
SOC 2 Trust Services Criteria Risk Assessment Generator

Generate audit-ready risk assessments mapped to AICPA Trust Services Criteria with actionable mitigation strategies.

Tags: soc2, compliance, risk assessment, trust-services-criteria, audit-preparation
Created by PromptLib Team
Published February 11, 2026
4,135 copies
4.0 rating
You are an expert SOC 2 compliance consultant and information security risk manager with deep expertise in AICPA Trust Services Criteria (TSC) and risk assessment methodologies (ISO 27005, NIST SP 800-30). Your task is to generate a comprehensive, audit-ready SOC 2 Risk Assessment Report.

**CONTEXT INPUTS:**
- Organization: [COMPANY_NAME]
- Business Description: [BUSINESS_DESCRIPTION]
- In-Scope Systems/Assets: [IN_SCOPE_SYSTEMS]
- Technology Stack: [TECH_STACK]
- Applicable Trust Services Criteria Categories: [TSC_CATEGORIES] (Options: Security (CC), Availability (A), Processing Integrity (PI), Confidentiality (C), Privacy (P). Default to all if not specified)
- Current Control Environment: [CURRENT_CONTROLS] (e.g., "Basic AWS security groups, annual penetration testing, no formal IAM")
- Risk Appetite: [RISK_APPETITE] (e.g., Low/Medium/High)
- Compliance Maturity: [MATURITY_LEVEL] (e.g., Startup/Scaling/Enterprise)

**YOUR TASK:**
Generate a detailed Risk Assessment containing:

1. **Executive Summary**: High-level overview of top 5 critical risks and overall risk posture.

2. **Risk Identification & Analysis** (Minimum 12-15 risks covering all applicable TSC categories):
   For each risk, provide:
   - Risk ID (e.g., R-001)
   - Risk Statement (clear "If...then..." format)
   - Threat Source (Internal/External/Environmental)
   - Vulnerability Description
   - Affected Assets from [IN_SCOPE_SYSTEMS]
   - TSC Mapping (Specific Common Criteria numbers, e.g., CC6.1, CC7.2)
   - Likelihood (1-5 scale with justification)
   - Impact (1-5 scale with justification based on confidentiality, integrity, availability)
   - Inherent Risk Score (Likelihood × Impact)
   - Residual Risk Score (after considering [CURRENT_CONTROLS])

3. **Risk Treatment Plan**:
   - Proposed Mitigation Controls (aligned with SOC 2 requirements)
   - Control Owner (role-based)
   - Implementation Timeline
   - Risk Response Strategy (Accept/Mitigate/Transfer/Avoid)
   - Target Residual Risk Level

4. **Compliance Gap Analysis**:
   - Specific TSC requirements not currently met
   - Priority ranking for remediation
   - Evidence requirements for audit

**FORMAT REQUIREMENTS:**
- Use professional markdown tables for the risk register
- Include a risk matrix visualization (High/Medium/Low categorization)
- Ensure all risks explicitly map to at least one TSC sub-category
- Provide specific, actionable control recommendations (not generic "implement security")
- Tone: Professional, technical, suitable for auditor consumption

**CONSTRAINTS:**
- Do not hallucinate specific technologies not mentioned in [TECH_STACK]
- Ensure risk scenarios are realistic for the organization's [MATURITY_LEVEL]
- Consider cloud-native threats if AWS/Azure/GCP mentioned in stack
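
As an added example (not part of the original prompt or of the PromptLib page), the following Python helper applies the scoring scheme the prompt specifies (1-5 Likelihood × Impact, inherent versus residual after current controls) and mechanically checks the format requirements above before a register is handed to an auditor: every risk maps to at least one syntactically valid TSC sub-category, statements are in "If...then..." form, affected assets are in scope, and residual risk never exceeds inherent risk. It then renders the markdown register and a 5×5 residual risk matrix. The High/Medium/Low thresholds, the TSC identifier pattern and all sample risks are constructed assumptions, not values from the page.

```python
import re
from dataclasses import dataclass

# Assumed pattern for TSC sub-category ids (CC1-CC9, A1, PI1, C1, P1-P8 followed by ".n").
TSC_ID = re.compile(r"^(CC[1-9]|A1|PI1|C1|P[1-8])\.\d+$")
THREAT_SOURCES = {"Internal", "External", "Environmental"}


def rating(score: int) -> str:
    """Bucket a 1-25 Likelihood x Impact score into High/Medium/Low (thresholds assumed)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    risk_id: str
    statement: str        # "If ... then ..." wording required by the prompt
    threat_source: str    # Internal / External / Environmental
    assets: list          # must be drawn from the in-scope system list
    tsc: list             # TSC sub-category ids, e.g. "CC6.1"
    likelihood: int       # inherent, 1-5
    impact: int           # inherent, 1-5
    res_likelihood: int   # after current controls, 1-5
    res_impact: int       # after current controls, 1-5

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        return self.res_likelihood * self.res_impact


def validate(risk: Risk, in_scope: set) -> list:
    """Return a list of audit-readiness problems for one risk (empty list means clean)."""
    problems = []
    for name in ("likelihood", "impact", "res_likelihood", "res_impact"):
        value = getattr(risk, name)
        if not 1 <= value <= 5:
            problems.append(f"{risk.risk_id}: {name}={value} is outside the 1-5 scale")
    if risk.residual > risk.inherent:
        problems.append(f"{risk.risk_id}: residual score exceeds inherent score")
    if not risk.tsc:
        problems.append(f"{risk.risk_id}: no TSC mapping")
    for criterion in risk.tsc:
        if not TSC_ID.match(criterion):
            problems.append(f"{risk.risk_id}: '{criterion}' is not a TSC sub-category id")
    for asset in risk.assets:
        if asset not in in_scope:
            problems.append(f"{risk.risk_id}: asset '{asset}' is not in scope")
    if not re.match(r"^If\b.*\bthen\b", risk.statement, re.IGNORECASE):
        problems.append(f"{risk.risk_id}: statement is not in 'If...then...' form")
    if risk.threat_source not in THREAT_SOURCES:
        problems.append(f"{risk.risk_id}: threat source '{risk.threat_source}' is not recognised")
    return problems


def render_register(risks: list) -> str:
    """Markdown risk register, highest residual risk first."""
    lines = [
        "| ID | Risk Statement | Source | TSC | L | I | Inherent | Residual | Rating |",
        "|---|---|---|---|---|---|---|---|---|",
    ]
    for r in sorted(risks, key=lambda r: -r.residual):
        lines.append(
            f"| {r.risk_id} | {r.statement} | {r.threat_source} | {', '.join(r.tsc)} | "
            f"{r.likelihood} | {r.impact} | {r.inherent} | {r.residual} | {rating(r.residual)} |"
        )
    return "\n".join(lines)


def render_matrix(risks: list) -> str:
    """5x5 residual risk matrix: rows are impact (5 at top), columns are likelihood."""
    cells = {(lk, im): [] for lk in range(1, 6) for im in range(1, 6)}
    for r in risks:
        cells[(r.res_likelihood, r.res_impact)].append(r.risk_id)
    lines = ["| Impact \\ Likelihood | 1 | 2 | 3 | 4 | 5 |", "|---|---|---|---|---|---|"]
    for im in range(5, 0, -1):
        row = [str(im)] + [f"{rating(lk * im)[0]}: {' '.join(cells[(lk, im)]) or '-'}" for lk in range(1, 6)]
        lines.append("| " + " | ".join(row) + " |")
    return "\n".join(lines)


def build_report(risks: list, in_scope: set) -> str:
    """Validate every risk, then return register plus matrix; refuse to render a broken register."""
    problems = [p for r in risks for p in validate(r, in_scope)]
    if problems:
        raise ValueError("register is not audit-ready:\n" + "\n".join(problems))
    return render_register(risks) + "\n\n" + render_matrix(risks)


# Constructed sample scope and risks (illustrative only).
IN_SCOPE = {"prod-aws-account", "customer-db", "ci-pipeline"}
SAMPLE_RISKS = [
    Risk("R-001", "If IAM users share long-lived access keys, then a leaked key grants persistent access to prod-aws-account",
         "External", ["prod-aws-account"], ["CC6.1", "CC6.2"], 4, 5, 3, 5),
    Risk("R-002", "If customer-db backups are never restore-tested, then a corruption event exceeds the recovery objective",
         "Internal", ["customer-db"], ["A1.2", "CC7.5"], 3, 4, 2, 4),
    Risk("R-003", "If ci-pipeline secrets are echoed into build logs, then anyone with log access obtains production credentials",
         "Internal", ["ci-pipeline"], ["CC6.1"], 3, 4, 3, 3),
]

if __name__ == "__main__":
    print(build_report(SAMPLE_RISKS, IN_SCOPE))
```

`build_report` raises rather than rendering when any check fails, so a register with an out-of-scope asset or an unmapped risk cannot silently reach the audit package; the `validate` output doubles as the gap list for the Compliance Gap Analysis section.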

Best Use Cases

- Pre-audit preparation: Generate initial risk registers 3-6 months before a SOC 2 audit to identify gaps
- Quarterly risk reviews: Update the risk assessments required for SOC 2 Type II continuous monitoring
- New system onboarding: Assess risks before adding new infrastructure to SOC 2 scope
- Vendor risk management: Adapt the prompt to assess fourth-party risks affecting your SOC 2 controls
- Board reporting: Create executive-level risk summaries for governance committees overseeing compliance