auditor-ready materials

  6. Iterate and refine: Review auditor feedback and use prompts to address gaps or questions

Combine prompts from multiple categories in the same conversation to build comprehensive, interconnected documentation that flows naturally.