SOC 2 Prompt Library

Prompts for analyzing the Trust Services Criteria

Understanding the Trust Services Criteria

Use these prompts to work out which Trust Services Criteria (TSC) apply to your service and to understand the specific requirements for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (the Common Criteria) is mandatory in every SOC 2 report; the other four categories are included only where the service makes commitments in that area.

Scoping your SOC 2 engagement

Determining the applicable criteria

I'm preparing for a SOC 2 audit for [describe your service/system]. Security is always in scope; help me determine which of the additional Trust Services Criteria (Availability, Processing Integrity, Confidentiality, Privacy) are applicable based on:
- Service type: [e.g., cloud-based HR platform]
- Data handled: [e.g., employee PII, payroll data]
- Customer expectations: [e.g., 99.9% uptime guarantee]
- Regulatory requirements: [e.g., GDPR, HIPAA]

Provide a recommendation with justification for each criterion.

Defining the scope boundaries

Help me define the scope boundaries for my SOC 2 Type [I/II] audit of [service name]. Include:
- In-scope systems and applications: [list key systems]
- Out-of-scope components: [list exclusions]
- Third-party services: [list vendors]
- Physical locations: [list data centers/offices]
- Time period: [for Type II, the review period the report will cover]

Generate a scope statement suitable for inclusion in my system description.

Upload your existing system architecture diagram or network plan to help ISMS Copilot give more precise scoping recommendations.

Common Criteria (Security - required)

Overview of the Security criteria

Explain the Security Common Criteria (CC1.0 through CC9.0) requirements for SOC 2. For each criterion, provide:
- The control objective
- Key requirements and points of focus
- Typical controls organizations implement
- Common audit evidence

Deep dive into specific criteria

Provide detailed guidance on SOC 2 criterion [CC6.1] including:
- Full requirement text and points of focus
- How this applies to [describe your environment]
- Example controls that satisfy this criterion
- Evidence auditors typically request
- Common gaps organizations face

Availability criteria

Assessing whether Availability applies

I offer [service description] with [uptime SLA/commitment]. Should I include the Availability criteria in my SOC 2 scope? Consider:
- Our uptime commitment: [percentage or description]
- System architecture: [e.g., multi-region cloud, single data center]
- Customer contracts: [uptime guarantees]
- Incident history: [recent availability issues]

Provide a recommendation and list the specific Availability criteria I'd need to address.

Mapping Availability controls

List all SOC 2 Availability criteria (A1.1, A1.2, A1.3) and for each one, suggest specific controls for [your service type]. Include:
- Monitoring and alerting controls
- Capacity planning processes
- Incident response procedures
- Backup and recovery mechanisms

Processing Integrity criteria

Applicability of Processing Integrity

Help me determine if Processing Integrity criteria apply to my SOC 2 scope. My service:
- Type: [e.g., payment processing, data transformation, reporting]
- Processing activities: [describe key data processing]
- Accuracy requirements: [customer expectations or regulatory requirements]
- Quality controls: [existing validation processes]

Should I include Processing Integrity? What specific criteria would apply?

Identifying processing controls

For SOC 2 Processing Integrity criterion [PI1.1], help me identify controls for [your processing activity]. Address:
- Input validation and data quality checks
- Processing logic verification
- Output accuracy monitoring
- Error detection and correction
- Reconciliation processes

Confidentiality criteria

Scoping Confidentiality

I handle [types of confidential information] in my service. Analyze whether Confidentiality criteria should be in scope considering:
- Data types: [customer proprietary data, trade secrets, etc.]
- Contractual obligations: [NDAs, customer agreements]
- Access controls: [who can access what]
- Encryption practices: [at rest and in transit]

Provide a recommendation and list applicable Confidentiality criteria.

Designing Confidentiality controls

Design controls to meet SOC 2 Confidentiality criteria for [your service]. Cover:
- Data classification scheme
- Access control policies
- Encryption requirements (at rest, in transit, in use)
- Secure disposal procedures
- Third-party confidentiality agreements

Privacy criteria

Assessing whether Privacy applies

Determine if Privacy criteria apply to my SOC 2 scope. We process:
- Personal information types: [list PII collected]
- Data subjects: [customers, employees, end users]
- Privacy regulations: [GDPR, CCPA, etc.]
- Privacy commitments: [privacy policy, consent mechanisms]
- Geographic scope: [regions where data subjects are located]

Should Privacy be included? Which specific Privacy criteria are most relevant?

Mapping the GAPP principles

Map the Generally Accepted Privacy Principles (GAPP) to our privacy practices for [your service]:
- Management: [who owns the privacy program and how policies are maintained]
- Notice: [how we inform data subjects]
- Choice and consent: [opt-in/opt-out mechanisms]
- Collection: [what we collect and why]
- Use, retention, and disposal: [how we use data, retention periods, and disposal]
- Access: [data subject access rights]
- Disclosure to third parties: [who we share with]
- Security for privacy: [privacy-specific security controls]
- Quality: [data accuracy measures]
- Monitoring and enforcement: [compliance oversight]

Generate a mapping table from these practices to the SOC 2 Privacy criteria (P1 through P8), which superseded GAPP as the audit basis in the 2017 Trust Services Criteria.

If you operate in multiple jurisdictions, make sure your Privacy criteria analysis accounts for region-specific requirements such as GDPR, CCPA, or other data protection laws.

Cross-criteria analysis

Identifying overlaps between criteria

I'm including [list selected criteria] in my SOC 2 scope. Identify where these criteria overlap and how I can design controls that satisfy multiple criteria simultaneously. Provide:
- Common control objectives across criteria
- Shared evidence opportunities
- Integrated control recommendations
- Efficiency tips for audit preparation

Gap analysis by criterion

Conduct a gap analysis for [specific Trust Services Criterion] against our current state:

Current controls in place:
[Describe your existing controls]

Current documentation:
[List policies, procedures you have]

Known weaknesses:
[List any known gaps]

Provide a detailed gap assessment with prioritized remediation recommendations.

Use these criteria-analysis prompts early in your SOC 2 process to set the right scope and avoid costly scope changes once the audit is underway.
