openclaw/docs/compliance/readiness-checklist.md

13 KiB

title summary permalink
Compliance Readiness Checklist Self-assessment checklist for SOC2 Type II and ISO 27001 compliance readiness. /compliance/readiness-checklist/

Compliance Readiness Checklist

This checklist helps assess readiness for SOC2 Type II and ISO 27001 compliance audits. Use it to identify gaps and collect evidence.

How to Use This Checklist

  1. Run automated checks: clawdbot security audit --deep
  2. Review each section: Verify controls are implemented
  3. Collect evidence: Document artifacts for each control
  4. Track remediation: Address any gaps identified
  5. Schedule reviews: Re-assess quarterly

SOC2 Trust Services Criteria

CC1: Control Environment

Req Control Verification Evidence
CC1.1 Security policies documented Review /compliance/* docs exist Policy documents
CC1.2 Roles and responsibilities defined Check RBAC config clawdbot config get rbac
CC1.3 Security training provided N/A (organizational) Training records
CC1.4 Competence evaluated N/A (organizational) Performance records

Automated Check:

# Verify RBAC is enabled and configured
clawdbot config get rbac.enabled
clawdbot config get rbac.roles

CC2: Communication and Information

Req Control Verification Evidence
CC2.1 Security policies communicated Policies accessible Documentation links
CC2.2 External party communications Disclosure policy exists Vulnerability Disclosure
CC2.3 Incident communication Incident response documented Incident Response

CC3: Risk Assessment

Req Control Verification Evidence
CC3.1 Risk objectives defined Threat model documented Threat Model
CC3.2 Risk identification Security audit identifies risks clawdbot security audit --deep
CC3.3 Fraud risk considered Prompt injection risks documented Threat model attack vectors
CC3.4 Change risk assessed Change management documented Change Management

Automated Check:

# Run full security audit
clawdbot security audit --deep

# Check for critical findings
clawdbot security audit --summary

CC4: Monitoring Activities

Req Control Verification Evidence
CC4.1 Ongoing monitoring Audit logging enabled Check audit.jsonl exists
CC4.2 Control effectiveness evaluated Security metrics tracked Security Metrics

Automated Check:

# Verify audit logging is working
ls -la ~/.clawdbot/audit.jsonl

# Check recent audit events
tail -10 ~/.clawdbot/audit.jsonl | jq .type

# Verify Prometheus metrics available (if configured)
curl -s http://localhost:18789/metrics | head -20

CC5: Control Activities

Req Control Verification Evidence
CC5.1 Controls mitigate risks Security controls documented Security hardening guide
CC5.2 Technology controls Automated checks implemented Security audit CLI
CC5.3 Policies deployed Configuration enforces policy Config validation

CC6: Logical and Physical Access

Req Control Verification Evidence
CC6.1 Access rights defined RBAC roles documented Access Control Policy
CC6.2 Access provisioned Assignment process defined Access policy procedures
CC6.3 Access removed Revocation process defined Access policy procedures
CC6.4 Access reviewed Review schedule exists Quarterly review records
CC6.5 Physical access N/A (software system) -
CC6.6 Authentication mechanisms Token/password/Tailscale configured Gateway auth config
CC6.7 Access credentials managed Token rotation guidance Security hardening guide
CC6.8 Transmission protected Rate limiting implemented Rate limit config

Automated Check:

# Verify authentication is configured
clawdbot security audit --deep | grep -i "auth"

# Check RBAC is enabled
clawdbot config get rbac.enabled

# Verify no wildcard allowlists
clawdbot security audit --deep | grep -i "wildcard"

CC7: System Operations

Req Control Verification Evidence
CC7.1 Vulnerabilities detected Security audit runs Audit output
CC7.2 Anomalies monitored Alerting configured Prometheus alerts
CC7.3 Incidents evaluated Incident response defined Incident Response
CC7.4 Incidents responded to Response procedures exist Incident response phases
CC7.5 Recovery activities Recovery procedures exist Incident response Phase 4

Automated Check:

# Run vulnerability scan
clawdbot security audit --deep

# Check for security findings
clawdbot security audit --summary

CC8: Change Management

Req Control Verification Evidence
CC8.1 Changes authorized Change process documented Change Management

Automated Check:

# Check config change audit events
cat ~/.clawdbot/audit.jsonl | jq 'select(.type == "config.change")' | tail -5

CC9: Risk Mitigation

Req Control Verification Evidence
CC9.1 Risk mitigation Controls reduce risk Threat model mitigations
CC9.2 Vendor risk Provider risks documented Data handling policy

ISO 27001 Annex A Controls

A.5: Information Security Policies

Control Requirement Evidence
A.5.1.1 Policies for information security Compliance documentation suite
A.5.1.2 Review of policies Review dates on policy documents

A.6: Organization of Information Security

Control Requirement Evidence
A.6.1.1 Information security roles RBAC role definitions
A.6.1.2 Segregation of duties Role separation (admin vs user)

A.9: Access Control

Control Requirement Evidence
A.9.1.1 Access control policy Access Control Policy
A.9.1.2 Access to networks Gateway bind configuration
A.9.2.1 User registration Pairing procedures
A.9.2.2 Access provisioning Role assignment procedures
A.9.2.3 Privileged access Admin/operator role restrictions
A.9.2.4 Secret authentication Token generation guidance
A.9.2.5 Access rights review Quarterly review schedule
A.9.2.6 Access removal Revocation procedures
A.9.4.1 Access restriction RBAC permission checks
A.9.4.2 Secure log-on Rate limiting, exponential backoff
A.9.4.3 Password management Token/password requirements

Automated Check:

# Full access control verification
clawdbot security audit --deep | grep -E "(rbac|auth|pairing|allowlist)"

A.12: Operations Security

Control Requirement Evidence
A.12.1.1 Documented procedures CLI documentation
A.12.1.2 Change management Change Management
A.12.1.4 Separation of environments Config isolation per agent
A.12.4.1 Event logging Audit log implementation
A.12.4.2 Protection of logs File permissions (0o600)
A.12.4.3 Admin/operator logs Auth events logged
A.12.6.1 Technical vulnerabilities Security audit CLI

A.14: System Development

Control Requirement Evidence
A.14.2.2 Change control Change management procedures
A.14.2.3 Technical review Security audit after changes

A.16: Incident Management

Control Requirement Evidence
A.16.1.1 Responsibilities defined Incident response roles
A.16.1.2 Reporting events Detection procedures
A.16.1.3 Reporting weaknesses Vulnerability disclosure
A.16.1.4 Assessment of events Severity classification
A.16.1.5 Response to incidents Response phases
A.16.1.6 Learning from incidents Post-incident review
A.16.1.7 Collection of evidence Evidence collection guidance

A.18: Compliance

Control Requirement Evidence
A.18.2.2 Compliance with policies Security audit verification
A.18.2.3 Technical compliance Automated compliance checks

Evidence Collection Guide

Automated Evidence

Evidence Type Collection Method Frequency
Security audit report clawdbot security audit --deep > audit-$(date +%Y%m%d).txt Weekly
Configuration snapshot clawdbot config show > config-$(date +%Y%m%d).yaml After changes
Audit log export cp ~/.clawdbot/audit*.jsonl evidence/ Daily
Metrics snapshot curl localhost:18789/metrics > metrics-$(date +%Y%m%d).txt Weekly

Manual Evidence

Evidence Type Collection Method Frequency
Access review records Document review meetings Quarterly
Incident records Completed incident templates Per incident
Training records Training completion certificates Annually
Policy acknowledgments Signed policy forms At hire, annually

Evidence Retention

Evidence Type Retention Period Storage
Audit logs 1 year Secure backup
Security audits 2 years Document management
Incident records 3 years Secure archive
Configuration history 1 year Version control

Gap Remediation

Priority Matrix

Severity Example Remediation Timeframe
Critical No gateway auth, wildcard allowlists Immediate (24 hours)
High RBAC disabled, weak tokens 1 week
Medium Missing documentation, review overdue 30 days
Low Informational findings 90 days

Common Gaps and Remediation

Gap Finding Remediation
No RBAC rbac.enabled: false Enable RBAC, assign roles
Weak auth Token < 24 chars Generate strong token
Open DMs dmPolicy: "open" Use pairing or allowlist
No audit Audit file missing Verify audit logging config
Wildcard access allowFrom: ["*"] Replace with explicit IDs

Compliance Summary Dashboard

Run this script to generate a compliance status summary:

#!/bin/bash
echo "=== Moltbot Compliance Status ==="
echo "Date: $(date)"
echo ""

echo "--- Security Audit Summary ---"
clawdbot security audit --summary 2>/dev/null || echo "Security audit failed"
echo ""

echo "--- RBAC Status ---"
clawdbot config get rbac.enabled 2>/dev/null || echo "RBAC config unavailable"
echo ""

echo "--- Gateway Auth ---"
clawdbot config get gateway.auth.mode 2>/dev/null || echo "Auth config unavailable"
echo ""

echo "--- Audit Log Status ---"
if [ -f ~/.clawdbot/audit.jsonl ]; then
    echo "Audit log exists"
    echo "Last entry: $(tail -1 ~/.clawdbot/audit.jsonl | jq -r '.ts')"
    echo "Total events: $(wc -l < ~/.clawdbot/audit.jsonl)"
else
    echo "WARNING: No audit log found"
fi
echo ""

echo "--- Critical Findings ---"
clawdbot security audit --deep 2>/dev/null | grep -i "critical" || echo "No critical findings"

Review Schedule

Review Type Frequency Participants Output
Access review Quarterly Security, HR Updated assignments
Policy review Semi-annually Security, Legal Updated policies
Security audit Weekly (automated) Security Audit report
Full compliance assessment Annually Security, Audit Readiness report

Certification Path

SOC2 Type II

  1. Gap assessment (this checklist)
  2. Remediation (address critical/high gaps)
  3. Control operation (3-12 month observation period)
  4. Auditor engagement
  5. Evidence collection (automated + manual)
  6. Audit examination
  7. Report issuance

ISO 27001

  1. Gap assessment (this checklist)
  2. ISMS documentation
  3. Control implementation
  4. Internal audit
  5. Management review
  6. Certification audit (Stage 1)
  7. Certification audit (Stage 2)
  8. Certification
  9. Surveillance audits (annually)

Checklist owner: Security Team Last updated: 2026-01-27 Next review: 2026-04-27