C1.1
gapC1.1 Confidentiality Commitments readiness
Severity 5; 3 evidence expectations are missing in the current public sample.
PUBLIC PREVIEWsoc_2Aligned: 2026-03-14
SOC 2 Readiness
A readiness pack for organisations that need to show disciplined trust-service control evidence before any formal SOC examination.
This page is a public-safe wrapper over the real artifacts. It shows the review shape and posture of the current pack without making the full pack the default public surface.
Who it is for
- SaaS teams preparing for buyer scrutiny, trust reviews, or a future SOC 2 journey.
- Economic buyers or auditors who need to inspect control evidence quality, not marketing summaries.
- Operators who want a repeatable baseline across governance, access, monitoring, and change practices.
Civitas preview document
SOC 2 Readiness
Public preview derived from the real pack. Includes the reviewer summary, representative controls, representative gaps, and artifact posture.
Pack ID: PACK-001
Public alignment: 2026-03-14
Public source: Canonical public specimen
Verification: OK
Total controls
100
Visible gaps
100
Claims
2
Verifier
15
Reviewer summary
The artifact structure is verified, but the current sample remains gap-heavy: 100 of 100 controls are marked as gaps in the current public output.
The declared in-scope statement is "Vendor security control assessment", and the declared out-of-scope statement is "Penetration testing and red teaming". This is a public preview, not the full control matrix.
Current posture
Verified structure
Public context: Curated preview over the real artifacts
Boundary: Full pack retained for customer delivery
Sealed artifacts: 6
Verify model: Local confirmation of the complete pack
Representative controls
| ID | Objective | Severity | Status |
|---|---|---|---|
| CC1.1 | Demonstrate that control environment is defined, operated, and reviewable with reproducible local evidence. | 4 | gap |
| CC1.2 | Demonstrate that control environment is defined, operated, and reviewable with reproducible local evidence. | 5 | gap |
| CC1.3 | Demonstrate that control environment is defined, operated, and reviewable with reproducible local evidence. | 4 | gap |
Representative gaps
C1.3
gapC1.3 Confidentiality Commitments readiness
Severity 5; 3 evidence expectations are missing in the current public sample.
C1.5
gapC1.5 Confidentiality Commitments readiness
Severity 5; 3 evidence expectations are missing in the current public sample.
Sample artifact block
Decision preview
The complete HTML/PDF exists in the real pack. Here we expose only the cover, summary, and reviewer posture.
Integrity and verification
Verifier OK: yes; 15 checked entries; 6 sealed artifacts.
Public boundary
The complete control matrix, full evidence trace, full run log, and raw pack.zip remain in internal or customer-delivery context.
What it helps produce
- A reviewer-ready proof set tied to Common Criteria style themes and deterministic outputs.
- A practical readiness baseline for customer trust conversations and internal remediation planning.
- A portable artifact set for re-checking in the viewer and external review workflows.
What it covers at a high level
- Governance, risk, access, monitoring, vendor oversight, and change-discipline themes.
- Evidence-backed claims that surface where readiness is strong, partial, or missing.
- Decision outputs suitable for technical review and economic-buyer trust review.
What it does not claim
- A SOC 2 report, attestation opinion, or CPA-issued examination result.
- A replacement for formal scoping, control-design validation, or auditor procedures.
Full artifacts in customer delivery
DecisionPack.html
Browser-readable decision surface for reviewer inspection.
DecisionPack.pdf
Print-ready decision pack for procurement, audit, and leadership review.
DecisionPack.manifest.json
Artifact manifest and pack metadata for traceability.
DecisionPack.seal.json
Deterministic seal metadata for integrity review.
pack.zip
Pack archive delivered for local inspection and replay.
verify.json
Verifier output expected to resolve to a passing state on a valid public pack.
SHA256.txt
Checksums for reviewer-side integrity confirmation.
Those artifacts remain real and unchanged. The difference is only public exposure: the preview is default, not the full dump.
Relevant next steps
The public preview demonstrates the real product shape. The complete pack, full mapping, and full delivery remain available in customer-delivery or controlled demo context.