A CLI tool for assessing SOC 2 compliance gaps against the AICPA Trust Services Criteria (TSC). Built for security consultants, compliance teams, and auditors who need a structured, repeatable assessment workflow.
- Full TSC coverage — All 5 Trust Services Criteria categories (Common Criteria, Availability, Processing Integrity, Confidentiality, Privacy) with 50+ individual controls
- Gap prioritization — Auto-classifies gaps by Critical/High/Medium/Low priority with effort hour estimates
- Remediation roadmap — Generates a phased remediation plan sorted by priority and effort
- JSON state files — Assessments are portable, version-controllable JSON files
- Markdown reports — Professional assessment reports ready for client delivery
- Zero dependencies — Pure Node.js, no npm install required
```bash
# Global install (use the `soc2-assess` command)
npm install -g soc2-gap-assessment-tool

# Or run directly with npx (no install needed)
npx soc2-gap-assessment-tool init "Acme Corp"

# Or clone and run locally
git clone https://github.com/Vuln-Z/soc2-gap-assessment-tool.git
cd soc2-gap-assessment-tool
node cli.js init "Acme Corp"
```

```bash
# Create a new assessment
soc2-assess init "Acme Corp" --scope CC,A --type "Type II"
# — or without install —
npx soc2-gap-assessment-tool init "Acme Corp" --scope CC,A --type "Type II"

# List all Common Criteria controls
soc2-assess list CC

# Assess individual controls
soc2-assess assess acme-corp-assessment.json CC6.1 not_implemented -p C -n "No SSO configured"
soc2-assess assess acme-corp-assessment.json CC7.4 not_implemented -p C -n "No IR plan"
soc2-assess assess acme-corp-assessment.json CC6.3 partial -p H -n "Reviews annual, needs quarterly"

# Check progress
soc2-assess progress acme-corp-assessment.json

# Generate full report
soc2-assess report acme-corp-assessment.json
```

| Category | Code | Controls | Description |
|---|---|---|---|
| Common Criteria | CC1–CC9 | 37 | Security foundation (required for all SOC 2) |
| Availability | A1 | 3 | System uptime and recovery |
| Processing Integrity | PI1 | 3 | Accurate, complete processing |
| Confidentiality | C1 | 2 | Protect confidential data |
| Privacy | P1–P7 | 11 | Personal information handling |
## Executive Summary
- **Assessment Completion:** 85% (43/50 controls)
- **Compliance Score:** 62%
- **Gaps Identified:** 8
- **Estimated Remediation Effort:** 72 hours
## Remediation Roadmap
### Phase 1 — Critical (Week 1-2, ~16h)
- [ ] CC6.1: No centralized identity provider (IdP) or SSO
- [ ] CC7.4: No documented incident response plan
### Phase 2 — High (Week 3-6, ~24h)
- [ ] CC6.3: Access reviews not performed quarterly
- [ ] CC8.1: No formal change management process

- Consultants — Run structured SOC 2 readiness assessments for clients
- Internal teams — Self-assess before engaging an auditor
- Auditors — Standardize gap analysis across engagements
- Training — Learn TSC controls through hands-on assessment
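The progress and roadmap steps from the Quick Start, reimplemented as an added example (this is not the project's own assessor.js code): it computes completion and estimated effort over a constructed assessment and groups the gaps into priority phases with summed hours, the way the sample report does. The JSON state-file shape and the field names (status, priority, effortHours, note) are assumptions, not the tool's real schema.

```javascript
// Added example, not the project's own code: a minimal version of the
// progress and roadmap steps from the Quick Start above. The state-file
// shape (controls keyed by TSC id with status/priority/effortHours/note)
// is an assumption; the real schema lives in assessor.js, not shown here.
const PRIORITY_ORDER = { C: 0, H: 1, M: 2, L: 3 };
const PHASE_LABEL = { C: 'Critical', H: 'High', M: 'Medium', L: 'Low' };
// Constructed sample assessment using the controls from the Quick Start.
const sampleAssessment = {
  client: 'Acme Corp',
  controls: {
    'CC6.1': { status: 'not_implemented', priority: 'C', effortHours: 8, note: 'No SSO configured' },
    'CC7.4': { status: 'not_implemented', priority: 'C', effortHours: 8, note: 'No IR plan' },
    'CC6.3': { status: 'partial', priority: 'H', effortHours: 4, note: 'Reviews annual, needs quarterly' },
    'CC8.1': { status: 'not_implemented', priority: 'H', effortHours: 20, note: 'No formal change management process' },
    'CC1.1': { status: 'implemented' },
    'A1.2': { status: 'not_assessed' },
  },
};
const isGap = (c) => c.status === 'not_implemented' || c.status === 'partial';

// Progress: completion counts assessed controls; a gap is anything assessed but not fully implemented.
function progress(assessment) {
  const all = Object.values(assessment.controls);
  const assessed = all.filter((c) => c.status !== 'not_assessed');
  const gaps = assessed.filter(isGap);
  return {
    completionPct: Math.round((assessed.length / all.length) * 100),
    assessed: assessed.length,
    total: all.length,
    gaps: gaps.length,
    estimatedEffortHours: gaps.reduce((h, c) => h + c.effortHours, 0),
  };
}

// Roadmap: one phase per priority level, gaps ordered by priority then effort (quick wins first).
function roadmap(assessment) {
  const gaps = Object.entries(assessment.controls).filter(([, c]) => isGap(c));
  gaps.sort(([, a], [, b]) =>
    PRIORITY_ORDER[a.priority] - PRIORITY_ORDER[b.priority] || a.effortHours - b.effortHours);
  const phases = [];
  for (const [id, c] of gaps) {
    let phase = phases.find((p) => p.priority === c.priority);
    if (!phase) phases.push((phase = { priority: c.priority, label: PHASE_LABEL[c.priority], hours: 0, items: [] }));
    phase.hours += c.effortHours;
    phase.items.push(`- [ ] ${id}: ${c.note}`);
  }
  return phases;
}
console.log(JSON.stringify({ progress: progress(sampleAssessment), roadmap: roadmap(sampleAssessment) }, null, 2));
```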
```
├── cli.js           # CLI entry point (npx / global bin: soc2-assess)
├── assessor.js      # Core assessment engine
├── tsc-controls.js  # TSC controls database + common gaps + effort estimates
├── test.js          # Test suite (22 tests)
└── README.md
```
- Interactive guided assessment mode
- Export to CSV / Excel for spreadsheet users
- Evidence collection reminders per control
- Multi-framework mapping (SOC 2 → ISO 27001, NIST CSF)
MIT — see LICENSE for details.
Built by Vuln Z — cybersecurity professional focused on cloud security and compliance automation.