Menu
Strategic skill for ensuring all Hack23 repositories comply with ISMS requirements (ISO 27001, NIST CSF 2.0, CIS Controls)
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
Master GitHub Agentic Workflows authoring - markdown syntax, natural language instructions, YAML frontmatter, compilation, and workflow patterns
Comprehensive expertise in GitHub Agentic Workflows (v0.68.1) — AI-powered repository automation with five-layer security, safe outputs, MCP tools, and Continuous AI patterns
Comprehensive guide for MCP (Model Context Protocol) server setup, transport protocols, configuration validation, lifecycle management, tool discovery, and error handling patterns
Comprehensive Hack23 threat modeling process using STRIDE, MITRE ATT&CK, attack trees, and quantitative risk assessment per ISMS Threat_Modeling.md policy
Fiscal policy, budget analysis, economic forecasting, monetary policy, trade policy for political journalists
Comprehensive guide to integrating agentic automation with GitHub Actions CI/CD pipelines, including workflow triggers, environment configuration, secrets management, matrix strategies, and deployment patterns for production-ready autonomous systems.
| name | hack23-isms-compliance |
| description | Strategic skill for ensuring all Hack23 repositories comply with ISMS requirements (ISO 27001, NIST CSF 2.0, CIS Controls) |
| license | Apache-2.0 |
Apply the AI FIRST principle: never accept first-pass quality. Minimum 2 iterations. Read all output, improve every section. No shortcuts.
This skill ensures all code, documentation, and configurations comply with Hack23's Information Security Management System (ISMS) aligned with ISO 27001:2022, NIST CSF 2.0, and CIS Controls v8.1.
The master ISMS document is the Information Security Policy. It defines:
Every other ISMS document derives authority from and must remain consistent with the Information Security Policy.
Every Hack23 repository MUST have:
``` SECURITY_ARCHITECTURE.md # Current security controls THREAT_MODEL.md # STRIDE analysis FUTURE_SECURITY_ARCHITECTURE.md # Security roadmap ```
SECURITY_ARCHITECTURE.md must include:
THREAT_MODEL.md must include:
FUTURE_SECURITY_ARCHITECTURE.md must include:
``` ARCHITECTURE.md # C4 models (Context, Container, Component) DATA_MODEL.md # Data structures and relationships FLOWCHART.md # Business processes and workflows STATEDIAGRAM.md # State transitions and lifecycles MINDMAP.md # Conceptual relationships SWOT.md # Strategic analysis ```
``` FUTURE_ARCHITECTURE.md # Architectural evolution FUTURE_DATA_MODEL.md # Enhanced data architecture FUTURE_FLOWCHART.md # Improved workflows FUTURE_STATEDIAGRAM.md # Advanced state management FUTURE_MINDMAP.md # Capability expansion FUTURE_SWOT.md # Future opportunities ```
Always map implementations to these controls:
| Control | Focus Area | Implementation Examples |
|---|---|---|
| A.9.2 | User Access Management | MFA, SSH keys, GPG signing |
| A.9.4 | System/App Access Control | RBAC, least privilege |
| A.10.1 | Cryptographic Controls | TLS 1.3, HTTPS-only, encryption at rest |
| A.12.4 | Logging and Monitoring | Audit logs, security monitoring |
| A.13.1 | Network Security | Firewalls, DDoS protection, security headers |
| A.14.2 | Secure Development | SAST, DAST, dependency scanning |
| A.16.1 | Incident Management | Response procedures, forensics |
Map all security measures to functions:
| Function | Purpose | Key Categories |
|---|---|---|
| GOVERN (GV) | Organizational context | Risk management strategy, policies |
| IDENTIFY (ID) | Understand risks | Asset management, risk assessment |
| PROTECT (PR) | Implement safeguards | Access control, data security |
| DETECT (DE) | Find anomalies | Monitoring, threat detection |
| RESPOND (RS) | Take action | Response planning, communications |
| RECOVER (RC) | Restore services | Recovery planning, improvements |
Implement applicable controls by Implementation Group:
IG1 (Basic Cyber Hygiene):
IG2 (Enterprise Security):
All workflows must:
Example: ```yaml permissions: contents: read # Least privilege
steps:
Required scans:
For every component, analyze:
| Threat | Description | Example Mitigations |
|---|---|---|
| Spoofing | Identity theft | MFA, strong authentication |
| Tampering | Data modification | Input validation, integrity checks |
| Repudiation | Deny actions | Audit logs, digital signatures |
| Information Disclosure | Expose info | Encryption, access control |
| Denial of Service | Disrupt service | Rate limiting, DDoS protection |
| Elevation of Privilege | Gain unauthorized access | Least privilege, RBAC |
Before completing any task, verify:
Maintain evidence for:
