Awesome-omni-skill compliance-frameworks
ISO 27001, NIST CSF 2.0, CIS Controls v8.1, EU CRA compliance mapping, multi-standard alignment per Hack23 ISMS policies
Install
Source: clone the upstream repo
```shell
git clone https://github.com/diegosouzapw/awesome-omni-skill
```
Claude Code: install into ~/.claude/skills/
```shell
T=$(mktemp -d) \
  && git clone --depth=1 https://github.com/diegosouzapw/awesome-omni-skill "$T" \
  && mkdir -p ~/.claude/skills \
  && cp -r "$T/skills/testing-security/compliance-frameworks" ~/.claude/skills/diegosouzapw-awesome-omni-skill-compliance-frameworks \
  && rm -rf "$T"
```
Manifest: skills/testing-security/compliance-frameworks/SKILL.md
Compliance Frameworks Skill
Context
This skill applies when:
- Mapping security controls to compliance frameworks
- Creating compliance documentation
- Conducting compliance audits
- Implementing EU Cyber Resilience Act (CRA) requirements
- Generating compliance evidence portfolios
- Responding to compliance questionnaires
- Preparing for security certifications
This skill enforces Hack23 ISMS policies for multi-standard compliance alignment.
Rules
1. ISO 27001:2022 (Secure Development Policy 📜)
- A.5: Organizational controls (policies, roles)
- A.8: Asset management (handling, classification, deletion)
- A.12: Operations security (change management, vulnerabilities)
- A.13: Communications security (network controls, encryption)
- A.14: System acquisition and development (secure SDLC)
2. NIST Cybersecurity Framework 2.0 (Secure Development Policy 📜)
- GOVERN: Risk management, policy, oversight
- IDENTIFY: Asset management, risk assessment
- PROTECT: Access control, data security, awareness
- DETECT: Continuous monitoring, anomaly detection
- RESPOND: Incident analysis, mitigation, communication
- RECOVER: Recovery planning, improvements, communications
3. CIS Controls v8.1 (Secure Development Policy 📜)
- IG1 (Implementation Group 1): Basic cyber hygiene (8 controls)
- IG2 (Implementation Group 2): Medium-sized organizations (56 additional controls)
- IG3 (Implementation Group 3): Large organizations/high security (additional 64 controls)
4. EU Cyber Resilience Act (Open Source Policy 🛡️)
- Conformity Assessment: CE marking for digital products
- Security Updates: Timely vulnerability patching
- Risk Management: Classification-based security requirements
- Documentation: Technical documentation for 10 years
- Incident Reporting: Report actively exploited vulnerabilities
Examples
✅ Good Pattern: ISO 27001:2022 Control Mapping
```typescript
/**
 * ISO 27001:2022 Control Implementation Matrix
 *
 * ISMS Policy: Compliance Framework Integration
 * Evidence: https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md#compliance-framework-integration
 */
const iso27001Controls = {
  // A.5 Organizational Controls
  'A.5.1': {
    control: 'Policies for information security',
    implementation: 'SECURITY.md, Open_Source_Policy.md, Secure_Development_Policy.md',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/Open_Source_Policy.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },

  // A.8 Asset Management
  'A.8.3': {
    control: 'Handling of assets',
    implementation: 'Input validation with Zod, data classification per Data_Classification_Policy.md',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/validation/',
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  'A.8.10': {
    control: 'Information deletion',
    implementation: 'LRU cache with TTL, GDPR right to erasure support',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/cache.ts',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/skills/gdpr-compliance/SKILL.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },

  // A.12 Operations Security
  'A.12.1.2': {
    control: 'Change management',
    implementation: 'GitHub PRs, code review, CI/CD pipeline',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/workflows/',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/PULL_REQUEST_TEMPLATE.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  'A.12.6.1': {
    control: 'Management of technical vulnerabilities',
    implementation: 'Dependabot, npm audit, CodeQL, vulnerability remediation SLAs',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/security/dependabot',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/workflows/codeql.yml',
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md#vulnerability-management'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },

  // A.13 Communications Security
  'A.13.1.1': {
    control: 'Network controls',
    implementation: 'HTTPS only for EP API, TLS 1.3, no open network ports',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/api/client.ts',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY_HEADERS.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },

  // A.14 System Acquisition, Development and Maintenance
  'A.14.2.1': {
    control: 'Secure development policy',
    implementation: 'Secure_Development_Policy.md, security by design, threat modeling',
    evidence: [
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/THREAT_MODEL.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  'A.14.2.5': {
    control: 'Secure system engineering principles',
    implementation: 'Defense in depth, fail secure, input validation, least privilege',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/ARCHITECTURE.md',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/skills/security-by-design/SKILL.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  }
};

// Export for compliance reporting
export function generateISO27001Report(): string {
  const implemented = Object.values(iso27001Controls).filter(c => c.status === 'Implemented').length;
  const total = Object.keys(iso27001Controls).length;

  return `
# ISO 27001:2022 Compliance Report

**Project**: European Parliament MCP Server
**Date**: ${new Date().toISOString()}
**Status**: ${implemented}/${total} controls implemented (${Math.round(implemented / total * 100)}%)

## Control Implementation Summary

${Object.entries(iso27001Controls).map(([id, control]) => `
### ${id}: ${control.control}

**Implementation**: ${control.implementation}
**Status**: ${control.status}
**Last Review**: ${control.lastReview}
**Evidence**:
${control.evidence.map(e => `- ${e}`).join('\n')}
`).join('\n')}

## Compliance Statement

This system implements security controls aligned with ISO 27001:2022 standard, demonstrating commitment to information security management per [Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC).
`;
}
```
Policy Reference: Secure Development Policy Section 📜
Evidence: CIA ISO 27001 Mapping
✅ Good Pattern: NIST CSF 2.0 Function Mapping
```typescript
/**
 * NIST Cybersecurity Framework 2.0 Implementation
 *
 * Functions: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
 */
const nistCSF2Mapping = {
  // GOVERN (GV)
  'GV.OC-01': {
    function: 'GOVERN',
    category: 'Organizational Context',
    subcategory: 'Organizational mission, objectives, and activities are understood',
    implementation: 'ISMS policies define organizational security requirements',
    evidence: 'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md'
  },
  'GV.RM-01': {
    function: 'GOVERN',
    category: 'Risk Management',
    subcategory: 'Risk management objectives are established',
    implementation: 'Threat modeling, risk register, classification framework',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/THREAT_MODEL.md',
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Risk_Register.md'
    ]
  },

  // IDENTIFY (ID)
  'ID.AM-01': {
    function: 'IDENTIFY',
    category: 'Asset Management',
    subcategory: 'Physical devices and systems are inventoried',
    implementation: 'SBOM generation, dependency tracking, asset inventory',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/releases',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/package-lock.json'
    ]
  },
  'ID.RA-01': {
    function: 'IDENTIFY',
    category: 'Risk Assessment',
    subcategory: 'Vulnerabilities are identified and documented',
    implementation: 'CodeQL scanning, Dependabot, npm audit, OSSF Scorecard',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/security/code-scanning',
      'https://securityscorecards.dev/viewer/?uri=github.com/Hack23/European-Parliament-MCP-Server'
    ]
  },

  // PROTECT (PR)
  'PR.AC-01': {
    function: 'PROTECT',
    category: 'Access Control',
    subcategory: 'Identities and credentials are issued, managed, and verified',
    implementation: 'MCP stdio transport (process-level isolation), no network auth needed',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/index.ts'
  },
  'PR.DS-01': {
    function: 'PROTECT',
    category: 'Data Security',
    subcategory: 'Data-at-rest is protected',
    implementation: 'HTTPS for transit, no persistent storage of personal data',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/api/client.ts'
  },

  // DETECT (DE)
  'DE.CM-01': {
    function: 'DETECT',
    category: 'Continuous Monitoring',
    subcategory: 'Networks and network services are monitored',
    implementation: 'Audit logging, error monitoring, GDPR access logs',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/audit.ts'
  },

  // RESPOND (RS)
  'RS.AN-01': {
    function: 'RESPOND',
    category: 'Analysis',
    subcategory: 'Notifications are investigated',
    implementation: 'Vulnerability disclosure process, security incident response',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md'
  },

  // RECOVER (RC)
  'RC.RP-01': {
    function: 'RECOVER',
    category: 'Recovery Planning',
    subcategory: 'Recovery plan is executed',
    implementation: 'Incident response procedures, backup and restore capabilities',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md#incident-response'
  }
};
```
Policy Reference: Secure Development Policy Section 📜
Evidence: Black Trigram NIST CSF Mapping
✅ Good Pattern: CIS Controls v8.1 Implementation
```typescript
/**
 * CIS Controls v8.1 Safeguards
 * Implementation Groups: IG1 (Basic), IG2 (Foundational), IG3 (Organizational)
 */
const cisControlsMapping = {
  // CIS Control 1: Inventory and Control of Enterprise Assets
  '1.1': {
    control: 'Establish and Maintain Detailed Enterprise Asset Inventory',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'SBOM generation with CycloneDX, dependency tracking',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/releases/latest/download/sbom.json'
  },

  // CIS Control 2: Inventory and Control of Software Assets
  '2.1': {
    control: 'Establish and Maintain Software Inventory',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'package.json, package-lock.json, SBOM',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/package.json'
  },
  '2.3': {
    control: 'Address Unauthorized Software',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'License scanning with FOSSA, approved license list enforcement',
    evidence: [
      'https://app.fossa.com/projects/git%2Bgithub.com%2FHack23%2FEuropean-Parliament-MCP-Server',
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md#approved-licenses'
    ]
  },

  // CIS Control 3: Data Protection
  '3.1': {
    control: 'Establish and Maintain Data Management Process',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'Data classification, GDPR compliance, data minimization',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/skills/gdpr-compliance/SKILL.md'
  },
  '3.3': {
    control: 'Configure Data Access Control Lists',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'Least privilege, process-level isolation via stdio',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/index.ts'
  },

  // CIS Control 8: Audit Log Management
  '8.2': {
    control: 'Collect Audit Logs',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'Structured audit logging for all security events',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/audit.ts'
  },
  '8.5': {
    control: 'Collect Detailed Audit Logs',
    safeguard: 'Foundational',
    ig: 'IG2',
    implementation: 'Detailed logs with timestamps, event types, actors, outcomes',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/audit.ts'
  },

  // CIS Control 16: Application Software Security
  '16.1': {
    control: 'Establish and Maintain Secure Application Development Process',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'Secure Development Policy, security by design, threat modeling',
    evidence: 'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md'
  },
  '16.10': {
    control: 'Apply Secure Design Principles in Application Architectures',
    safeguard: 'Foundational',
    ig: 'IG2',
    implementation: 'Defense in depth, fail secure, input validation, least privilege',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/ARCHITECTURE.md',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/skills/security-by-design/SKILL.md'
    ]
  }
};
```
Policy Reference: Secure Development Policy Section 📜
✅ Good Pattern: EU Cyber Resilience Act (CRA) Compliance
```typescript
/**
 * EU Cyber Resilience Act Conformity Assessment
 *
 * ISMS Policy: Open Source Policy Section 🛡️
 * Evidence: https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md#cra-conformity-assessment-evidence
 */
const craCompliance = {
  product: 'European Parliament MCP Server',
  classification: 'Important (Class I)', // Based on risk assessment

  // Essential Requirements
  essentialRequirements: {
    security: {
      'Art. 10': {
        requirement: 'Products with digital elements shall be delivered without known exploitable vulnerabilities',
        implementation: 'CodeQL scanning, Dependabot, npm audit, OSSF Scorecard ≥7.0',
        evidence: [
          'https://github.com/Hack23/European-Parliament-MCP-Server/security/code-scanning',
          'https://securityscorecards.dev/viewer/?uri=github.com/Hack23/European-Parliament-MCP-Server'
        ]
      },
      'Art. 11': {
        requirement: 'Products shall be delivered with a secure by default configuration',
        implementation: 'Security by design, threat modeling, input validation mandatory',
        evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/THREAT_MODEL.md'
      }
    },
    updates: {
      'Art. 12': {
        requirement: 'Manufacturers shall provide security updates for the expected lifetime',
        implementation: 'Dependabot automated updates, 5-year support lifecycle',
        evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md#supported-versions'
      }
    },
    documentation: {
      'Art. 13': {
        requirement: 'Technical documentation shall be maintained for 10 years',
        implementation: 'SECURITY_ARCHITECTURE.md, THREAT_MODEL.md, compliance mappings maintained in git',
        evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server'
      }
    },
    incidentReporting: {
      'Art. 14': {
        requirement: 'Actively exploited vulnerabilities shall be reported within 24 hours',
        implementation: 'Vulnerability disclosure process, CSIRT coordination',
        evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md#reporting-a-vulnerability'
      }
    }
  },

  // Conformity Assessment
  conformityAssessment: {
    type: 'Module A (Internal Control)', // For Class I products
    ceMarking: false, // Not required for open source tools
    declarationOfConformity: true,
    technicalDocumentation: {
      description: 'European Parliament MCP Server - Model Context Protocol server for parliamentary data',
      architecture: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY_ARCHITECTURE.md',
      threatModel: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/THREAT_MODEL.md',
      sbom: 'https://github.com/Hack23/European-Parliament-MCP-Server/releases/latest/download/sbom.json'
    }
  }
};
```
Policy Reference: Open Source Policy Section 🛡️
Anti-Patterns
❌ Bad: No Compliance Mapping
```typescript
// Just code, no compliance documentation
```
❌ Bad: Outdated Compliance Evidence
```typescript
// Last compliance review: 2022 (more than 1 year old!)
```
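The two anti-patterns above are mechanically checkable. This added example (not code from the skill or from the Hack23 projects) lints a mapping in the shape the matrices above use, flagging controls with no evidence, non-HTTPS evidence links or a review older than a year, and builds the cross-framework evidence index that makes one artifact count towards ISO, NIST, CIS and CRA at once. The framework labels, control ids, dates and URLs in the sample are constructed.

```typescript
// Added example, not part of the skill or the Hack23 projects: lint a multi-framework
// control mapping for the anti-patterns above and index evidence across frameworks.
// Framework names, control ids, dates and URLs in the sample are constructed.
type Framework = 'ISO27001' | 'NISTCSF2' | 'CISv8' | 'EUCRA';
interface ControlEntry {
  framework: Framework;
  id: string;                   // e.g. 'A.8.3', 'ID.RA-01', '2.3', 'Art. 10'
  evidence: string | string[];  // the mappings above use both shapes
  lastReview?: string;          // ISO date such as '2026-02-16'
}
interface Finding { framework: Framework; id: string; issue: string }
const MAX_REVIEW_AGE_DAYS = 365; // "more than 1 year old" counts as stale

// Normalise the string-or-array evidence shape and drop blank entries.
export function evidenceList(e: string | string[]): string[] {
  return (Array.isArray(e) ? e : [e]).map(u => u.trim()).filter(u => u.length > 0);
}

// One finding per defect. `now` is injected so results are reproducible in CI.
export function lintMapping(entries: ControlEntry[], now: Date): Finding[] {
  const findings: Finding[] = [];
  for (const c of entries) {
    const flag = (issue: string) => findings.push({ framework: c.framework, id: c.id, issue });
    const ev = evidenceList(c.evidence);
    if (ev.length === 0) flag('no evidence');
    for (const u of ev) if (!u.startsWith('https://')) flag(`non-https evidence: ${u}`);
    if (!c.lastReview) { flag('no lastReview date'); continue; }
    const ageDays = (now.getTime() - Date.parse(c.lastReview)) / 86_400_000;
    if (Number.isNaN(ageDays)) flag(`unparseable lastReview: ${c.lastReview}`);
    else if (ageDays > MAX_REVIEW_AGE_DAYS) flag(`review stale (${Math.floor(ageDays)} days old)`);
  }
  return findings;
}

// Crosswalk: for each evidence artifact, every control (in any framework) it backs.
export function evidenceIndex(entries: ControlEntry[]): Map<string, string[]> {
  const idx = new Map<string, string[]>();
  for (const c of entries) {
    for (const u of evidenceList(c.evidence)) {
      const refs = idx.get(u) ?? [];
      refs.push(`${c.framework}:${c.id}`);
      idx.set(u, refs);
    }
  }
  return idx;
}

// Constructed sample portfolio: two healthy entries sharing one artifact, one with a
// non-https link and a 2022 review, and one with no evidence at all.
export const sampleEntries: ControlEntry[] = [
  { framework: 'ISO27001', id: 'A.14.2.1', evidence: 'https://example.org/Secure_Development_Policy.md', lastReview: '2026-02-16' },
  { framework: 'CISv8', id: '16.1', evidence: ['https://example.org/Secure_Development_Policy.md'], lastReview: '2026-02-16' },
  { framework: 'NISTCSF2', id: 'PR.AC-01', evidence: 'http://example.org/index.ts', lastReview: '2022-01-01' },
  { framework: 'EUCRA', id: 'Art. 14', evidence: [], lastReview: '2026-02-16' },
];
```

Running `lintMapping(sampleEntries, new Date())` in CI and failing the build on any finding turns the "outdated evidence" anti-pattern into a gate rather than a review note.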
Evidence Portfolio
Reference Implementations
- Citizen Intelligence Agency (CIA)
- Black Trigram Game
  - Compliance Dashboard: https://github.com/Hack23/blacktrigram/blob/main/COMPLIANCE.md
- CIA Compliance Manager
  - Multi-Framework Mapping: https://github.com/Hack23/cia-compliance-manager/blob/main/COMPLIANCE_MAPPING.md
Policy Documents
- Secure Development Policy: https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md
- Open Source Policy: https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md
- ISMS-PUBLIC Repository: https://github.com/Hack23/ISMS-PUBLIC
ISMS Compliance
This skill enforces:
- CF-001: ISO 27001:2022 control mapping
- CF-002: NIST CSF 2.0 function alignment
- CF-003: CIS Controls v8.1 safeguards
- CF-004: EU CRA conformity assessment
Policy Reference: Hack23 ISMS-PUBLIC