| title |
summary |
permalink |
| Compliance Readiness Checklist |
Self-assessment checklist for SOC2 Type II and ISO 27001 compliance readiness. |
/compliance/readiness-checklist/ |
Compliance Readiness Checklist
This checklist helps assess readiness for SOC2 Type II and ISO 27001 compliance audits. Use it to identify gaps and collect evidence.
How to Use This Checklist
- Run automated checks:
clawdbot security audit --deep
- Review each section: Verify controls are implemented
- Collect evidence: Document artifacts for each control
- Track remediation: Address any gaps identified
- Schedule reviews: Re-assess quarterly
SOC2 Trust Services Criteria
CC1: Control Environment
| Req |
Control |
Verification |
Evidence |
| CC1.1 |
Security policies documented |
Review /compliance/* docs exist |
Policy documents |
| CC1.2 |
Roles and responsibilities defined |
Check RBAC config |
clawdbot config get rbac |
| CC1.3 |
Security training provided |
N/A (organizational) |
Training records |
| CC1.4 |
Competence evaluated |
N/A (organizational) |
Performance records |
Automated Check:
# Verify RBAC is enabled and configured
clawdbot config get rbac.enabled
clawdbot config get rbac.roles
CC2: Communication and Information
| Req |
Control |
Verification |
Evidence |
| CC2.1 |
Security policies communicated |
Policies accessible |
Documentation links |
| CC2.2 |
External party communications |
Disclosure policy exists |
Vulnerability Disclosure |
| CC2.3 |
Incident communication |
Incident response documented |
Incident Response |
CC3: Risk Assessment
| Req |
Control |
Verification |
Evidence |
| CC3.1 |
Risk objectives defined |
Threat model documented |
Threat Model |
| CC3.2 |
Risk identification |
Security audit identifies risks |
clawdbot security audit --deep |
| CC3.3 |
Fraud risk considered |
Prompt injection risks documented |
Threat model attack vectors |
| CC3.4 |
Change risk assessed |
Change management documented |
Change Management |
Automated Check:
# Run full security audit
clawdbot security audit --deep
# Check for critical findings
clawdbot security audit --summary
CC4: Monitoring Activities
| Req |
Control |
Verification |
Evidence |
| CC4.1 |
Ongoing monitoring |
Audit logging enabled |
Check audit.jsonl exists |
| CC4.2 |
Control effectiveness evaluated |
Security metrics tracked |
Security Metrics |
Automated Check:
# Verify audit logging is working
ls -la ~/.clawdbot/audit.jsonl
# Check recent audit events
tail -10 ~/.clawdbot/audit.jsonl | jq .type
# Verify Prometheus metrics available (if configured)
curl -s http://localhost:18789/metrics | head -20
CC5: Control Activities
| Req |
Control |
Verification |
Evidence |
| CC5.1 |
Controls mitigate risks |
Security controls documented |
Security hardening guide |
| CC5.2 |
Technology controls |
Automated checks implemented |
Security audit CLI |
| CC5.3 |
Policies deployed |
Configuration enforces policy |
Config validation |
CC6: Logical and Physical Access
| Req |
Control |
Verification |
Evidence |
| CC6.1 |
Access rights defined |
RBAC roles documented |
Access Control Policy |
| CC6.2 |
Access provisioned |
Assignment process defined |
Access policy procedures |
| CC6.3 |
Access removed |
Revocation process defined |
Access policy procedures |
| CC6.4 |
Access reviewed |
Review schedule exists |
Quarterly review records |
| CC6.5 |
Physical access |
N/A (software system) |
- |
| CC6.6 |
Authentication mechanisms |
Token/password/Tailscale configured |
Gateway auth config |
| CC6.7 |
Access credentials managed |
Token rotation guidance |
Security hardening guide |
| CC6.8 |
Transmission protected |
Rate limiting implemented |
Rate limit config |
Automated Check:
# Verify authentication is configured
clawdbot security audit --deep | grep -i "auth"
# Check RBAC is enabled
clawdbot config get rbac.enabled
# Verify no wildcard allowlists
clawdbot security audit --deep | grep -i "wildcard"
CC7: System Operations
| Req |
Control |
Verification |
Evidence |
| CC7.1 |
Vulnerabilities detected |
Security audit runs |
Audit output |
| CC7.2 |
Anomalies monitored |
Alerting configured |
Prometheus alerts |
| CC7.3 |
Incidents evaluated |
Incident response defined |
Incident Response |
| CC7.4 |
Incidents responded to |
Response procedures exist |
Incident response phases |
| CC7.5 |
Recovery activities |
Recovery procedures exist |
Incident response Phase 4 |
Automated Check:
# Run vulnerability scan
clawdbot security audit --deep
# Check for security findings
clawdbot security audit --summary
CC8: Change Management
| Req |
Control |
Verification |
Evidence |
| CC8.1 |
Changes authorized |
Change process documented |
Change Management |
Automated Check:
# Check config change audit events
cat ~/.clawdbot/audit.jsonl | jq 'select(.type == "config.change")' | tail -5
CC9: Risk Mitigation
| Req |
Control |
Verification |
Evidence |
| CC9.1 |
Risk mitigation |
Controls reduce risk |
Threat model mitigations |
| CC9.2 |
Vendor risk |
Provider risks documented |
Data handling policy |
ISO 27001 Annex A Controls
A.5: Information Security Policies
| Control |
Requirement |
Evidence |
| A.5.1.1 |
Policies for information security |
Compliance documentation suite |
| A.5.1.2 |
Review of policies |
Review dates on policy documents |
A.6: Organization of Information Security
| Control |
Requirement |
Evidence |
| A.6.1.1 |
Information security roles |
RBAC role definitions |
| A.6.1.2 |
Segregation of duties |
Role separation (admin vs user) |
A.9: Access Control
| Control |
Requirement |
Evidence |
| A.9.1.1 |
Access control policy |
Access Control Policy |
| A.9.1.2 |
Access to networks |
Gateway bind configuration |
| A.9.2.1 |
User registration |
Pairing procedures |
| A.9.2.2 |
Access provisioning |
Role assignment procedures |
| A.9.2.3 |
Privileged access |
Admin/operator role restrictions |
| A.9.2.4 |
Secret authentication |
Token generation guidance |
| A.9.2.5 |
Access rights review |
Quarterly review schedule |
| A.9.2.6 |
Access removal |
Revocation procedures |
| A.9.4.1 |
Access restriction |
RBAC permission checks |
| A.9.4.2 |
Secure log-on |
Rate limiting, exponential backoff |
| A.9.4.3 |
Password management |
Token/password requirements |
Automated Check:
# Full access control verification
clawdbot security audit --deep | grep -E "(rbac|auth|pairing|allowlist)"
A.12: Operations Security
| Control |
Requirement |
Evidence |
| A.12.1.1 |
Documented procedures |
CLI documentation |
| A.12.1.2 |
Change management |
Change Management |
| A.12.1.4 |
Separation of environments |
Config isolation per agent |
| A.12.4.1 |
Event logging |
Audit log implementation |
| A.12.4.2 |
Protection of logs |
File permissions (0o600) |
| A.12.4.3 |
Admin/operator logs |
Auth events logged |
| A.12.6.1 |
Technical vulnerabilities |
Security audit CLI |
A.14: System Development
| Control |
Requirement |
Evidence |
| A.14.2.2 |
Change control |
Change management procedures |
| A.14.2.3 |
Technical review |
Security audit after changes |
A.16: Incident Management
| Control |
Requirement |
Evidence |
| A.16.1.1 |
Responsibilities defined |
Incident response roles |
| A.16.1.2 |
Reporting events |
Detection procedures |
| A.16.1.3 |
Reporting weaknesses |
Vulnerability disclosure |
| A.16.1.4 |
Assessment of events |
Severity classification |
| A.16.1.5 |
Response to incidents |
Response phases |
| A.16.1.6 |
Learning from incidents |
Post-incident review |
| A.16.1.7 |
Collection of evidence |
Evidence collection guidance |
A.18: Compliance
| Control |
Requirement |
Evidence |
| A.18.2.2 |
Compliance with policies |
Security audit verification |
| A.18.2.3 |
Technical compliance |
Automated compliance checks |
Evidence Collection Guide
Automated Evidence
| Evidence Type |
Collection Method |
Frequency |
| Security audit report |
clawdbot security audit --deep > audit-$(date +%Y%m%d).txt |
Weekly |
| Configuration snapshot |
clawdbot config show > config-$(date +%Y%m%d).yaml |
After changes |
| Audit log export |
cp ~/.clawdbot/audit*.jsonl evidence/ |
Daily |
| Metrics snapshot |
curl localhost:18789/metrics > metrics-$(date +%Y%m%d).txt |
Weekly |
Manual Evidence
| Evidence Type |
Collection Method |
Frequency |
| Access review records |
Document review meetings |
Quarterly |
| Incident records |
Completed incident templates |
Per incident |
| Training records |
Training completion certificates |
Annually |
| Policy acknowledgments |
Signed policy forms |
At hire, annually |
Evidence Retention
| Evidence Type |
Retention Period |
Storage |
| Audit logs |
1 year |
Secure backup |
| Security audits |
2 years |
Document management |
| Incident records |
3 years |
Secure archive |
| Configuration history |
1 year |
Version control |
Gap Remediation
Priority Matrix
| Severity |
Example |
Remediation Timeframe |
| Critical |
No gateway auth, wildcard allowlists |
Immediate (24 hours) |
| High |
RBAC disabled, weak tokens |
1 week |
| Medium |
Missing documentation, review overdue |
30 days |
| Low |
Informational findings |
90 days |
Common Gaps and Remediation
| Gap |
Finding |
Remediation |
| No RBAC |
rbac.enabled: false |
Enable RBAC, assign roles |
| Weak auth |
Token < 24 chars |
Generate strong token |
| Open DMs |
dmPolicy: "open" |
Use pairing or allowlist |
| No audit |
Audit file missing |
Verify audit logging config |
| Wildcard access |
allowFrom: ["*"] |
Replace with explicit IDs |
Compliance Summary Dashboard
Run this script to generate a compliance status summary:
#!/bin/bash
echo "=== Moltbot Compliance Status ==="
echo "Date: $(date)"
echo ""
echo "--- Security Audit Summary ---"
clawdbot security audit --summary 2>/dev/null || echo "Security audit failed"
echo ""
echo "--- RBAC Status ---"
clawdbot config get rbac.enabled 2>/dev/null || echo "RBAC config unavailable"
echo ""
echo "--- Gateway Auth ---"
clawdbot config get gateway.auth.mode 2>/dev/null || echo "Auth config unavailable"
echo ""
echo "--- Audit Log Status ---"
if [ -f ~/.clawdbot/audit.jsonl ]; then
echo "Audit log exists"
echo "Last entry: $(tail -1 ~/.clawdbot/audit.jsonl | jq -r '.ts')"
echo "Total events: $(wc -l < ~/.clawdbot/audit.jsonl)"
else
echo "WARNING: No audit log found"
fi
echo ""
echo "--- Critical Findings ---"
clawdbot security audit --deep 2>/dev/null | grep -i "critical" || echo "No critical findings"
Review Schedule
| Review Type |
Frequency |
Participants |
Output |
| Access review |
Quarterly |
Security, HR |
Updated assignments |
| Policy review |
Semi-annually |
Security, Legal |
Updated policies |
| Security audit |
Weekly (automated) |
Security |
Audit report |
| Full compliance assessment |
Annually |
Security, Audit |
Readiness report |
Certification Path
SOC2 Type II
- Gap assessment (this checklist)
- Remediation (address critical/high gaps)
- Control operation (3-12 month observation period)
- Auditor engagement
- Evidence collection (automated + manual)
- Audit examination
- Report issuance
ISO 27001
- Gap assessment (this checklist)
- ISMS documentation
- Control implementation
- Internal audit
- Management review
- Certification audit (Stage 1)
- Certification audit (Stage 2)
- Certification
- Surveillance audits (annually)
Related Documentation
Checklist owner: Security Team
Last updated: 2026-01-27
Next review: 2026-04-27