| name | isms-compliance |
| description | Hack23 ISMS alignment — ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1, GDPR, NIS2, EU CRA — with policy citations |
| license | MIT |
ISMS Compliance Skill
Context
Applies when adding features, dependencies, or security controls; editing security code; documenting architecture; touching CI/CD; or handling any sensitive data.
All practices align with Hack23 AB's ISMS-PUBLIC, implementing ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1, GDPR, NIS2, and EU CRA readiness.
Policy Catalogue (cite the one that applies)
Rules
- Reference ISMS Policies — security-relevant code, docs, and PRs must cite the applicable policy (e.g., "ISMS: SDP §Phase 3")
- Defense in Depth — stack validation + sanitization + encoding + CSP + headers
- Document Decisions — ADRs and threat models cite ISMS policies
- Verify Dependencies —
npm audit + npm run test:licenses + GitHub Advisory DB before adding
- Security Headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options (see
SECURITY_HEADERS.md)
- Secure Defaults — unused features off; risky options explicit opt-in
- Least Privilege — minimum token scopes, minimum workflow permissions, minimum tool scopes
- Validate All Inputs — never trust user input (validate / sanitize / encode)
- Encrypt Sensitive Data — AES-256 at rest, TLS 1.3+ in transit, SHA-256+ hashing
- Log Security Events — auth, authorization failures, security-relevant events; never secrets/PII
- Secure SDLC — security baked into design → dev → test → deploy → operate
- Test Security Controls — ≥ 95 % coverage on security-sensitive paths
- Patch within SLA — Critical ≤ 7 d, High ≤ 30 d, Medium ≤ 90 d
- No Production Data in Tests — anonymize / synthesize
Secure SDLC Phase Gates (per SDP)
| Phase | Gate |
|---|
| Plan & Design | Classification (CIA triad) + threat model + policy links |
| Develop | OWASP-aligned, typed, no hardcoded secrets, least-privilege tokens |
| Test | CodeQL clean, npm audit clean, coverage ≥ 80 / 70 (≥ 95 % security) |
| Deploy | SHA-pinned Actions, SLSA L3 attestations, SBOM + SBOMQS ≥ 7.0 |
| Operate | Scorecard ≥ 8.0, Dependabot green, patch SLAs honored, incident drills |
Compliance Framework Mapping
ISO 27001:2022 — A.5.23, A.5.30, A.8.25, A.8.28, A.8.29, A.8.30, A.8.31, A.8.32
NIST CSF 2.0 — GV (govern), ID.AM, PR.DS, PR.IR, DE.CM, RS.AN, RC.RP
CIS Controls v8.1 — 2, 3, 4, 6, 7, 8, 11, 16, 18
EU CRA — SBOM, CVE handling, security updates, conformity self-assessment
Example: ISMS-Cited Code
export function saveHighScore(score: number): void {
if (!Number.isFinite(score) || score < 0) {
throw new RangeError('Invalid score value');
}
localStorage.setItem('highScore', String(Math.floor(score)));
}
Validation Checklist