Gap
`data/frameworks/soc2-tsc.json` declares an 11-criterion subset under `scoring.criteria` (CC5, CC6.1, CC6.2, …, CC8.1) — but only the criteria that are M365-automatable. Plus a `nonAutomatableCriteria` block for CC1–CC4, CC9. The top-level axis — the 5 SOC 2 Trust Services Categories — is not declared at all:

| Code | Category |
|------|----------|
| CC | Common Criteria (Security) |
| A | Availability |
| C | Confidentiality |
| PI | Processing Integrity |
| P | Privacy |

Every SOC 2 controlId in `data/registry.json` carries this prefix: `CC6.1`, `CC1.1-POF3`, `A1.2`, `PI1.2-POF1`, etc. Today CheckID forces consumers to either flatten everything to the criterion level or invent the category axis themselves.
Proposed axes
After spike resolution, `soc2-tsc.json` would declare two (or three) axes:
- Trust Services Category (5 values: CC, A, C, PI, P) — top-level grouping
- Criterion — the current `scoring.criteria` block, expanded to cover all numbered criteria across all 5 categories (CC1–CC9, A1, C1, PI1, P1–P8)
- Point of Focus (optional, 3rd axis) — the `-POFn` suffix that some controlIds carry (e.g. `CC6.1-POF3`)

`nonAutomatableCriteria` would either fold into the `automatable: false` flag on values, or stay as a sibling annotation block — TBD by spike.
Extraction
- Category: `^([A-Z]+)` → letters at start (`CC1.1` → `CC`, `PI1.2-POF1` → `PI`).
- Criterion: `^([A-Z]+\d+)` → letters + first digit run (`CC1.1-POF3` → `CC1`).
- Point of Focus: `-(POF\d+)` from end (where present).
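The three extraction rules above, applied to constructed sample controlIds and checked against the five declared categories, as an added example (not the project's own code; the function names, the `CATEGORIES` map and the sample ids are assumptions taken from the table and examples in this issue, not from the real registry):

```python
import re
from collections import defaultdict

# The five Trust Services Categories from the table above (assumed shape, not the JSON file's).
CATEGORIES = {"CC": "Common Criteria (Security)", "A": "Availability",
              "C": "Confidentiality", "PI": "Processing Integrity", "P": "Privacy"}

CATEGORY_RE = re.compile(r"^([A-Z]+)")        # letters at start
CRITERION_RE = re.compile(r"^([A-Z]+\d+)")    # letters + first digit run
POF_RE = re.compile(r"-(POF\d+)$")            # -POFn suffix, where present


def parse_control_id(control_id: str) -> dict:
    """Split a SOC 2 controlId into its category / criterion / point-of-focus axes.

    Raises ValueError when the id does not resolve to one of the declared
    categories, so a registry consistency check fails loudly instead of
    silently inventing a category the framework file never declared."""
    cat = CATEGORY_RE.match(control_id)
    crit = CRITERION_RE.match(control_id)
    if not cat or not crit or cat.group(1) not in CATEGORIES:
        raise ValueError(f"controlId {control_id!r} does not resolve to a declared category/criterion")
    pof = POF_RE.search(control_id)
    return {"category": cat.group(1), "criterion": crit.group(1),
            "pof": pof.group(1) if pof else None}


def group_by_axes(control_ids):
    """Build the category -> criterion -> [controlIds] view that consumers
    currently have to assemble themselves."""
    tree = defaultdict(lambda: defaultdict(list))
    for cid in control_ids:
        axes = parse_control_id(cid)
        tree[axes["category"]][axes["criterion"]].append(cid)
    return {cat: dict(crits) for cat, crits in tree.items()}


# Constructed sample ids; shapes follow the issue text, values are not real registry contents.
SAMPLE_IDS = ["CC6.1", "CC1.1-POF3", "A1.2", "PI1.2-POF1", "CC6.2", "P8.1"]

if __name__ == "__main__":
    for cid in SAMPLE_IDS:
        print(cid, parse_control_id(cid))
    print(group_by_axes(SAMPLE_IDS))
```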
Acceptance criteria
- `data/frameworks/soc2-tsc.json` declares category + criterion axes per agreed shape
- Other) `data/registry.json` resolves to a declared category and criterion
- `nonAutomatableCriteria` semantics preserved (either as values metadata or sibling block)
Blocked by
Spike #317.
Source
AICPA TSP Section 100 (2017, with 2022 points of focus revision).