Claude-Skills information-security-manager-iso27001

install

source · Clone the upstream repo

git clone https://github.com/borghei/Claude-Skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/borghei/Claude-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/ra-qm-team/information-security-manager-iso27001" ~/.claude/skills/borghei-claude-skills-information-security-manager-iso27001 && rm -rf "$T"

manifest: ra-qm-team/information-security-manager-iso27001/SKILL.md

source content

Information Security Manager - ISO 27001

Implement and manage Information Security Management Systems (ISMS) aligned with ISO 27001:2022 and healthcare regulatory requirements.

Trigger Phrases
Quick Start
Tools
Workflows
Reference Guides
Validation Checkpoints

Trigger Phrases

Use this skill when you hear:

"implement ISO 27001"
"ISMS implementation"
"security risk assessment"
"information security policy"
"ISO 27001 certification"
"security controls implementation"
"incident response plan"
"healthcare data security"
"medical device cybersecurity"
"security compliance audit"

Quick Start

Run Security Risk Assessment

python scripts/risk_assessment.py --scope "patient-data-system" --output risk_register.json

Check Compliance Status

python scripts/compliance_checker.py --standard iso27001 --controls-file controls.csv

Generate Gap Analysis Report

python scripts/compliance_checker.py --standard iso27001 --gap-analysis --output gaps.md

Tools

risk_assessment.py

Automated security risk assessment following ISO 27001 Clause 6.1.2 methodology.

Usage:

# Full risk assessment
python scripts/risk_assessment.py --scope "cloud-infrastructure" --output risks.json

# Healthcare-specific assessment
python scripts/risk_assessment.py --scope "ehr-system" --template healthcare --output risks.json

# Quick asset-based assessment
python scripts/risk_assessment.py --assets assets.csv --output risks.json

Parameters:

Parameter	Required	Description
`--scope`	Yes	System or area to assess
`--template`	No	Assessment template: `general` , `healthcare` , `cloud`
`--assets`	No	CSV file with asset inventory
`--output`	No	Output file (default: stdout)
`--format`	No	Output format: `json` , `csv` , `markdown`

Output:

Asset inventory with classification
Threat and vulnerability mapping
Risk scores (likelihood × impact)
Treatment recommendations
Residual risk calculations

compliance_checker.py

Verify ISO 27001/27002 control implementation status.

Usage:

# Check all ISO 27001 controls
python scripts/compliance_checker.py --standard iso27001

# Gap analysis with recommendations
python scripts/compliance_checker.py --standard iso27001 --gap-analysis

# Check specific control domains
python scripts/compliance_checker.py --standard iso27001 --domains "access-control,cryptography"

# Export compliance report
python scripts/compliance_checker.py --standard iso27001 --output compliance_report.md

Parameters:

Parameter	Required	Description
`--standard`	Yes	Standard to check: `iso27001` , `iso27002` , `hipaa`
`--controls-file`	No	CSV with current control status
`--gap-analysis`	No	Include remediation recommendations
`--domains`	No	Specific control domains to check
`--output`	No	Output file path

Output:

Control implementation status
Compliance percentage by domain
Gap analysis with priorities
Remediation recommendations

Workflows

Workflow 1: ISMS Implementation

Step 1: Define Scope and Context

Document organizational context and ISMS boundaries:

Identify interested parties and requirements
Define ISMS scope and boundaries
Document internal/external issues

Validation: Scope statement reviewed and approved by management.

Step 2: Conduct Risk Assessment

python scripts/risk_assessment.py --scope "full-organization" --template general --output initial_risks.json

Identify information assets
Assess threats and vulnerabilities
Calculate risk levels
Determine risk treatment options

Validation: Risk register contains all critical assets with assigned owners.

Step 3: Select and Implement Controls

Map risks to ISO 27002 controls:

python scripts/compliance_checker.py --standard iso27002 --gap-analysis --output control_gaps.md

Control categories:

Organizational (policies, roles, responsibilities)
People (screening, awareness, training)
Physical (perimeters, equipment, media)
Technological (access, crypto, network, application)

Validation: Statement of Applicability (SoA) documents all controls with justification.

Step 4: Establish Monitoring

Define security metrics:

Incident count and severity trends
Control effectiveness scores
Training completion rates
Audit findings closure rate

Validation: Dashboard shows real-time compliance status.

Workflow 2: Security Risk Assessment

Step 1: Asset Identification

Create asset inventory:

Asset Type	Examples	Classification
Information	Patient records, source code	Confidential
Software	EHR system, APIs	Critical
Hardware	Servers, medical devices	High
Services	Cloud hosting, backup	High
People	Admin accounts, developers	Varies

Validation: All assets have assigned owners and classifications.

Step 2: Threat Analysis

Identify threats per asset category:

Asset	Threats	Likelihood
Patient data	Unauthorized access, breach	High
Medical devices	Malware, tampering	Medium
Cloud services	Misconfiguration, outage	Medium
Credentials	Phishing, brute force	High

Validation: Threat model covers top-10 industry threats.

Step 3: Vulnerability Assessment

python scripts/risk_assessment.py --scope "network-infrastructure" --output vuln_risks.json

Document vulnerabilities:

Technical (unpatched systems, weak configs)
Process (missing procedures, gaps)
People (lack of training, insider risk)

Validation: Vulnerability scan results mapped to risk register.

Step 4: Risk Evaluation and Treatment

Calculate risk:

Risk = Likelihood × Impact

Risk Level	Score	Treatment
Critical	20-25	Immediate action required
High	15-19	Treatment plan within 30 days
Medium	10-14	Treatment plan within 90 days
Low	5-9	Accept or monitor
Minimal	1-4	Accept

Validation: All high/critical risks have approved treatment plans.

Workflow 3: Incident Response

Step 1: Detection and Reporting

Incident categories:

Security breach (unauthorized access)
Malware infection
Data leakage
System compromise
Policy violation

Validation: Incident logged within 15 minutes of detection.

Step 2: Triage and Classification

Severity	Criteria	Response Time
Critical	Data breach, system down	Immediate
High	Active threat, significant risk	1 hour
Medium	Contained threat, limited impact	4 hours
Low	Minor violation, no impact	24 hours

Validation: Severity assigned and escalation triggered if needed.

Step 3: Containment and Eradication

Immediate actions:

Isolate affected systems
Preserve evidence
Block threat vectors
Remove malicious artifacts

Validation: Containment confirmed, no ongoing compromise.

Step 4: Recovery and Lessons Learned

Post-incident activities:

Restore systems from clean backups
Verify integrity before reconnection
Document timeline and actions
Conduct post-incident review
Update controls and procedures

Validation: Post-incident report completed within 5 business days.

Reference Guides

When to Use Each Reference

references/iso27001-controls.md

Control selection for SoA
Implementation guidance
Evidence requirements
Audit preparation

references/risk-assessment-guide.md

Risk methodology selection
Asset classification criteria
Threat modeling approaches
Risk calculation methods

references/incident-response.md

Response procedures
Escalation matrices
Communication templates
Recovery checklists

Validation Checkpoints

ISMS Implementation Validation

Phase	Checkpoint	Evidence Required
Scope	Scope approved	Signed scope document
Risk	Register complete	Risk register with owners
Controls	SoA approved	Statement of Applicability
Operation	Metrics active	Dashboard screenshots
Audit	Internal audit done	Audit report

Certification Readiness

Before Stage 1 audit:

ISMS scope documented and approved
Information security policy published
Risk assessment completed
Statement of Applicability finalized
Internal audit conducted
Management review completed
Nonconformities addressed

Before Stage 2 audit:

Controls implemented and operational
Evidence of effectiveness available
Staff trained and aware
Incidents logged and managed
Metrics collected for 3+ months

Compliance Verification

Run periodic checks:

# Monthly compliance check
python scripts/compliance_checker.py --standard iso27001 --output monthly_$(date +%Y%m).md

# Quarterly gap analysis
python scripts/compliance_checker.py --standard iso27001 --gap-analysis --output quarterly_gaps.md

Worked Example: Healthcare Risk Assessment

Scenario: Assess security risks for a patient data management system.

Step 1: Define Assets

python scripts/risk_assessment.py --scope "patient-data-system" --template healthcare

Asset inventory output:

Asset ID	Asset	Type	Owner	Classification
A001	Patient database	Information	DBA Team	Confidential
A002	EHR application	Software	App Team	Critical
A003	Database server	Hardware	Infra Team	High
A004	Admin credentials	Access	Security	Critical

Step 2: Identify Risks

Risk register output:

Risk ID	Asset	Threat	Vulnerability	L	I	Score
R001	A001	Data breach	Weak encryption	3	5	15
R002	A002	SQL injection	Input validation	4	4	16
R003	A004	Credential theft	No MFA	4	5	20

Step 3: Determine Treatment

Risk	Treatment	Control	Timeline
R001	Mitigate	Implement AES-256 encryption	30 days
R002	Mitigate	Add input validation, WAF	14 days
R003	Mitigate	Enforce MFA for all admins	7 days

Step 4: Verify Implementation

python scripts/compliance_checker.py --controls-file implemented_controls.csv

Verification output:

Control Implementation Status
=============================
Cryptography (A.8.24): IMPLEMENTED
  - AES-256 at rest: YES
  - TLS 1.3 in transit: YES

Access Control (A.8.5): IMPLEMENTED
  - MFA enabled: YES
  - Admin accounts: 100% coverage

Application Security (A.8.26): PARTIAL
  - Input validation: YES
  - WAF deployed: PENDING

Overall Compliance: 87%

ISO 27001:2022 Annex A Controls — Complete Reference

The 2022 revision restructured controls from 14 domains (114 controls) to 4 themes (93 controls). All organizations must update their Statement of Applicability (SoA) accordingly.

Theme 1: Organizational Controls (37 controls)

Control	Title	Priority
A.5.1	Policies for information security	High
A.5.2	Information security roles and responsibilities	High
A.5.3	Segregation of duties	High
A.5.4	Management responsibilities	Medium
A.5.5	Contact with authorities	Medium
A.5.6	Contact with special interest groups	Low
A.5.7	Threat intelligence	High
A.5.8	Information security in project management	Medium
A.5.9	Inventory of information and other associated assets	High
A.5.10	Acceptable use of information and other associated assets	Medium
A.5.11	Return of assets	Low
A.5.12	Classification of information	High
A.5.13	Labelling of information	Medium
A.5.14	Information transfer	High
A.5.15	Access control	High
A.5.16	Identity management	High
A.5.17	Authentication information	High
A.5.18	Access rights	High
A.5.19	Information security in supplier relationships	High
A.5.20	Addressing information security within supplier agreements	High
A.5.21	Managing information security in the ICT supply chain	High
A.5.22	Monitoring, review and change management of supplier services	Medium
A.5.23	Information security for use of cloud services	High
A.5.24	Information security incident management planning and preparation	High
A.5.25	Assessment and decision on information security events	Medium
A.5.26	Response to information security incidents	High
A.5.27	Learning from information security incidents	Medium
A.5.28	Collection of evidence	Medium
A.5.29	Information security during disruption	High
A.5.30	ICT readiness for business continuity	High
A.5.31	Legal, statutory, regulatory and contractual requirements	High
A.5.32	Intellectual property rights	Medium
A.5.33	Protection of records	Medium
A.5.34	Privacy and protection of PII	High
A.5.35	Independent review of information security	Medium
A.5.36	Compliance with policies, rules and standards for information security	Medium
A.5.37	Documented operating procedures	Medium

Theme 2: People Controls (8 controls)

Control	Title	Priority
A.6.1	Screening	High
A.6.2	Terms and conditions of employment	High
A.6.3	Information security awareness, education and training	High
A.6.4	Disciplinary process	Medium
A.6.5	Responsibilities after termination or change of employment	Medium
A.6.6	Confidentiality or non-disclosure agreements	High
A.6.7	Remote working	High
A.6.8	Information security event reporting	High

Theme 3: Physical Controls (14 controls)

Control	Title	Priority
A.7.1	Physical security perimeters	High
A.7.2	Physical entry	High
A.7.3	Securing offices, rooms and facilities	Medium
A.7.4	Physical security monitoring	Medium
A.7.5	Protecting against physical and environmental threats	Medium
A.7.6	Working in secure areas	Medium
A.7.7	Clear desk and clear screen	Medium
A.7.8	Equipment siting and protection	Medium
A.7.9	Security of assets off-premises	Medium
A.7.10	Storage media	High
A.7.11	Supporting utilities	Medium
A.7.12	Cabling security	Low
A.7.13	Equipment maintenance	Medium
A.7.14	Secure disposal or re-use of equipment	High

Theme 4: Technological Controls (34 controls)

Control	Title	Priority
A.8.1	User endpoint devices	High
A.8.2	Privileged access rights	High
A.8.3	Information access restriction	High
A.8.4	Access to source code	Medium
A.8.5	Secure authentication	High
A.8.6	Capacity management	Medium
A.8.7	Protection against malware	High
A.8.8	Management of technical vulnerabilities	High
A.8.9	Configuration management	High
A.8.10	Information deletion	Medium
A.8.11	Data masking	Medium
A.8.12	Data leakage prevention	High
A.8.13	Information backup	High
A.8.14	Redundancy of information processing facilities	Medium
A.8.15	Logging	High
A.8.16	Monitoring activities	High
A.8.17	Clock synchronization	Low
A.8.18	Use of privileged utility programs	Medium
A.8.19	Installation of software on operational systems	Medium
A.8.20	Networks security	High
A.8.21	Security of network services	High
A.8.22	Segregation of networks	High
A.8.23	Web filtering	Medium
A.8.24	Use of cryptography	High
A.8.25	Secure development life cycle	High
A.8.26	Application security requirements	High
A.8.27	Secure system architecture and engineering principles	High
A.8.28	Secure coding	High
A.8.29	Security testing in development and acceptance	High
A.8.30	Outsourced development	Medium
A.8.31	Separation of development, test and production environments	High
A.8.32	Change management	High
A.8.33	Test information	Medium
A.8.34	Protection of information systems during audit testing	Low

New Controls in ISO 27001:2022

11 controls are entirely new in the 2022 revision:

Control	Title	Why It Was Added
A.5.7	Threat intelligence	Proactive threat awareness
A.5.23	Information security for use of cloud services	Cloud adoption governance
A.5.30	ICT readiness for business continuity	IT-specific continuity planning
A.7.4	Physical security monitoring	Enhanced surveillance requirements
A.8.9	Configuration management	Baseline security configurations
A.8.10	Information deletion	Data lifecycle and privacy
A.8.11	Data masking	Privacy-preserving techniques
A.8.12	Data leakage prevention	DLP as explicit requirement
A.8.16	Monitoring activities	Active security monitoring
A.8.23	Web filtering	Web-based threat mitigation
A.8.28	Secure coding	Development security practices

Cross-Reference: SOC 2 Control Mapping

Map ISO 27001:2022 controls to SOC 2 Trust Services Criteria for organizations requiring both certifications:

SOC 2 Trust Criteria	ISO 27001:2022 Controls	Notes
CC1 — Control Environment	A.5.1, A.5.2, A.5.4, A.6.2	Governance and organizational structure
CC2 — Communication and Information	A.5.14, A.6.3, A.6.8, A.5.37	Internal/external communication
CC3 — Risk Assessment	A.5.7, Clause 6.1.2 (risk assessment)	Threat identification and analysis
CC4 — Monitoring Activities	A.8.15, A.8.16, A.5.35, A.5.36	Logging, monitoring, compliance
CC5 — Control Activities	A.5.15-A.5.18, A.8.1-A.8.5	Access control and authentication
CC6 — Logical and Physical Access	A.5.15, A.7.1, A.7.2, A.8.2, A.8.3	Access management
CC7 — System Operations	A.8.7, A.8.8, A.8.9, A.8.32	Change management, malware, vulnerability management
CC8 — Change Management	A.8.25, A.8.32, A.8.31	SDLC, change control, environment separation
CC9 — Risk Mitigation	A.5.19-A.5.22, A.8.30	Vendor/supplier risk management
Availability	A.5.29, A.5.30, A.8.6, A.8.14	Business continuity, capacity, redundancy
Confidentiality	A.5.12, A.5.13, A.8.11, A.8.12, A.8.24	Classification, DLP, encryption
Processing Integrity	A.8.25-A.8.29, A.8.33	Secure development, testing
Privacy	A.5.34, A.8.10, A.8.11	PII protection, deletion, masking

See also:
../soc2-compliance-specialist/SKILL.md
for full SOC 2 compliance workflows.

Cross-Reference: NIS2 Directive Alignment

The NIS2 Directive (EU 2022/2555) mandates cybersecurity measures for essential and important entities, including healthcare organizations. ISO 27001 provides a strong foundation for NIS2 compliance:

NIS2 Requirement (Art. 21)	ISO 27001:2022 Controls	Gap Analysis
(a) Risk analysis and IS policies	Clause 6.1.2, A.5.1	Fully covered
(b) Incident handling	A.5.24-A.5.28	Add NIS2 reporting timelines (24h/72h)
(c) Business continuity and crisis management	A.5.29, A.5.30	Add crisis management procedures
(d) Supply chain security	A.5.19-A.5.22	Strengthen ICT supply chain assessment
(e) Security in network and IS acquisition	A.8.25-A.8.29	Add vulnerability handling and disclosure
(f) Policies for assessing cybersecurity effectiveness	A.5.35, A.5.36	Add metrics-based effectiveness measurement
(g) Basic cyber hygiene and training	A.6.3, A.6.8	Covered
(h) Policies on use of cryptography and encryption	A.8.24	Covered
(i) Human resources security and access control	A.5.15-A.5.18, A.6.1-A.6.8	Covered
(j) Multi-factor authentication and secure communications	A.8.5, A.8.20-A.8.22	Ensure MFA enforced for all critical systems

NIS2-specific additions beyond ISO 27001:

Incident reporting: 24-hour early warning to CSIRT, 72-hour incident notification, 1-month final report
Management accountability: Senior management must approve cybersecurity measures and undergo training
Penalties: Up to EUR 10M or 2% of global turnover for essential entities
Supply chain: Must assess each direct supplier's cybersecurity practices

See also:
../nis2-compliance-specialist/SKILL.md
for complete NIS2 implementation workflows.

Cloud Security Controls

AWS-Specific Controls

ISO 27001 Control	AWS Implementation	Service
A.5.23 Cloud services	AWS Organizations, SCPs	AWS Organizations
A.8.2 Privileged access	IAM roles, permission boundaries	AWS IAM
A.8.3 Access restriction	Resource policies, VPC endpoints	IAM, VPC
A.8.5 Secure authentication	IAM Identity Center, MFA	IAM
A.8.9 Configuration management	AWS Config rules, conformance packs	AWS Config
A.8.12 Data leakage prevention	Macie, S3 Block Public Access	Macie
A.8.13 Information backup	AWS Backup, cross-region replication	AWS Backup
A.8.15 Logging	CloudTrail, CloudWatch Logs	CloudTrail
A.8.16 Monitoring	GuardDuty, Security Hub	GuardDuty
A.8.20 Network security	Security Groups, NACLs, WAF	VPC, WAF
A.8.22 Network segregation	VPC subnets, Transit Gateway	VPC
A.8.24 Cryptography	KMS, CloudHSM, ACM	KMS

Azure-Specific Controls

ISO 27001 Control	Azure Implementation	Service
A.5.23 Cloud services	Management Groups, Azure Policy	Azure Policy
A.8.2 Privileged access	PIM, RBAC, Conditional Access	Entra ID
A.8.5 Secure authentication	Entra ID MFA, passwordless	Entra ID
A.8.9 Configuration management	Azure Policy, Blueprints	Azure Policy
A.8.12 Data leakage prevention	Microsoft Purview DLP	Purview
A.8.15 Logging	Azure Monitor, Log Analytics	Monitor
A.8.16 Monitoring	Microsoft Defender for Cloud	Defender
A.8.20 Network security	NSGs, Azure Firewall, Front Door WAF	Network
A.8.24 Cryptography	Azure Key Vault, Managed HSM	Key Vault

GCP-Specific Controls

ISO 27001 Control	GCP Implementation	Service
A.5.23 Cloud services	Organization policies, Resource Manager	Resource Manager
A.8.2 Privileged access	IAM, Workload Identity	Cloud IAM
A.8.5 Secure authentication	Identity Platform, 2-Step Verification	Identity
A.8.9 Configuration management	Security Health Analytics, Assured Workloads	SCC
A.8.12 Data leakage prevention	Cloud DLP (Sensitive Data Protection)	DLP
A.8.15 Logging	Cloud Audit Logs, Cloud Logging	Logging
A.8.16 Monitoring	Security Command Center, Chronicle SIEM	SCC
A.8.20 Network security	VPC firewall rules, Cloud Armor	VPC, Cloud Armor
A.8.24 Cryptography	Cloud KMS, Cloud HSM, CMEK	Cloud KMS

Zero Trust Architecture Integration

Align ISO 27001 controls with Zero Trust principles (NIST SP 800-207):

Zero Trust Pillars Mapped to ISO 27001

Zero Trust Pillar	Principle	ISO 27001 Controls	Implementation
Identity	Verify explicitly	A.5.16, A.5.17, A.8.5	MFA everywhere, continuous authentication, identity governance
Devices	Validate device health	A.8.1, A.8.7, A.8.9	Endpoint detection and response (EDR), device compliance checks
Networks	Segment and encrypt	A.8.20-A.8.22, A.8.24	Microsegmentation, mTLS, encrypted tunnels
Applications	Secure by design	A.8.25-A.8.29	SAST/DAST, runtime protection, API security
Data	Classify and protect	A.5.12, A.5.13, A.8.11, A.8.12	Data classification, DLP, rights management
Visibility	Monitor and analyze	A.8.15, A.8.16, A.5.7	SIEM/SOAR, threat intelligence, behavioral analytics

Zero Trust Implementation Roadmap

Phase 1: Foundation (0-6 months)
├── Implement identity provider with MFA for all users
├── Deploy EDR on all endpoints
├── Enable centralized logging and SIEM
└── Classify critical data assets

Phase 2: Enhancement (6-12 months)
├── Implement network microsegmentation
├── Deploy conditional access policies
├── Enable continuous device compliance monitoring
└── Implement DLP for classified data

Phase 3: Maturation (12-18 months)
├── Deploy zero-trust network access (ZTNA) replacing VPN
├── Implement just-in-time (JIT) privileged access
├── Enable automated threat response (SOAR)
└── Continuous verification with behavioral analytics

Hardware Security Key Requirements

FIDO2/WebAuthn Implementation

For high-assurance authentication per A.5.17 and A.8.5:

Requirement	Specification	Priority
Admin accounts	Hardware security key (YubiKey 5, Titan) mandatory	Critical
Developer accounts	Hardware key or platform authenticator	High
All employees	Hardware key recommended; MFA minimum	Medium
Service accounts	Certificate-based or workload identity	High

Supported standards:

FIDO2 / WebAuthn (passwordless primary authentication)
FIDO U2F (second-factor authentication)
PIV/Smart Card (legacy enterprise systems)
TOTP (fallback only — hardware keys preferred)

Deployment checklist:

Procure minimum 2 hardware keys per critical user (primary + backup)
Register keys with identity provider (Entra ID, Okta, Google Workspace)
Enforce phishing-resistant MFA policy for privileged access
Disable SMS/voice MFA for admin accounts
Document key recovery procedures
Test break-glass procedures with backup keys

Supply Chain Security Controls

ICT Supply Chain Risk Management (A.5.19-A.5.22)

Control Area	Requirements	Evidence
Supplier assessment	Security questionnaire + evidence review	Completed assessment scorecard
Contractual requirements	Security clauses in all vendor agreements	Signed agreements with security schedule
Software supply chain	SBOM requirements, dependency scanning	SBOM in CycloneDX/SPDX format
Continuous monitoring	Monitor supplier security posture changes	Quarterly supplier security reviews
Incident notification	Require supplier breach notification within 24 hours	Contractual clause + test exercises

Software Bill of Materials (SBOM) Requirements

Element	Description	Standard
Component inventory	All direct and transitive dependencies	CycloneDX or SPDX
Vulnerability tracking	Map components to known CVEs	OSV, NVD integration
License compliance	Track all open-source licenses	SPDX license identifiers
Update cadence	Regenerate SBOM on every release	CI/CD integration
Sharing	Provide SBOM to customers on request	Machine-readable format

Third-Party Risk Tiers

Tier	Access Level	Assessment Frequency	Assessment Depth
Critical	Processes/stores sensitive data, system access	Annual on-site + continuous monitoring	Full security audit, penetration test review
High	Access to internal systems or non-sensitive data	Annual questionnaire + evidence	Security questionnaire + SOC 2 report review
Medium	Limited access, SaaS tools	Biennial questionnaire	Security questionnaire
Low	No data access, no system access	On onboarding	Basic due diligence

Cross-Framework Mapping Table

Requirement Area	ISO 27001:2022	SOC 2 TSC	NIST CSF 2.0	NIS2 (Art. 21)
Governance	A.5.1-A.5.4	CC1.1-CC1.5	GV.OC, GV.RM	Art. 20
Risk management	Clause 6.1.2, A.5.7	CC3.1-CC3.4	ID.RA	Art. 21(2)(a)
Access control	A.5.15-A.5.18, A.8.2-A.8.5	CC6.1-CC6.8	PR.AA	Art. 21(2)(i)
Incident management	A.5.24-A.5.28	CC7.3-CC7.5	RS.MA, RS.AN	Art. 21(2)(b), Art. 23
Business continuity	A.5.29-A.5.30	A1.1-A1.3	RC.RP	Art. 21(2)(c)
Supply chain	A.5.19-A.5.22	CC9.1-CC9.2	GV.SC	Art. 21(2)(d)
Cryptography	A.8.24	CC6.1, CC6.7	PR.DS	Art. 21(2)(h)
Network security	A.8.20-A.8.22	CC6.6	PR.IR	Art. 21(2)(e)
Vulnerability management	A.8.8	CC7.1	ID.RA-01	Art. 21(2)(e)
Awareness and training	A.6.3	CC1.4	PR.AT	Art. 21(2)(g)
Logging and monitoring	A.8.15-A.8.16	CC7.2	DE.CM, DE.AE	Art. 21(2)(f)
Data protection	A.5.34, A.8.10-A.8.12	P1-P8	PR.DS	Art. 21(2)(e)
Secure development	A.8.25-A.8.29	CC8.1	PR.DS	Art. 21(2)(e)
Asset management	A.5.9-A.5.11	CC6.1	ID.AM	Art. 21(2)(a)

Cross-references: See
../gdpr-dsgvo-expert/SKILL.md
for GDPR privacy controls mapping, and
../risk-management-specialist/SKILL.md
for ISO 14971 risk management integration with ISO 27001.

ISO 27001:2022 Enhanced Controls & Cross-Framework Integration

Annex A Control Themes (93 Controls)

Theme	Controls	Key Areas
Organizational (37)	A.5.1-A.5.37	Policies, roles, threat intelligence, asset management, access, supplier security
People (8)	A.6.1-A.6.8	Screening, T&C, awareness, disciplinary, termination, remote work, reporting
Physical (14)	A.7.1-A.7.14	Perimeters, entry, offices, monitoring, utilities, cabling, equipment, storage media
Technological (34)	A.8.1-A.8.34	Endpoints, access, authentication, code, config, data, backup, logging, networks, web

Hardware Security Key Requirements

YubiKey 5 Series: Required for admin accounts, cloud console access, VPN, code signing
FIDO2/WebAuthn: Phishing-resistant MFA for all users within 90 days of ISMS deployment
Policy: SMS/voice MFA PROHIBITED (SIM swapping risk). TOTP acceptable as interim for non-admin
Backup Keys: Minimum 2 hardware keys per user (primary + backup stored securely)
Recovery: Manager approval + identity verification required for key replacement

Zero Trust Architecture Integration

Never Trust, Always Verify: All access decisions based on identity, device, and context
Microsegmentation: Network segmentation at workload level, not just network perimeter
Least Privilege: Just-in-time access, time-bounded permissions, automated deprovisioning
Continuous Verification: Session-level authentication, device health checks, behavioral analytics

Cross-Framework Mapping (ISO 27001 ↔ SOC 2 ↔ NIST CSF ↔ NIS2)

ISO 27001	SOC 2 TSC	NIST CSF 2.0	NIS2 Art.21
A.5.1 Policies	CC1.1	GV.PO	Art.21.2.a
A.5.23 Cloud security	CC6.7	PR.DS	Art.21.2.e
A.5.24 Incident mgmt	CC7.4	RS.MA	Art.21.2.b
A.6.3 Awareness	CC1.4	PR.AT	Art.21.2.g
A.8.5 Authentication	CC6.1	PR.AA	Art.21.2.j
A.8.9 Config mgmt	CC8.1	PR.PS	Art.21.2.e
A.8.15 Logging	CC7.2	DE.CM	Art.21.2.b
A.8.24 Cryptography	CC6.7	PR.DS	Art.21.2.h

Supply Chain Security Controls

Supplier Risk Assessment: Due diligence before onboarding, annual reassessment
Contractual Security Clauses: Data protection, incident reporting, audit rights, exit terms
Continuous Monitoring: Vendor security ratings, certificate expiry alerts, breach notifications
SBOM Requirements: Software Bill of Materials for all third-party software components

Troubleshooting

Problem	Possible Cause	Resolution
Compliance checker shows low score despite documented policies	Controls documented but not implemented or operating effectively; evidence of operation missing	Focus on evidence of control operation (logs, reports, screenshots) rather than just policy documents; run `compliance_checker.py --gap-analysis` to identify implementation gaps
Risk assessment generates excessive number of high/critical risks	Asset classification overly conservative or threat likelihood ratings not calibrated to organization context	Calibrate likelihood and impact scales to actual organizational experience; review threat catalog against industry benchmarks; use `--template healthcare` or `--template cloud` for context-appropriate threat catalogs
Stage 1 audit identifies significant documentation gaps	ISMS documentation not aligned with ISO 27001:2022 clause structure or missing mandatory documented information	Review the 2022 mandatory documentation list (information security policy, SoA, risk assessment methodology, risk treatment plan); ensure clause 4-10 documentation uses the 2022 structure
Transitioning from ISO 27001:2013 -- controls do not map	2022 revision restructured 114 controls into 93 across 4 themes; some controls merged or renamed	Use the 11 new controls list as starting point; map merged controls; update Statement of Applicability to reflect 4-theme structure (Organizational, People, Physical, Technological)
Cloud security controls insufficient for multi-cloud environment	Generic controls applied without cloud-provider-specific implementation	Map ISO 27001 controls to provider-specific services (AWS: GuardDuty, Config; Azure: Defender, Policy; GCP: SCC, DLP); use the cloud-specific control tables in this skill
Zero Trust implementation conflicts with existing network architecture	Legacy perimeter-based security model incompatible with microsegmentation	Follow the phased Zero Trust roadmap (Foundation 0-6mo, Enhancement 6-12mo, Maturation 12-18mo); start with identity and MFA before network changes
Supply chain security assessment overwhelmed by vendor count	No vendor risk tiering applied; all vendors assessed at same depth	Apply the Third-Party Risk Tiers (Critical, High, Medium, Low); focus full security audits on Critical tier; use questionnaires for Medium/Low

Success Criteria

Overall compliance score above 85% -- as measured by
```
compliance_checker.py
```
, with all high-priority controls implemented and operating effectively
Risk register complete with assigned owners for all high/critical risks -- every risk assessed using Likelihood x Impact methodology with documented treatment plans and target remediation dates
Statement of Applicability current and approved -- covering all 93 Annex A controls with justification for inclusion/exclusion, aligned with the 2022 four-theme structure
Internal audit conducted annually -- covering all ISMS clauses (4-10) and all Annex A controls within the 3-year certification cycle, with findings documented and corrective actions tracked
Management review completed with documented outputs -- including ISMS performance metrics, audit findings, risk treatment status, and improvement decisions
Security awareness training completion rate above 95% -- all personnel trained annually with records maintained; specialized training for security and IT staff
Incident response tested and validated -- at least one tabletop exercise or simulation annually; post-incident reviews conducted for all actual incidents; lessons learned documented and implemented

Scope & Limitations

In Scope:

ISO 27001:2022 ISMS implementation guidance including all 93 Annex A controls across 4 themes
Security risk assessment following ISO 27001 Clause 6.1.2 methodology with configurable threat catalogs (general, healthcare, cloud)
Compliance checking and gap analysis against ISO 27001 and ISO 27002 controls
Cross-framework mapping to SOC 2 TSC, NIST CSF 2.0, and NIS2 Directive
Cloud-specific security controls for AWS, Azure, and GCP
Zero Trust architecture integration with phased implementation roadmap
Hardware security key (FIDO2/WebAuthn) requirements and deployment guidance
Supply chain security controls including SBOM requirements and vendor risk tiering

Out of Scope:

ISO 27001 certification audit execution -- this skill provides preparation guidance, not audit services
Implementation of specific security tools (SIEM, EDR, DLP, WAF) -- this skill maps requirements to tool categories
Penetration testing or vulnerability scanning execution -- use
```
infrastructure-compliance-auditor
```
for technical checks
ISO 27701 (privacy information management), ISO 27017 (cloud security), or ISO 27018 (cloud privacy) implementation beyond cross-reference
Physical security system design or installation beyond control requirements

Important Notes:

The ISO 27001:2013 to 2022 transition deadline was October 2025; all certifications must now conform to the 2022 edition
The 2022 revision introduced 11 entirely new controls, notably A.5.7 (Threat intelligence), A.5.23 (Cloud services), A.8.9 (Configuration management), A.8.16 (Monitoring activities), and A.8.28 (Secure coding)
Integration with other standards (ISO 27701, ISO 42001, ISO 9001) via the harmonized Annex SL structure is becoming standard practice

Integration Points

Skill	Integration	When to Use
`isms-audit-expert`	Internal and external ISMS audit management; control testing and finding management	When planning or executing ISO 27001 audits and tracking corrective actions
`infrastructure-compliance-auditor`	Technical infrastructure checks validate ISO 27001 Annex A technological controls	When assessing actual infrastructure security posture against ISO 27001 requirements
`soc2-compliance-expert`	SOC 2 Trust Services Criteria mapped to ISO 27001 controls for dual compliance	When organization requires both ISO 27001 certification and SOC 2 Type II report
`gdpr-dsgvo-expert`	GDPR Art. 32 security of processing aligned with ISO 27001 controls; A.5.34 PII protection	When ISMS must support GDPR compliance requirements
`nist-csf-specialist`	NIST CSF 2.0 functions mapped to ISO 27001 for organizations with US operations	When building unified security framework across ISO 27001 and NIST CSF
`dora-compliance-expert`	ISO 27001 controls support DORA Pillar 1 (ICT Risk Management) requirements for financial entities	When financial entity uses ISO 27001 as foundation for DORA compliance

Tool Reference

risk_assessment.py

Automated security risk assessment following ISO 27001 Clause 6.1.2 methodology.

Flag	Required	Description
`--scope <name>`	Yes (unless `--assets` )	System or area to assess (e.g., `cloud-infrastructure` , `ehr-system` , `patient-data-system` )
`--template <type>`	No	Assessment template: `general` (default), `healthcare` , `cloud` -- each provides context-appropriate threat catalogs
`--assets <file>`	No	CSV file with asset inventory (columns: asset_id, name, type, owner, classification)
`--output <file>`	No	Output file path (default: stdout)
`--format <fmt>`	No	Output format: `json` (default), `csv` , `markdown`

Output: Asset inventory with classification, threat and vulnerability mapping, risk scores (Likelihood x Impact on 1-5 scale), treatment recommendations per risk level, and residual risk calculations.

compliance_checker.py

Verifies ISO 27001/27002 control implementation status with gap analysis and remediation recommendations.

Flag	Required	Description
`--standard <std>`	Yes	Standard to check: `iso27001` , `iso27002` , `hipaa`
`--controls-file <file>`	No	CSV file with current control implementation status
`--gap-analysis`	No	Include detailed remediation recommendations in output
`--domains <domains>`	No	Comma-separated specific control domains to check (e.g., `access-control,cryptography` )
`--output <file>`	No	Output file path for compliance report

Output: Control implementation status per domain, compliance percentage by theme/domain, gap analysis with priorities (when

--gap-analysis

flag used), and remediation recommendations mapped to ISO 27002 control guidance.

Claude-Skills information-security-manager-iso27001

Information Security Manager - ISO 27001

Table of Contents

Trigger Phrases

Quick Start

Run Security Risk Assessment

Check Compliance Status

Generate Gap Analysis Report

Tools

risk_assessment.py

compliance_checker.py

Workflows

Workflow 1: ISMS Implementation

Workflow 2: Security Risk Assessment

Workflow 3: Incident Response

Reference Guides

When to Use Each Reference

Validation Checkpoints

ISMS Implementation Validation

Certification Readiness

Compliance Verification

Worked Example: Healthcare Risk Assessment

Step 1: Define Assets

Step 2: Identify Risks

Step 3: Determine Treatment

Step 4: Verify Implementation

ISO 27001:2022 Annex A Controls — Complete Reference

Theme 1: Organizational Controls (37 controls)

Theme 2: People Controls (8 controls)

Theme 3: Physical Controls (14 controls)

Theme 4: Technological Controls (34 controls)

New Controls in ISO 27001:2022

Cross-Reference: SOC 2 Control Mapping

Cross-Reference: NIS2 Directive Alignment

Cloud Security Controls

AWS-Specific Controls

Azure-Specific Controls

GCP-Specific Controls

Zero Trust Architecture Integration

Zero Trust Pillars Mapped to ISO 27001

Zero Trust Implementation Roadmap

Hardware Security Key Requirements

FIDO2/WebAuthn Implementation

Supply Chain Security Controls

ICT Supply Chain Risk Management (A.5.19-A.5.22)

Software Bill of Materials (SBOM) Requirements

Third-Party Risk Tiers

Cross-Framework Mapping Table

ISO 27001:2022 Enhanced Controls & Cross-Framework Integration

Annex A Control Themes (93 Controls)

Hardware Security Key Requirements

Zero Trust Architecture Integration

Cross-Framework Mapping (ISO 27001 ↔ SOC 2 ↔ NIST CSF ↔ NIS2)

Supply Chain Security Controls

Troubleshooting

Success Criteria

Scope & Limitations

Integration Points

Tool Reference

risk_assessment.py

compliance_checker.py