| name | isms-compliance |
| description | ISMS policy alignment and compliance verification for Hack23 AB security standards (ISO 27001, NIST CSF 2.0, CIS Controls v8.1) |
| license | MIT |
ISMS Compliance Skill
Context
This skill applies when:
- Adding new features, dependencies, or security controls
- Documenting security practices or policies
- Conducting security reviews or audits
- Implementing authentication, authorization, or cryptography
- Handling sensitive data or user information
- Creating security documentation or policy references
All security practices in this repository align with Hack23 AB's Information Security Management System (ISMS) implementing ISO 27001:2022, NIST CSF 2.0, and CIS Controls v8.1.
Rules
- Reference ISMS Policies: Every security-related code change must reference applicable ISMS policies in comments or documentation
- Follow Defense in Depth: Implement multiple layers of security controls (input validation + rate limiting + audit logging + access control)
- Document Security Decisions: All security architecture decisions must be documented with ISMS policy references
- Verify Dependencies: All new dependencies must be checked for known vulnerabilities before addition
- Maintain Security Headers: Always configure security headers for HTTP responses (when applicable)
- Implement Secure Defaults: All configurations must be secure by default (disable unused features, minimize attack surface)
- Apply Least Privilege: Grant minimal permissions required for functionality
- Validate All Inputs: Never trust user input - validate, sanitize, and encode on both client and server
- Encrypt Sensitive Data: Use strong encryption (AES-256) for data at rest and TLS 1.3+ for data in transit
- Log Security Events: Log authentication attempts, authorization failures, and security-relevant events
- Follow Secure SDLC: Integrate security at every phase (design, development, testing, deployment)
- Conduct Code Reviews: All security-related code requires peer review before merge
- Test Security Controls: Write tests for authentication, authorization, input validation, and encryption
- Document Threat Model: Identify and document threats, vulnerabilities, and mitigations
- Maintain Audit Trail: Keep immutable logs of security events for compliance and forensics
Examples
✅ Good Pattern: ISMS Policy Reference in Code
export class InputValidationService {
private readonly MAX_QUERY_LENGTH = 200;
private readonly ALLOWED_CHARS = /^[a-zA-Z0-9\s\-_.]+$/;
validateSearchQuery(query: string): string {
if (typeof query !== 'string') {
throw new ValidationError('Query must be a string');
}
if (query.length > this.MAX_QUERY_LENGTH) {
throw new ValidationError(`Query exceeds maximum length of ${this.MAX_QUERY_LENGTH}`);
}
if (!this.ALLOWED_CHARS.test(query)) {
throw new ValidationError('Query contains invalid characters');
}
return query.trim();
}
}
✅ Good Pattern: Security Documentation
## Security Architecture
### Authentication & Authorization
- **Policy**: [Access Control Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Access_Control_Policy.md)
- **Implementation**: API key authentication with rate limiting
- **Compliance**: ISO 27001:2022 A.5.15, NIST CSF PR.AC-1
### Data Protection
- **Policy**: [Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md) + [Cryptography Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Cryptography_Policy.md)
- **Encryption**: TLS 1.3 for all API communications
- **Compliance**: ISO 27001:2022 A.8.24, NIST CSF PR.DS-1
### Input Validation
- **Policy**: [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md)
- **Implementation**: Zod whitelist validation for all inputs
- **Compliance**: OWASP API Security Top 10 (API1:2023)
✅ Good Pattern: Input Validation with ISMS Reference
export function validateDocumentId(id: string): string {
if (typeof id !== 'string') {
throw new ValidationError('Document ID must be a string');
}
const documentIdPattern = /^EP-\d{8}-\d{5}$/;
if (!documentIdPattern.test(id)) {
throw new ValidationError('Invalid document ID format');
}
return id;
}
✅ Good Pattern: Dependency Security Check
{
"scripts": {
"preinstall": "npm audit --audit-level=moderate",
"test:security": "npm audit && npm run test:licenses",
"test:licenses": "license-checker --onlyAllow 'MIT;Apache-2.0;BSD-3-Clause;ISC'",
"prepare": "npm run build && npm run test:security"
}
}
✅ Good Pattern: Rate Limiting for MCP Tools
export class RateLimiter {
private readonly requests: Map<string, number[]> = new Map();
private readonly MAX_REQUESTS = 100;
private readonly WINDOW_MS = 15 * 60 * 1000;
async checkLimit(clientId: string): Promise<void> {
const now = Date.now();
const clientRequests = this.requests.get(clientId) || [];
const recentRequests = clientRequests.filter(
timestamp => now - timestamp < this.WINDOW_MS
);
if (recentRequests.length >= this.MAX_REQUESTS) {
const oldestRequest = Math.min(...recentRequests);
const retryAfter = Math.ceil((oldestRequest + this.WINDOW_MS - now) / 1000);
throw new RateLimitError(
`Rate limit exceeded. Try again in ${retryAfter} seconds.`,
retryAfter
);
}
recentRequests.push(now);
this.requests.set(clientId, recentRequests);
}
}
❌ Bad Pattern: No ISMS Reference
export class ApiService {
async queryDocuments(query: string) {
return fetch(`/api/search?q=${query}`);
}
}
❌ Bad Pattern: Weak Input Validation
function validateInput(input: string): boolean {
return input.length > 0;
}
async function search(query: string): Promise<Results> {
return await db.query(`SELECT * FROM docs WHERE title LIKE '%${query}%'`);
}
❌ Bad Pattern: Missing Security Logging
async function handleToolRequest(request: ToolRequest): Promise<ToolResponse> {
try {
return await processRequest(request);
} catch (error) {
return { error: error.message };
}
}
❌ Bad Pattern: No Rate Limiting
export async function searchDocuments(query: SearchQuery): Promise<Results> {
return await europeanParliamentApi.search(query);
}
References
ISMS Policies
Security Standards
Tools
npm audit - Dependency vulnerability scanning
license-checker - License compliance verification
- Dependabot - Automated dependency updates
- Snyk - Continuous security monitoring
Remember
- Security is not optional: Every feature must consider security implications and align with ISMS policies
- Document everything: Security decisions, threat models, and policy references must be documented
- Defense in depth: Implement multiple overlapping security controls
- Fail securely: Systems must fail to a secure state, not an insecure one
- Assume breach: Design systems assuming attackers will get in - limit blast radius
- Compliance is continuous: Security compliance is not a one-time activity but an ongoing process
- Test security controls: Security features must be tested as rigorously as functional features
- Keep dependencies updated: Regularly update dependencies to patch known vulnerabilities
- Encrypt sensitive data: Never store or transmit sensitive data in plaintext
- Principle of least privilege: Grant only the minimum permissions required
- Validate all inputs: Never trust user input - validate and sanitize everything
- Audit everything: Log security-relevant events for compliance and incident response
- European Parliament context: Respect data protection regulations and European Parliament data policies