Executive Summary
| Severity-weighted score | 0.0% |
|---|---|
| Total controls | 100 |
| Met | 0 |
| Partial | 0 |
| Gap | 100 |
Key Gaps
- C1.1 Confidentiality Commitments readiness - gap - severity 5 - missing evidence 3
- C1.3 Confidentiality Commitments readiness - gap - severity 5 - missing evidence 3
- C1.5 Confidentiality Commitments readiness - gap - severity 5 - missing evidence 3
- C2.1 Confidential Data Lifecycle readiness - gap - severity 5 - missing evidence 3
- C2.3 Confidential Data Lifecycle readiness - gap - severity 5 - missing evidence 3
- C2.5 Confidential Data Lifecycle readiness - gap - severity 5 - missing evidence 3
- CC1.2 Control Environment readiness - gap - severity 5 - missing evidence 3
- CC1.4 Control Environment readiness - gap - severity 5 - missing evidence 3
- CC2.2 Communication and Information readiness - gap - severity 5 - missing evidence 3
- CC2.4 Communication and Information readiness - gap - severity 5 - missing evidence 3
- CC3.2 Risk Assessment readiness - gap - severity 5 - missing evidence 3
- CC3.4 Risk Assessment readiness - gap - severity 5 - missing evidence 3
Full Controls Table
| control_id | title | objective | evidence expectations | status | severity | evidence_count |
|---|---|---|---|---|---|---|
CC1.1 | CC1.1 Control Environment readiness | Demonstrate that control environment is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC1.2 | CC1.2 Control Environment readiness | Demonstrate that control environment is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC1.3 | CC1.3 Control Environment readiness | Demonstrate that control environment is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC1.4 | CC1.4 Control Environment readiness | Demonstrate that control environment is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC1.5 | CC1.5 Control Environment readiness | Demonstrate that control environment is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC2.1 | CC2.1 Communication and Information readiness | Demonstrate that communication and information is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC2.2 | CC2.2 Communication and Information readiness | Demonstrate that communication and information is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC2.3 | CC2.3 Communication and Information readiness | Demonstrate that communication and information is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC2.4 | CC2.4 Communication and Information readiness | Demonstrate that communication and information is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC2.5 | CC2.5 Communication and Information readiness | Demonstrate that communication and information is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC3.1 | CC3.1 Risk Assessment readiness | Demonstrate that risk assessment is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC3.2 | CC3.2 Risk Assessment readiness | Demonstrate that risk assessment is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC3.3 | CC3.3 Risk Assessment readiness | Demonstrate that risk assessment is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC3.4 | CC3.4 Risk Assessment readiness | Demonstrate that risk assessment is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC3.5 | CC3.5 Risk Assessment readiness | Demonstrate that risk assessment is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC4.1 | CC4.1 Monitoring Activities readiness | Demonstrate that monitoring activities is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC4.2 | CC4.2 Monitoring Activities readiness | Demonstrate that monitoring activities is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC4.3 | CC4.3 Monitoring Activities readiness | Demonstrate that monitoring activities is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC4.4 | CC4.4 Monitoring Activities readiness | Demonstrate that monitoring activities is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC4.5 | CC4.5 Monitoring Activities readiness | Demonstrate that monitoring activities is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC5.1 | CC5.1 Control Activities readiness | Demonstrate that control activities is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC5.2 | CC5.2 Control Activities readiness | Demonstrate that control activities is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC5.3 | CC5.3 Control Activities readiness | Demonstrate that control activities is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC5.4 | CC5.4 Control Activities readiness | Demonstrate that control activities is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC5.5 | CC5.5 Control Activities readiness | Demonstrate that control activities is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC6.1 | CC6.1 Logical and Physical Access readiness | Demonstrate that logical and physical access is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC6.2 | CC6.2 Logical and Physical Access readiness | Demonstrate that logical and physical access is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC6.3 | CC6.3 Logical and Physical Access readiness | Demonstrate that logical and physical access is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC6.4 | CC6.4 Logical and Physical Access readiness | Demonstrate that logical and physical access is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC6.5 | CC6.5 Logical and Physical Access readiness | Demonstrate that logical and physical access is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC7.1 | CC7.1 System Operations readiness | Demonstrate that system operations is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC7.2 | CC7.2 System Operations readiness | Demonstrate that system operations is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC7.3 | CC7.3 System Operations readiness | Demonstrate that system operations is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC7.4 | CC7.4 System Operations readiness | Demonstrate that system operations is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC7.5 | CC7.5 System Operations readiness | Demonstrate that system operations is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC8.1 | CC8.1 Change Management readiness | Demonstrate that change management is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC8.2 | CC8.2 Change Management readiness | Demonstrate that change management is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC8.3 | CC8.3 Change Management readiness | Demonstrate that change management is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC8.4 | CC8.4 Change Management readiness | Demonstrate that change management is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC8.5 | CC8.5 Change Management readiness | Demonstrate that change management is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC9.1 | CC9.1 Risk Mitigation readiness | Demonstrate that risk mitigation is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC9.2 | CC9.2 Risk Mitigation readiness | Demonstrate that risk mitigation is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC9.3 | CC9.3 Risk Mitigation readiness | Demonstrate that risk mitigation is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
CC9.4 | CC9.4 Risk Mitigation readiness | Demonstrate that risk mitigation is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
CC9.5 | CC9.5 Risk Mitigation readiness | Demonstrate that risk mitigation is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
C1.1 | C1.1 Confidentiality Commitments readiness | Demonstrate that confidentiality commitments is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
C1.2 | C1.2 Confidentiality Commitments readiness | Demonstrate that confidentiality commitments is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
C1.3 | C1.3 Confidentiality Commitments readiness | Demonstrate that confidentiality commitments is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
C1.4 | C1.4 Confidentiality Commitments readiness | Demonstrate that confidentiality commitments is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
C1.5 | C1.5 Confidentiality Commitments readiness | Demonstrate that confidentiality commitments is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
C1.6 | C1.6 Confidentiality Commitments readiness | Demonstrate that confidentiality commitments is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
C2.1 | C2.1 Confidential Data Lifecycle readiness | Demonstrate that confidential data lifecycle is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
C2.2 | C2.2 Confidential Data Lifecycle readiness | Demonstrate that confidential data lifecycle is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
C2.3 | C2.3 Confidential Data Lifecycle readiness | Demonstrate that confidential data lifecycle is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
C2.4 | C2.4 Confidential Data Lifecycle readiness | Demonstrate that confidential data lifecycle is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
C2.5 | C2.5 Confidential Data Lifecycle readiness | Demonstrate that confidential data lifecycle is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 5 | 0 |
C2.6 | C2.6 Confidential Data Lifecycle readiness | Demonstrate that confidential data lifecycle is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
A1.1 | A1.1 Availability Planning readiness | Demonstrate that availability planning is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for availability planning.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
A1.2 | A1.2 Availability Planning readiness | Demonstrate that availability planning is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for availability planning.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
A1.3 | A1.3 Availability Planning readiness | Demonstrate that availability planning is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for availability planning.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
A1.4 | A1.4 Availability Planning readiness | Demonstrate that availability planning is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for availability planning.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
A2.1 | A2.1 Backup and Recovery readiness | Demonstrate that backup and recovery is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for backup and recovery.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
A2.2 | A2.2 Backup and Recovery readiness | Demonstrate that backup and recovery is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for backup and recovery.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
A2.3 | A2.3 Backup and Recovery readiness | Demonstrate that backup and recovery is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for backup and recovery.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
A2.4 | A2.4 Backup and Recovery readiness | Demonstrate that backup and recovery is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for backup and recovery.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
A3.1 | A3.1 Resilience Testing readiness | Demonstrate that resilience testing is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for resilience testing.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
A3.2 | A3.2 Resilience Testing readiness | Demonstrate that resilience testing is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for resilience testing.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
A3.3 | A3.3 Resilience Testing readiness | Demonstrate that resilience testing is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for resilience testing.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
A3.4 | A3.4 Resilience Testing readiness | Demonstrate that resilience testing is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for resilience testing.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
PI1.1 | PI1.1 Input Integrity readiness | Demonstrate that input integrity is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for input integrity.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
PI1.2 | PI1.2 Input Integrity readiness | Demonstrate that input integrity is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for input integrity.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
PI1.3 | PI1.3 Input Integrity readiness | Demonstrate that input integrity is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for input integrity.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
PI2.1 | PI2.1 Processing Accuracy readiness | Demonstrate that processing accuracy is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for processing accuracy.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
PI2.2 | PI2.2 Processing Accuracy readiness | Demonstrate that processing accuracy is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for processing accuracy.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
PI2.3 | PI2.3 Processing Accuracy readiness | Demonstrate that processing accuracy is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for processing accuracy.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
PI3.1 | PI3.1 Exception Handling readiness | Demonstrate that exception handling is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for exception handling.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
PI3.2 | PI3.2 Exception Handling readiness | Demonstrate that exception handling is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for exception handling.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
PI3.3 | PI3.3 Exception Handling readiness | Demonstrate that exception handling is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for exception handling.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
PI4.1 | PI4.1 Job and Batch Control readiness | Demonstrate that job and batch control is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for job and batch control.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
PI4.2 | PI4.2 Job and Batch Control readiness | Demonstrate that job and batch control is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for job and batch control.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
PI4.3 | PI4.3 Job and Batch Control readiness | Demonstrate that job and batch control is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for job and batch control.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
PI5.1 | PI5.1 Output Review readiness | Demonstrate that output review is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for output review.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
PI5.2 | PI5.2 Output Review readiness | Demonstrate that output review is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for output review.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
PI5.3 | PI5.3 Output Review readiness | Demonstrate that output review is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for output review.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
P1.1 | P1.1 Notice and Transparency readiness | Demonstrate that notice and transparency is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for notice and transparency.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
P1.2 | P1.2 Notice and Transparency readiness | Demonstrate that notice and transparency is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for notice and transparency.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
P2.1 | P2.1 Collection and Use Limitation readiness | Demonstrate that collection and use limitation is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for collection and use limitation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
P2.2 | P2.2 Collection and Use Limitation readiness | Demonstrate that collection and use limitation is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for collection and use limitation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
P3.1 | P3.1 Data Subject Rights readiness | Demonstrate that data subject rights are defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for data subject rights.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
P3.2 | P3.2 Data Subject Rights readiness | Demonstrate that data subject rights are defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for data subject rights.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
P4.1 | P4.1 Privacy Safeguards readiness | Demonstrate that privacy safeguards are defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for privacy safeguards.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
P4.2 | P4.2 Privacy Safeguards readiness | Demonstrate that privacy safeguards are defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for privacy safeguards.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
P5.1 | P5.1 Third-Party Privacy Management readiness | Demonstrate that third-party privacy management is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for third-party privacy management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
P5.2 | P5.2 Third-Party Privacy Management readiness | Demonstrate that third-party privacy management is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for third-party privacy management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
P6.1 | P6.1 Privacy Monitoring readiness | Demonstrate that privacy monitoring is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for privacy monitoring.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
P6.2 | P6.2 Privacy Monitoring readiness | Demonstrate that privacy monitoring is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for privacy monitoring.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
P7.1 | P7.1 Privacy Incident Response readiness | Demonstrate that privacy incident response is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for privacy incident response.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
P7.2 | P7.2 Privacy Incident Response readiness | Demonstrate that privacy incident response is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for privacy incident response.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |
P8.1 | P8.1 Retention and Disposal readiness | Demonstrate that retention and disposal is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for retention and disposal.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 4 | 0 |
P8.2 | P8.2 Retention and Disposal readiness | Demonstrate that retention and disposal is defined, operated, and reviewable with reproducible local evidence. | Written policy or procedure showing ownership, approval, and review cadence for retention and disposal.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. | gap | 3 | 0 |

Gap Register

| control_id | title | status | severity | evidence_count | missing_evidence | evidence expectations |
|---|---|---|---|---|---|---|
CC1.1 | CC1.1 Control Environment readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC1.2 | CC1.2 Control Environment readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC1.3 | CC1.3 Control Environment readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC1.4 | CC1.4 Control Environment readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC1.5 | CC1.5 Control Environment readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC2.1 | CC2.1 Communication and Information readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC2.2 | CC2.2 Communication and Information readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC2.3 | CC2.3 Communication and Information readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC2.4 | CC2.4 Communication and Information readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC2.5 | CC2.5 Communication and Information readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC3.1 | CC3.1 Risk Assessment readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC3.2 | CC3.2 Risk Assessment readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC3.3 | CC3.3 Risk Assessment readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC3.4 | CC3.4 Risk Assessment readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC3.5 | CC3.5 Risk Assessment readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC4.1 | CC4.1 Monitoring Activities readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC4.2 | CC4.2 Monitoring Activities readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC4.3 | CC4.3 Monitoring Activities readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC4.4 | CC4.4 Monitoring Activities readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC4.5 | CC4.5 Monitoring Activities readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC5.1 | CC5.1 Control Activities readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC5.2 | CC5.2 Control Activities readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC5.3 | CC5.3 Control Activities readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC5.4 | CC5.4 Control Activities readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC5.5 | CC5.5 Control Activities readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC6.1 | CC6.1 Logical and Physical Access readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC6.2 | CC6.2 Logical and Physical Access readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC6.3 | CC6.3 Logical and Physical Access readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC6.4 | CC6.4 Logical and Physical Access readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC6.5 | CC6.5 Logical and Physical Access readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC7.1 | CC7.1 System Operations readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC7.2 | CC7.2 System Operations readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC7.3 | CC7.3 System Operations readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC7.4 | CC7.4 System Operations readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC7.5 | CC7.5 System Operations readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC8.1 | CC8.1 Change Management readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC8.2 | CC8.2 Change Management readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC8.3 | CC8.3 Change Management readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC8.4 | CC8.4 Change Management readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC8.5 | CC8.5 Change Management readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC9.1 | CC9.1 Risk Mitigation readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC9.2 | CC9.2 Risk Mitigation readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC9.3 | CC9.3 Risk Mitigation readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC9.4 | CC9.4 Risk Mitigation readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
CC9.5 | CC9.5 Risk Mitigation readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
C1.1 | C1.1 Confidentiality Commitments readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
C1.2 | C1.2 Confidentiality Commitments readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
C1.3 | C1.3 Confidentiality Commitments readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
C1.4 | C1.4 Confidentiality Commitments readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
C1.5 | C1.5 Confidentiality Commitments readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
C1.6 | C1.6 Confidentiality Commitments readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
C2.1 | C2.1 Confidential Data Lifecycle readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
C2.2 | C2.2 Confidential Data Lifecycle readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
C2.3 | C2.3 Confidential Data Lifecycle readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
C2.4 | C2.4 Confidential Data Lifecycle readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
C2.5 | C2.5 Confidential Data Lifecycle readiness | gap | 5 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
C2.6 | C2.6 Confidential Data Lifecycle readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
A1.1 | A1.1 Availability Planning readiness | gap | 4 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for availability planning.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
A1.2 | A1.2 Availability Planning readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for availability planning.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
A1.3 | A1.3 Availability Planning readiness | gap | 4 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for availability planning.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
A1.4 | A1.4 Availability Planning readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for availability planning.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
A2.1 | A2.1 Backup and Recovery readiness | gap | 4 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for backup and recovery.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
A2.2 | A2.2 Backup and Recovery readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for backup and recovery.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
A2.3 | A2.3 Backup and Recovery readiness | gap | 4 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for backup and recovery.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
A2.4 | A2.4 Backup and Recovery readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for backup and recovery.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
A3.1 | A3.1 Resilience Testing readiness | gap | 4 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for resilience testing.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
A3.2 | A3.2 Resilience Testing readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for resilience testing.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
A3.3 | A3.3 Resilience Testing readiness | gap | 4 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for resilience testing.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
A3.4 | A3.4 Resilience Testing readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for resilience testing.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI1.1 | PI1.1 Input Integrity readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for input integrity.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI1.2 | PI1.2 Input Integrity readiness | gap | 4 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for input integrity.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI1.3 | PI1.3 Input Integrity readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for input integrity.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI2.1 | PI2.1 Processing Accuracy readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for processing accuracy.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI2.2 | PI2.2 Processing Accuracy readiness | gap | 4 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for processing accuracy.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI2.3 | PI2.3 Processing Accuracy readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for processing accuracy.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI3.1 | PI3.1 Exception Handling readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for exception handling.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI3.2 | PI3.2 Exception Handling readiness | gap | 4 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for exception handling.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI3.3 | PI3.3 Exception Handling readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for exception handling.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI4.1 | PI4.1 Job and Batch Control readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for job and batch control.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI4.2 | PI4.2 Job and Batch Control readiness | gap | 4 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for job and batch control.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI4.3 | PI4.3 Job and Batch Control readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for job and batch control.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI5.1 | PI5.1 Output Review readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for output review.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI5.2 | PI5.2 Output Review readiness | gap | 4 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for output review.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
PI5.3 | PI5.3 Output Review readiness | gap | 3 | 0 | 2 | Written policy or procedure showing ownership, approval, and review cadence for output review.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P1.1 | P1.1 Notice and Transparency readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for notice and transparency.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P1.2 | P1.2 Notice and Transparency readiness | gap | 3 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for notice and transparency.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P2.1 | P2.1 Collection and Use Limitation readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for collection and use limitation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P2.2 | P2.2 Collection and Use Limitation readiness | gap | 3 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for collection and use limitation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P3.1 | P3.1 Data Subject Rights readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for data subject rights.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P3.2 | P3.2 Data Subject Rights readiness | gap | 3 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for data subject rights.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P4.1 | P4.1 Privacy Safeguards readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for privacy safeguards.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P4.2 | P4.2 Privacy Safeguards readiness | gap | 3 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for privacy safeguards.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P5.1 | P5.1 Third-Party Privacy Management readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for third-party privacy management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P5.2 | P5.2 Third-Party Privacy Management readiness | gap | 3 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for third-party privacy management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P6.1 | P6.1 Privacy Monitoring readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for privacy monitoring.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P6.2 | P6.2 Privacy Monitoring readiness | gap | 3 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for privacy monitoring.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P7.1 | P7.1 Privacy Incident Response readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for privacy incident response.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P7.2 | P7.2 Privacy Incident Response readiness | gap | 3 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for privacy incident response.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P8.1 | P8.1 Retention and Disposal readiness | gap | 4 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for retention and disposal.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
P8.2 | P8.2 Retention and Disposal readiness | gap | 3 | 0 | 3 | Written policy or procedure showing ownership, approval, and review cadence for retention and disposal.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified. |
Evidence Appendix
CC1.1 - CC1.1 Control Environment readiness
gap | severity 4 | evidence_count 0
Demonstrate that control environment is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-001 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-002 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-003 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC1.2 - CC1.2 Control Environment readiness
gap | severity 5 | evidence_count 0
Demonstrate that control environment is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-002 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-003 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-004 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC1.3 - CC1.3 Control Environment readiness
gap | severity 4 | evidence_count 0
Demonstrate that control environment is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-003 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-004 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-001 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC1.4 - CC1.4 Control Environment readiness
gap | severity 5 | evidence_count 0
Demonstrate that control environment is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-004 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-001 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-002 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC1.5 - CC1.5 Control Environment readiness
gap | severity 4 | evidence_count 0
Demonstrate that control environment is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for control environment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-001 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-002 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-003 - control environment cc1 control_environment ethics tone policy owner evidence review log ticket control
tags: control_environment, ethics, tone, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC2.1 - CC2.1 Communication and Information readiness
gap | severity 4 | evidence_count 0
Demonstrate that communication and information is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-005 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-006 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-007 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC2.2 - CC2.2 Communication and Information readiness
gap | severity 5 | evidence_count 0
Demonstrate that communication and information is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-006 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-007 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-008 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC2.3 - CC2.3 Communication and Information readiness
gap | severity 4 | evidence_count 0
Demonstrate that communication and information is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-007 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-008 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-005 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC2.4 - CC2.4 Communication and Information readiness
gap | severity 5 | evidence_count 0
Demonstrate that communication and information is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-008 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-005 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-006 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC2.5 - CC2.5 Communication and Information readiness
gap | severity 4 | evidence_count 0
Demonstrate that communication and information is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for communication and information.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-005 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-006 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-007 - communication and information cc2 communication reporting governance policy owner evidence review log ticket control
tags: communication, reporting, governance, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC3.1 - CC3.1 Risk Assessment readiness
gap | severity 4 | evidence_count 0
Demonstrate that risk assessment is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-009 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-010 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-011 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC3.2 - CC3.2 Risk Assessment readiness
gap | severity 5 | evidence_count 0
Demonstrate that risk assessment is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-010 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-011 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-012 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC3.3 - CC3.3 Risk Assessment readiness
gap | severity 4 | evidence_count 0
Demonstrate that risk assessment is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-011 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-012 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-009 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC3.4 - CC3.4 Risk Assessment readiness
gap | severity 5 | evidence_count 0
Demonstrate that risk assessment is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-012 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-009 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-010 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC3.5 - CC3.5 Risk Assessment readiness
gap | severity 4 | evidence_count 0
Demonstrate that risk assessment is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for risk assessment.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-009 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-010 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-011 - risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control
tags: risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC4.1 - CC4.1 Monitoring Activities readiness
gap | severity 4 | evidence_count 0
Demonstrate that monitoring activities is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-013 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-014 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-015 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC4.2 - CC4.2 Monitoring Activities readiness
gap | severity 5 | evidence_count 0
Demonstrate that monitoring activities is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-014 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-015 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-016 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC4.3 - CC4.3 Monitoring Activities readiness
gap | severity 4 | evidence_count 0
Demonstrate that monitoring activities is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-015 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-016 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-013 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC4.4 - CC4.4 Monitoring Activities readiness
gap | severity 5 | evidence_count 0
Demonstrate that monitoring activities is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-016 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-013 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-014 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC4.5 - CC4.5 Monitoring Activities readiness
gap | severity 4 | evidence_count 0
Demonstrate that monitoring activities is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for monitoring activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-013 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-014 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-015 - monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control
tags: monitoring, metrics, audit, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC5.1 - CC5.1 Control Activities readiness
gap | severity 4 | evidence_count 0
Demonstrate that control activities is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-017 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-018 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-019 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC5.2 - CC5.2 Control Activities readiness
gap | severity 5 | evidence_count 0
Demonstrate that control activities is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-018 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-019 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-020 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC5.3 - CC5.3 Control Activities readiness
gap | severity 4 | evidence_count 0
Demonstrate that control activities is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-019 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-020 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-017 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC5.4 - CC5.4 Control Activities readiness
gap | severity 5 | evidence_count 0
Demonstrate that control activities is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-020 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-017 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-018 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC5.5 - CC5.5 Control Activities readiness
gap | severity 4 | evidence_count 0
Demonstrate that control activities is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for control activities.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-017 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-018 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-019 - control activities cc5 control_activities review segregation policy owner evidence review log ticket control
tags: control_activities, review, segregation, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC6.1 - CC6.1 Logical and Physical Access readiness
gap | severity 4 | evidence_count 0
Demonstrate that logical and physical access is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-021 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-022 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-023 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC6.2 - CC6.2 Logical and Physical Access readiness
gap | severity 5 | evidence_count 0
Demonstrate that logical and physical access is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-022 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-023 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-024 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC6.3 - CC6.3 Logical and Physical Access readiness
gap | severity 4 | evidence_count 0
Demonstrate that logical and physical access is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-023 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-024 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-021 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC6.4 - CC6.4 Logical and Physical Access readiness
gap | severity 5 | evidence_count 0
Demonstrate that logical and physical access is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-024 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-021 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-022 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC6.5 - CC6.5 Logical and Physical Access readiness
gap | severity 4 | evidence_count 0
Demonstrate that logical and physical access is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for logical and physical access.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-021 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-022 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-023 - logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control
tags: logical_access, identity, mfa, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC7.1 - CC7.1 System Operations readiness
gap | severity 4 | evidence_count 0
Demonstrate that system operations is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-025 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-026 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-027 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC7.2 - CC7.2 System Operations readiness
gap | severity 5 | evidence_count 0
Demonstrate that system operations is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-026 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-027 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-028 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC7.3 - CC7.3 System Operations readiness
gap | severity 4 | evidence_count 0
Demonstrate that system operations is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-027 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-028 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-025 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC7.4 - CC7.4 System Operations readiness
gap | severity 5 | evidence_count 0
Demonstrate that system operations is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-028 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-025 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-026 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC7.5 - CC7.5 System Operations readiness
gap | severity 4 | evidence_count 0
Demonstrate that system operations is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for system operations.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-025 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-026 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-027 - system operations cc7 system_operations logging alerting policy owner evidence review log ticket control
tags: system_operations, logging, alerting, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC8.1 - CC8.1 Change Management readiness
gap | severity 4 | evidence_count 0
Demonstrate that change management is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-029 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-030 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-031 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC8.2 - CC8.2 Change Management readiness
gap | severity 5 | evidence_count 0
Demonstrate that change management is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-030 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-031 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-032 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC8.3 - CC8.3 Change Management readiness
gap | severity 4 | evidence_count 0
Demonstrate that change management is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-031 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-032 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-029 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC8.4 - CC8.4 Change Management readiness
gap | severity 5 | evidence_count 0
Demonstrate that change management is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-032 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-029 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-030 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC8.5 - CC8.5 Change Management readiness
gap | severity 4 | evidence_count 0
Demonstrate that change management is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for change management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-029 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-030 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-031 - change management cc8 change_management sdlc release policy owner evidence review log ticket control
tags: change_management, sdlc, release, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC9.1 - CC9.1 Risk Mitigation readiness
gap | severity 4 | evidence_count 0
Demonstrate that risk mitigation is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-033 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-034 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-035 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC9.2 - CC9.2 Risk Mitigation readiness
gap | severity 5 | evidence_count 0
Demonstrate that risk mitigation is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-034 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-035 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-036 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC9.3 - CC9.3 Risk Mitigation readiness
gap | severity 4 | evidence_count 0
Demonstrate that risk mitigation is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-035 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-036 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-033 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC9.4 - CC9.4 Risk Mitigation readiness
gap | severity 5 | evidence_count 0
Demonstrate that risk mitigation is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-036 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-033 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-034 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
CC9.5 - CC9.5 Risk Mitigation readiness
gap | severity 4 | evidence_count 0
Demonstrate that risk mitigation is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for risk mitigation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-033 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-034 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
SOC2-Q-035 - risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control
tags: risk_mitigation, incident_response, resilience, soc2, readiness, security | hits: 0
No direct evidence hits for this query.
C1.1 - C1.1 Confidentiality Commitments readiness
gap | severity 5 | evidence_count 0
Demonstrate that confidentiality commitments is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-037 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-038 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-039 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
C1.2 - C1.2 Confidentiality Commitments readiness
gap | severity 4 | evidence_count 0
Demonstrate that confidentiality commitments is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-038 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-039 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-037 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
C1.3 - C1.3 Confidentiality Commitments readiness
gap | severity 5 | evidence_count 0
Demonstrate that confidentiality commitments is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-039 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-037 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-038 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
C1.4 - C1.4 Confidentiality Commitments readiness
gap | severity 4 | evidence_count 0
Demonstrate that confidentiality commitments is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-037 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-038 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-039 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
C1.5 - C1.5 Confidentiality Commitments readiness
gap | severity 5 | evidence_count 0
Demonstrate that confidentiality commitments is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-038 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-039 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-037 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
C1.6 - C1.6 Confidentiality Commitments readiness
gap | severity 4 | evidence_count 0
Demonstrate that confidentiality commitments is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for confidentiality commitments.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-039 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-037 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-038 - confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control
tags: confidentiality, data_classification, encryption, soc2, readiness | hits: 0
No direct evidence hits for this query.
C2.1 - C2.1 Confidential Data Lifecycle readiness
gap | severity 5 | evidence_count 0
Demonstrate that confidential data lifecycle is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-040 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-041 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-042 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
C2.2 - C2.2 Confidential Data Lifecycle readiness
gap | severity 4 | evidence_count 0
Demonstrate that confidential data lifecycle is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-041 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-042 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-040 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
C2.3 - C2.3 Confidential Data Lifecycle readiness
gap | severity 5 | evidence_count 0
Demonstrate that confidential data lifecycle is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-042 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-040 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-041 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
C2.4 - C2.4 Confidential Data Lifecycle readiness
gap | severity 4 | evidence_count 0
Demonstrate that confidential data lifecycle is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-040 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-041 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-042 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
C2.5 - C2.5 Confidential Data Lifecycle readiness
gap | severity 5 | evidence_count 0
Demonstrate that confidential data lifecycle is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-041 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-042 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-040 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
C2.6 - C2.6 Confidential Data Lifecycle readiness
gap | severity 4 | evidence_count 0
Demonstrate that confidential data lifecycle is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for confidential data lifecycle.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-042 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-040 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-041 - confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control
tags: confidentiality, data_handling, retention, soc2, readiness | hits: 0
No direct evidence hits for this query.
A1.1 - A1.1 Availability Planning readiness
gap | severity 4 | evidence_count 0
Demonstrate that availability planning is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for availability planning.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-043 - availability planning a1 availability capacity sla policy owner evidence review log ticket control
tags: availability, capacity, sla, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-044 - availability planning a1 availability capacity sla policy owner evidence review log ticket control
tags: availability, capacity, sla, soc2, readiness | hits: 0
No direct evidence hits for this query.
A1.2 - A1.2 Availability Planning readiness
gap | severity 3 | evidence_count 0
Demonstrate that availability planning is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for availability planning.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-044 - availability planning a1 availability capacity sla policy owner evidence review log ticket control
tags: availability, capacity, sla, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-043 - availability planning a1 availability capacity sla policy owner evidence review log ticket control
tags: availability, capacity, sla, soc2, readiness | hits: 0
No direct evidence hits for this query.
A1.3 - A1.3 Availability Planning readiness
gap | severity 4 | evidence_count 0
Demonstrate that availability planning is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for availability planning.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-043 - availability planning a1 availability capacity sla policy owner evidence review log ticket control
tags: availability, capacity, sla, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-044 - availability planning a1 availability capacity sla policy owner evidence review log ticket control
tags: availability, capacity, sla, soc2, readiness | hits: 0
No direct evidence hits for this query.
A1.4 - A1.4 Availability Planning readiness
gap | severity 3 | evidence_count 0
Demonstrate that availability planning is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for availability planning.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-044 - availability planning a1 availability capacity sla policy owner evidence review log ticket control
tags: availability, capacity, sla, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-043 - availability planning a1 availability capacity sla policy owner evidence review log ticket control
tags: availability, capacity, sla, soc2, readiness | hits: 0
No direct evidence hits for this query.
A2.1 - A2.1 Backup and Recovery readiness
gap | severity 4 | evidence_count 0
Demonstrate that backup and recovery is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for backup and recovery.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-045 - backup and recovery a2 availability backup restore policy owner evidence review log ticket control
tags: availability, backup, restore, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-046 - backup and recovery a2 availability backup restore policy owner evidence review log ticket control
tags: availability, backup, restore, soc2, readiness | hits: 0
No direct evidence hits for this query.
A2.2 - A2.2 Backup and Recovery readiness
gap | severity 3 | evidence_count 0
Demonstrate that backup and recovery is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for backup and recovery.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-046 - backup and recovery a2 availability backup restore policy owner evidence review log ticket control
tags: availability, backup, restore, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-045 - backup and recovery a2 availability backup restore policy owner evidence review log ticket control
tags: availability, backup, restore, soc2, readiness | hits: 0
No direct evidence hits for this query.
A2.3 - A2.3 Backup and Recovery readiness
gap | severity 4 | evidence_count 0
Demonstrate that backup and recovery is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for backup and recovery.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-045 - backup and recovery a2 availability backup restore policy owner evidence review log ticket control
tags: availability, backup, restore, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-046 - backup and recovery a2 availability backup restore policy owner evidence review log ticket control
tags: availability, backup, restore, soc2, readiness | hits: 0
No direct evidence hits for this query.
A2.4 - A2.4 Backup and Recovery readiness
gap | severity 3 | evidence_count 0
Demonstrate that backup and recovery is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for backup and recovery.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-046 - backup and recovery a2 availability backup restore policy owner evidence review log ticket control
tags: availability, backup, restore, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-045 - backup and recovery a2 availability backup restore policy owner evidence review log ticket control
tags: availability, backup, restore, soc2, readiness | hits: 0
No direct evidence hits for this query.
A3.1 - A3.1 Resilience Testing readiness
gap | severity 4 | evidence_count 0
Demonstrate that resilience testing is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for resilience testing.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-047 - resilience testing a3 availability dr_testing continuity policy owner evidence review log ticket control
tags: availability, dr_testing, continuity, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-048 - resilience testing a3 availability dr_testing continuity policy owner evidence review log ticket control
tags: availability, dr_testing, continuity, soc2, readiness | hits: 0
No direct evidence hits for this query.
A3.2 - A3.2 Resilience Testing readiness
gap | severity 3 | evidence_count 0
Demonstrate that resilience testing is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for resilience testing.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-048 - resilience testing a3 availability dr_testing continuity policy owner evidence review log ticket control
tags: availability, dr_testing, continuity, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-047 - resilience testing a3 availability dr_testing continuity policy owner evidence review log ticket control
tags: availability, dr_testing, continuity, soc2, readiness | hits: 0
No direct evidence hits for this query.
A3.3 - A3.3 Resilience Testing readiness
gap | severity 4 | evidence_count 0
Demonstrate that resilience testing is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for resilience testing.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-047 - resilience testing a3 availability dr_testing continuity policy owner evidence review log ticket control
tags: availability, dr_testing, continuity, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-048 - resilience testing a3 availability dr_testing continuity policy owner evidence review log ticket control
tags: availability, dr_testing, continuity, soc2, readiness | hits: 0
No direct evidence hits for this query.
A3.4 - A3.4 Resilience Testing readiness
gap | severity 3 | evidence_count 0
Demonstrate that resilience testing is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for resilience testing.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-048 - resilience testing a3 availability dr_testing continuity policy owner evidence review log ticket control
tags: availability, dr_testing, continuity, soc2, readiness | hits: 0
No direct evidence hits for this query.
SOC2-Q-047 - resilience testing a3 availability dr_testing continuity policy owner evidence review log ticket control
tags: availability, dr_testing, continuity, soc2, readiness | hits: 0
No direct evidence hits for this query.
PI1.1 - PI1.1 Input Integrity readiness
gap | severity 3 | evidence_count 0
Demonstrate that input integrity is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for input integrity.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-049 - input integrity pi1 processing_integrity input_validation completeness policy owner evidence review log ticket control
tags: processing_integrity, input_validation, completeness, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
PI1.2 - PI1.2 Input Integrity readiness
gap | severity 4 | evidence_count 0
Demonstrate that input integrity is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for input integrity.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-049 - input integrity pi1 processing_integrity input_validation completeness policy owner evidence review log ticket control
tags: processing_integrity, input_validation, completeness, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
PI1.3 - PI1.3 Input Integrity readiness
gap | severity 3 | evidence_count 0
Demonstrate that input integrity is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for input integrity.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-049 - input integrity pi1 processing_integrity input_validation completeness policy owner evidence review log ticket control
tags: processing_integrity, input_validation, completeness, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
PI2.1 - PI2.1 Processing Accuracy readiness
gap | severity 3 | evidence_count 0
Demonstrate that processing accuracy is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for processing accuracy.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-050 - processing accuracy pi2 processing_integrity accuracy reconciliation policy owner evidence review log ticket control
tags: processing_integrity, accuracy, reconciliation, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
PI2.2 - PI2.2 Processing Accuracy readiness
gap | severity 4 | evidence_count 0
Demonstrate that processing accuracy is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for processing accuracy.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-050 - processing accuracy pi2 processing_integrity accuracy reconciliation policy owner evidence review log ticket control
tags: processing_integrity, accuracy, reconciliation, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
PI2.3 - PI2.3 Processing Accuracy readiness
gap | severity 3 | evidence_count 0
Demonstrate that processing accuracy is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for processing accuracy.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-050 - processing accuracy pi2 processing_integrity accuracy reconciliation policy owner evidence review log ticket control
tags: processing_integrity, accuracy, reconciliation, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
PI3.1 - PI3.1 Exception Handling readiness
gap | severity 3 | evidence_count 0
Demonstrate that exception handling is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for exception handling.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-051 - exception handling pi3 processing_integrity exceptions workflow policy owner evidence review log ticket control
tags: processing_integrity, exceptions, workflow, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
PI3.2 - PI3.2 Exception Handling readiness
gap | severity 4 | evidence_count 0
Demonstrate that exception handling is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for exception handling.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-051 - exception handling pi3 processing_integrity exceptions workflow policy owner evidence review log ticket control
tags: processing_integrity, exceptions, workflow, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
PI3.3 - PI3.3 Exception Handling readiness
gap | severity 3 | evidence_count 0
Demonstrate that exception handling is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for exception handling.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-051 - exception handling pi3 processing_integrity exceptions workflow policy owner evidence review log ticket control
tags: processing_integrity, exceptions, workflow, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
PI4.1 - PI4.1 Job and Batch Control readiness
gap | severity 3 | evidence_count 0
Demonstrate that job and batch control is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for job and batch control.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-052 - job and batch control pi4 processing_integrity job_control batch policy owner evidence review log ticket control
tags: processing_integrity, job_control, batch, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
PI4.2 - PI4.2 Job and Batch Control readiness
gap | severity 4 | evidence_count 0
Demonstrate that job and batch control is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for job and batch control.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-052 - job and batch control pi4 processing_integrity job_control batch policy owner evidence review log ticket control
tags: processing_integrity, job_control, batch, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
PI4.3 - PI4.3 Job and Batch Control readiness
gap | severity 3 | evidence_count 0
Demonstrate that job and batch control is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for job and batch control.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-052 - job and batch control pi4 processing_integrity job_control batch policy owner evidence review log ticket control
tags: processing_integrity, job_control, batch, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
PI5.1 - PI5.1 Output Review readiness
gap | severity 3 | evidence_count 0
Demonstrate that output review is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for output review.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-053 - output review pi5 processing_integrity output_review traceability policy owner evidence review log ticket control
tags: processing_integrity, output_review, traceability, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
PI5.2 - PI5.2 Output Review readiness
gap | severity 4 | evidence_count 0
Demonstrate that output review is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for output review.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-053 - output review pi5 processing_integrity output_review traceability policy owner evidence review log ticket control
tags: processing_integrity, output_review, traceability, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
PI5.3 - PI5.3 Output Review readiness
gap | severity 3 | evidence_count 0
Demonstrate that output review is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for output review.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-053 - output review pi5 processing_integrity output_review traceability policy owner evidence review log ticket control
tags: processing_integrity, output_review, traceability, soc2, readiness, processingintegrity | hits: 0
No direct evidence hits for this query.
P1.1 - P1.1 Notice and Transparency readiness
gap | severity 4 | evidence_count 0
Demonstrate that notice and transparency is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for notice and transparency.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-054 - notice and transparency p1 privacy notice consent policy owner evidence review log ticket control
tags: privacy, notice, consent, soc2, readiness | hits: 0
No direct evidence hits for this query.
P1.2 - P1.2 Notice and Transparency readiness
gap | severity 3 | evidence_count 0
Demonstrate that notice and transparency is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for notice and transparency.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-054 - notice and transparency p1 privacy notice consent policy owner evidence review log ticket control
tags: privacy, notice, consent, soc2, readiness | hits: 0
No direct evidence hits for this query.
P2.1 - P2.1 Collection and Use Limitation readiness
gap | severity 4 | evidence_count 0
Demonstrate that collection and use limitation is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for collection and use limitation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-055 - collection and use limitation p2 privacy collection purpose_limitation policy owner evidence review log ticket control
tags: privacy, collection, purpose_limitation, soc2, readiness | hits: 0
No direct evidence hits for this query.
P2.2 - P2.2 Collection and Use Limitation readiness
gap | severity 3 | evidence_count 0
Demonstrate that collection and use limitation is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for collection and use limitation.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-055 - collection and use limitation p2 privacy collection purpose_limitation policy owner evidence review log ticket control
tags: privacy, collection, purpose_limitation, soc2, readiness | hits: 0
No direct evidence hits for this query.
P3.1 - P3.1 Data Subject Rights readiness
gap | severity 4 | evidence_count 0
Demonstrate that data subject rights are defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for data subject rights.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-056 - data subject rights p3 privacy data_subject_rights request_handling policy owner evidence review log ticket control
tags: privacy, data_subject_rights, request_handling, soc2, readiness | hits: 0
No direct evidence hits for this query.
P3.2 - P3.2 Data Subject Rights readiness
gap | severity 3 | evidence_count 0
Demonstrate that data subject rights are defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for data subject rights.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-056 - data subject rights p3 privacy data_subject_rights request_handling policy owner evidence review log ticket control
tags: privacy, data_subject_rights, request_handling, soc2, readiness | hits: 0
No direct evidence hits for this query.
P4.1 - P4.1 Privacy Safeguards readiness
gap | severity 4 | evidence_count 0
Demonstrate that privacy safeguards are defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for privacy safeguards.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-057 - privacy safeguards p4 privacy safeguards confidentiality policy owner evidence review log ticket control
tags: privacy, safeguards, confidentiality, soc2, readiness | hits: 0
No direct evidence hits for this query.
P4.2 - P4.2 Privacy Safeguards readiness
gap | severity 3 | evidence_count 0
Demonstrate that privacy safeguards are defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for privacy safeguards.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-057 - privacy safeguards p4 privacy safeguards confidentiality policy owner evidence review log ticket control
tags: privacy, safeguards, confidentiality, soc2, readiness | hits: 0
No direct evidence hits for this query.
P5.1 - P5.1 Third-Party Privacy Management readiness
gap | severity 4 | evidence_count 0
Demonstrate that third-party privacy management is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for third-party privacy management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-058 - third-party privacy management p5 privacy third_party contracts policy owner evidence review log ticket control
tags: privacy, third_party, contracts, soc2, readiness | hits: 0
No direct evidence hits for this query.
P5.2 - P5.2 Third-Party Privacy Management readiness
gap | severity 3 | evidence_count 0
Demonstrate that third-party privacy management is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for third-party privacy management.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-058 - third-party privacy management p5 privacy third_party contracts policy owner evidence review log ticket control
tags: privacy, third_party, contracts, soc2, readiness | hits: 0
No direct evidence hits for this query.
P6.1 - P6.1 Privacy Monitoring readiness
gap | severity 4 | evidence_count 0
Demonstrate that privacy monitoring is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for privacy monitoring.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-059 - privacy monitoring p6 privacy monitoring compliance policy owner evidence review log ticket control
tags: privacy, monitoring, compliance, soc2, readiness | hits: 0
No direct evidence hits for this query.
P6.2 - P6.2 Privacy Monitoring readiness
gap | severity 3 | evidence_count 0
Demonstrate that privacy monitoring is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for privacy monitoring.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-059 - privacy monitoring p6 privacy monitoring compliance policy owner evidence review log ticket control
tags: privacy, monitoring, compliance, soc2, readiness | hits: 0
No direct evidence hits for this query.
P7.1 - P7.1 Privacy Incident Response readiness
gap | severity 4 | evidence_count 0
Demonstrate that privacy incident response is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for privacy incident response.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-060 - privacy incident response p7 privacy incident_response breach policy owner evidence review log ticket control
tags: privacy, incident_response, breach, soc2, readiness | hits: 0
No direct evidence hits for this query.
P7.2 - P7.2 Privacy Incident Response readiness
gap | severity 3 | evidence_count 0
Demonstrate that privacy incident response is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for privacy incident response.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-060 - privacy incident response p7 privacy incident_response breach policy owner evidence review log ticket control
tags: privacy, incident_response, breach, soc2, readiness | hits: 0
No direct evidence hits for this query.
P8.1 - P8.1 Retention and Disposal readiness
gap | severity 4 | evidence_count 0
Demonstrate that retention and disposal is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for retention and disposal.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-061 - retention and disposal p8 privacy retention deletion policy owner evidence review log ticket control
tags: privacy, retention, deletion, soc2, readiness | hits: 0
No direct evidence hits for this query.
P8.2 - P8.2 Retention and Disposal readiness
gap | severity 3 | evidence_count 0
Demonstrate that retention and disposal is defined, operated, and reviewable with reproducible local evidence.
Expected evidence: Written policy or procedure showing ownership, approval, and review cadence for retention and disposal.; Operational records (logs, tickets, reports, or dashboards) demonstrating the control is performed consistently.; Evidence of exception handling and remediation tracking when control failures or gaps are identified.
SOC2-Q-061 - retention and disposal p8 privacy retention deletion policy owner evidence review log ticket control
tags: privacy, retention, deletion, soc2, readiness | hits: 0
No direct evidence hits for this query.
Query Log
| query_id | query_text | tags | hits |
|---|---|---|---|
SOC2-Q-001 | control environment cc1 control_environment ethics tone policy owner evidence review log ticket control | control_environment, ethics, tone, soc2, readiness, security | 0 |
SOC2-Q-002 | control environment cc1 control_environment ethics tone policy owner evidence review log ticket control | control_environment, ethics, tone, soc2, readiness, security | 0 |
SOC2-Q-003 | control environment cc1 control_environment ethics tone policy owner evidence review log ticket control | control_environment, ethics, tone, soc2, readiness, security | 0 |
SOC2-Q-004 | control environment cc1 control_environment ethics tone policy owner evidence review log ticket control | control_environment, ethics, tone, soc2, readiness, security | 0 |
SOC2-Q-005 | communication and information cc2 communication reporting governance policy owner evidence review log ticket control | communication, reporting, governance, soc2, readiness, security | 0 |
SOC2-Q-006 | communication and information cc2 communication reporting governance policy owner evidence review log ticket control | communication, reporting, governance, soc2, readiness, security | 0 |
SOC2-Q-007 | communication and information cc2 communication reporting governance policy owner evidence review log ticket control | communication, reporting, governance, soc2, readiness, security | 0 |
SOC2-Q-008 | communication and information cc2 communication reporting governance policy owner evidence review log ticket control | communication, reporting, governance, soc2, readiness, security | 0 |
SOC2-Q-009 | risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control | risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | 0 |
SOC2-Q-010 | risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control | risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | 0 |
SOC2-Q-011 | risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control | risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | 0 |
SOC2-Q-012 | risk assessment cc3 risk_assessment threat_modeling enterprise_risk policy owner evidence review log ticket control | risk_assessment, threat_modeling, enterprise_risk, soc2, readiness, security | 0 |
SOC2-Q-013 | monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control | monitoring, metrics, audit, soc2, readiness, security | 0 |
SOC2-Q-014 | monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control | monitoring, metrics, audit, soc2, readiness, security | 0 |
SOC2-Q-015 | monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control | monitoring, metrics, audit, soc2, readiness, security | 0 |
SOC2-Q-016 | monitoring activities cc4 monitoring metrics audit policy owner evidence review log ticket control | monitoring, metrics, audit, soc2, readiness, security | 0 |
SOC2-Q-017 | control activities cc5 control_activities review segregation policy owner evidence review log ticket control | control_activities, review, segregation, soc2, readiness, security | 0 |
SOC2-Q-018 | control activities cc5 control_activities review segregation policy owner evidence review log ticket control | control_activities, review, segregation, soc2, readiness, security | 0 |
SOC2-Q-019 | control activities cc5 control_activities review segregation policy owner evidence review log ticket control | control_activities, review, segregation, soc2, readiness, security | 0 |
SOC2-Q-020 | control activities cc5 control_activities review segregation policy owner evidence review log ticket control | control_activities, review, segregation, soc2, readiness, security | 0 |
SOC2-Q-021 | logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control | logical_access, identity, mfa, soc2, readiness, security | 0 |
SOC2-Q-022 | logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control | logical_access, identity, mfa, soc2, readiness, security | 0 |
SOC2-Q-023 | logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control | logical_access, identity, mfa, soc2, readiness, security | 0 |
SOC2-Q-024 | logical and physical access cc6 logical_access identity mfa policy owner evidence review log ticket control | logical_access, identity, mfa, soc2, readiness, security | 0 |
SOC2-Q-025 | system operations cc7 system_operations logging alerting policy owner evidence review log ticket control | system_operations, logging, alerting, soc2, readiness, security | 0 |
SOC2-Q-026 | system operations cc7 system_operations logging alerting policy owner evidence review log ticket control | system_operations, logging, alerting, soc2, readiness, security | 0 |
SOC2-Q-027 | system operations cc7 system_operations logging alerting policy owner evidence review log ticket control | system_operations, logging, alerting, soc2, readiness, security | 0 |
SOC2-Q-028 | system operations cc7 system_operations logging alerting policy owner evidence review log ticket control | system_operations, logging, alerting, soc2, readiness, security | 0 |
SOC2-Q-029 | change management cc8 change_management sdlc release policy owner evidence review log ticket control | change_management, sdlc, release, soc2, readiness, security | 0 |
SOC2-Q-030 | change management cc8 change_management sdlc release policy owner evidence review log ticket control | change_management, sdlc, release, soc2, readiness, security | 0 |
SOC2-Q-031 | change management cc8 change_management sdlc release policy owner evidence review log ticket control | change_management, sdlc, release, soc2, readiness, security | 0 |
SOC2-Q-032 | change management cc8 change_management sdlc release policy owner evidence review log ticket control | change_management, sdlc, release, soc2, readiness, security | 0 |
SOC2-Q-033 | risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control | risk_mitigation, incident_response, resilience, soc2, readiness, security | 0 |
SOC2-Q-034 | risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control | risk_mitigation, incident_response, resilience, soc2, readiness, security | 0 |
SOC2-Q-035 | risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control | risk_mitigation, incident_response, resilience, soc2, readiness, security | 0 |
SOC2-Q-036 | risk mitigation cc9 risk_mitigation incident_response resilience policy owner evidence review log ticket control | risk_mitigation, incident_response, resilience, soc2, readiness, security | 0 |
SOC2-Q-037 | confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control | confidentiality, data_classification, encryption, soc2, readiness | 0 |
SOC2-Q-038 | confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control | confidentiality, data_classification, encryption, soc2, readiness | 0 |
SOC2-Q-039 | confidentiality commitments c1 confidentiality data_classification encryption policy owner evidence review log ticket control | confidentiality, data_classification, encryption, soc2, readiness | 0 |
SOC2-Q-040 | confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control | confidentiality, data_handling, retention, soc2, readiness | 0 |
SOC2-Q-041 | confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control | confidentiality, data_handling, retention, soc2, readiness | 0 |
SOC2-Q-042 | confidential data lifecycle c2 confidentiality data_handling retention policy owner evidence review log ticket control | confidentiality, data_handling, retention, soc2, readiness | 0 |
SOC2-Q-043 | availability planning a1 availability capacity sla policy owner evidence review log ticket control | availability, capacity, sla, soc2, readiness | 0 |
SOC2-Q-044 | availability planning a1 availability capacity sla policy owner evidence review log ticket control | availability, capacity, sla, soc2, readiness | 0 |
SOC2-Q-045 | backup and recovery a2 availability backup restore policy owner evidence review log ticket control | availability, backup, restore, soc2, readiness | 0 |
SOC2-Q-046 | backup and recovery a2 availability backup restore policy owner evidence review log ticket control | availability, backup, restore, soc2, readiness | 0 |
SOC2-Q-047 | resilience testing a3 availability dr_testing continuity policy owner evidence review log ticket control | availability, dr_testing, continuity, soc2, readiness | 0 |
SOC2-Q-048 | resilience testing a3 availability dr_testing continuity policy owner evidence review log ticket control | availability, dr_testing, continuity, soc2, readiness | 0 |
SOC2-Q-049 | input integrity pi1 processing_integrity input_validation completeness policy owner evidence review log ticket control | processing_integrity, input_validation, completeness, soc2, readiness, processingintegrity | 0 |
SOC2-Q-050 | processing accuracy pi2 processing_integrity accuracy reconciliation policy owner evidence review log ticket control | processing_integrity, accuracy, reconciliation, soc2, readiness, processingintegrity | 0 |
SOC2-Q-051 | exception handling pi3 processing_integrity exceptions workflow policy owner evidence review log ticket control | processing_integrity, exceptions, workflow, soc2, readiness, processingintegrity | 0 |
SOC2-Q-052 | job and batch control pi4 processing_integrity job_control batch policy owner evidence review log ticket control | processing_integrity, job_control, batch, soc2, readiness, processingintegrity | 0 |
SOC2-Q-053 | output review pi5 processing_integrity output_review traceability policy owner evidence review log ticket control | processing_integrity, output_review, traceability, soc2, readiness, processingintegrity | 0 |
SOC2-Q-054 | notice and transparency p1 privacy notice consent policy owner evidence review log ticket control | privacy, notice, consent, soc2, readiness | 0 |
SOC2-Q-055 | collection and use limitation p2 privacy collection purpose_limitation policy owner evidence review log ticket control | privacy, collection, purpose_limitation, soc2, readiness | 0 |
SOC2-Q-056 | data subject rights p3 privacy data_subject_rights request_handling policy owner evidence review log ticket control | privacy, data_subject_rights, request_handling, soc2, readiness | 0 |
SOC2-Q-057 | privacy safeguards p4 privacy safeguards confidentiality policy owner evidence review log ticket control | privacy, safeguards, confidentiality, soc2, readiness | 0 |
SOC2-Q-058 | third-party privacy management p5 privacy third_party contracts policy owner evidence review log ticket control | privacy, third_party, contracts, soc2, readiness | 0 |
SOC2-Q-059 | privacy monitoring p6 privacy monitoring compliance policy owner evidence review log ticket control | privacy, monitoring, compliance, soc2, readiness | 0 |
SOC2-Q-060 | privacy incident response p7 privacy incident_response breach policy owner evidence review log ticket control | privacy, incident_response, breach, soc2, readiness | 0 |
SOC2-Q-061 | retention and disposal p8 privacy retention deletion policy owner evidence review log ticket control | privacy, retention, deletion, soc2, readiness | 0 |