SOC 2 Evidence Collection Plan Builder

Create a practical SOC 2 evidence collection plan that maps controls, owners, artifacts, deadlines, and audit readiness gaps.

Prompt Template

Act as a compliance operations lead preparing a company for SOC 2. Build an evidence collection plan for [company name], a [company type/stage] with [team size] employees.

Audit context:
- SOC 2 type: [Type I / Type II]
- Trust Services Criteria in scope: [Security, Availability, Confidentiality, Processing Integrity, Privacy]
- Audit target date or observation window: [timeline]
- Core systems: [cloud provider, IdP, HRIS, ticketing, code repo, monitoring, MDM, vendor tools]
- Current compliance tooling: [none / Vanta / Drata / Secureframe / custom spreadsheets / other]
- Known concerns: [access reviews, change management, vendor risk, incident response, backups, asset inventory]

Produce:
1. **Readiness summary** with assumptions and immediate risks
2. **Control-to-evidence matrix** with control area, evidence artifact, source system, owner, frequency, and auditor-friendly notes
3. **Collection calendar** for the next [time period]
4. **Owner assignment plan** for security, engineering, people ops, legal, and leadership
5. **Evidence quality checklist** so screenshots, exports, policies, and tickets are audit-ready
6. **Gap remediation backlog** ranked by audit risk and effort
7. **Auditor request tracker template**
8. **Internal kickoff message** explaining responsibilities and deadlines

Add a note that this is operational planning, not legal or audit advice, and should be reviewed with the auditor or compliance advisor.

Example Output

SOC 2 Evidence Plan: Type II Readiness

High-Risk Gaps

1. Quarterly access reviews are informal and not ticketed.

2. Change approvals happen in Slack but are not linked to pull requests.

3. Vendor review evidence exists, but ownership is unclear.

Control-to-Evidence Matrix

| Control Area | Evidence | Source | Owner | Frequency |
|---|---|---|---|---|
| Logical access | User export + access review sign-off | Okta, Jira | IT Lead | Quarterly |
| Change management | PR approvals + deployment logs | GitHub, CI | Eng Manager | Per release |
| Incident response | Policy, tabletop notes, incident tickets | Notion, Linear | Security Lead | Annual + as needed |

Next 30 Days

- Create access review ticket template

- Export current employee/app roster

- Run evidence dry-run with auditor sample requests
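As an added illustration (not part of the prompt template or its example output), the script below turns a control-to-evidence matrix like the one above into a Type II collection schedule: it expands each row's frequency across an assumed observation window and flags rows with no owner or no ticketed source system, the two readiness gaps the example calls out. The observation window, the set of ticketed systems, and the added vendor-risk row are assumptions.

```python
import calendar
from datetime import date
# Constructed matrix: the three rows from the example above plus an assumed
# vendor-risk row that reproduces gap 3 (evidence exists, owner unclear).
MATRIX = [
    {"control": "Logical access", "sources": ["Okta", "Jira"],
     "owner": "IT Lead", "frequency": "Quarterly"},
    {"control": "Change management", "sources": ["GitHub", "CI"],
     "owner": "Eng Manager", "frequency": "Per release"},
    {"control": "Incident response", "sources": ["Notion", "Linear"],
     "owner": "Security Lead", "frequency": "Annual + as needed"},
    {"control": "Vendor risk", "sources": ["Spreadsheet"],
     "owner": "", "frequency": "Annual"},
]
# Assumed: systems whose records give the auditor a sampleable ticket trail.
TICKETED_SYSTEMS = {"Jira", "Linear", "GitHub"}
# Months between collections; event-driven frequencies have no cadence.
CADENCE_MONTHS = {"Monthly": 1, "Quarterly": 3, "Annual": 12}

def add_months(d, n):
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def collection_dates(frequency, start, end):
    """Expand 'Quarterly' or 'Annual + as needed' into dates inside the
    observation window; 'Per release' style frequencies yield []."""
    step = CADENCE_MONTHS.get(frequency.split()[0])
    if step is None:
        return []
    dates, current = [], start
    while current <= end:
        dates.append(current)
        current = add_months(current, step)
    return dates

def build_plan(matrix, window_start, window_end):
    """Return (schedule, gaps): ISO collection dates per control, plus the
    readiness gaps an auditor would flag (no owner, no ticketed source)."""
    start, end = date.fromisoformat(window_start), date.fromisoformat(window_end)
    schedule, gaps = {}, []
    for row in matrix:
        dates = collection_dates(row["frequency"], start, end)
        schedule[row["control"]] = [d.isoformat() for d in dates]
        if not row["owner"]:
            gaps.append(f"{row['control']}: no owner assigned")
        if not TICKETED_SYSTEMS.intersection(row["sources"]):
            gaps.append(f"{row['control']}: evidence not tied to a ticketed system")
    return schedule, gaps
```

Calling `build_plan(MATRIX, "2025-01-01", "2025-12-31")` yields four quarterly dates for logical access, one annual date each for incident response and vendor risk, an empty list for the per-release control (sampled from the ticket trail instead), and two gaps on the vendor-risk row.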

Tips for Best Results

  • 💡 List your actual systems; evidence plans are only useful when tied to real source tools.
  • 💡 Specify whether you are preparing for Type I or Type II because the evidence cadence differs.
  • 💡 Ask for spreadsheet-ready tables if you plan to paste the output into compliance tooling.
  • 💡 Have an auditor or compliance expert review final control language before relying on it.