원클릭으로
hack23-isms-compliance
Hack23 ISMS organization-wide compliance requirements, policy enforcement, audit preparation
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Hack23 ISMS organization-wide compliance requirements, policy enforcement, audit preparation
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Identity and access management: RBAC, least privilege, MFA, quarterly reviews per ISO 27001 A.5.15, A.8.2, A.8.3
Business continuity and disaster recovery: 30-day retention, quarterly restore tests, RTO/RPO targets per ISO 27001 A.17
Political psychology, cognitive biases, group dynamics, leadership analysis, decision-making patterns for Swedish political intelligence
Risk-based data and asset classification framework: PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED aligned with ISO 27001 A.5.12 and CIA triad
Unified compliance verification across ISO 27001, NIST CSF, CIS Controls, NIS2, EU CRA, GDPR, SOC 2, PCI DSS, and HIPAA for cybersecurity consulting
Cryptographic controls implementation: TLS 1.3, AES-256-GCM, bcrypt, RSA-4096, key management per NIST FIPS 140-2 and ISO 27001 A.8.24
| name | hack23-isms-compliance |
| description | Hack23 ISMS organization-wide compliance requirements, policy enforcement, audit preparation |
| license | Apache-2.0 |
Ensure all Hack23 organization projects comply with the Information Security Management System (ISMS) requirements. Covers ISO 27001:2022, NIST CSF 2.0, CIS Controls v8, NIS2, and GDPR compliance across the development lifecycle. Provides actionable guidance for audit preparation and policy enforcement.
Do NOT use for:
┌─────────────────────────────────────────────────────────┐
│ Hack23 ISMS Framework │
├─────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ ISO 27001 │ │ NIST CSF 2.0 │ │ CIS Controls │ │
│ │ :2022 │ │ │ │ v8 │ │
│ │ 93 Controls │ │ 6 Functions │ │ 18 Controls │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ NIS2 │ │ GDPR │ │ EU CRA │ │
│ │ Directive │ │ │ │ │ │
│ │ │ │ Data Privacy │ │ Cyber │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
│ Reference: github.com/Hack23/ISMS-PUBLIC │
└─────────────────────────────────────────────────────────┘
| Document | Status | Description |
|---|---|---|
SECURITY.md | Required | Security policy and vulnerability reporting |
SECURITY_ARCHITECTURE.md | Required | Security architecture documentation |
THREAT_MODEL.md | Required | Threat model using STRIDE framework |
LICENSE.txt | Required | Apache 2.0 license file |
CODEOWNERS | Required | Code ownership and review requirements |
CODE_OF_CONDUCT.md | Required | Community standards |
main — require PR reviews| Control ID | Control Name | Implementation |
|---|---|---|
| A.5.1 | Policies for information security | SECURITY.md, ISMS policies |
| A.8.4 | Access to source code | GitHub branch protection, CODEOWNERS |
| A.8.9 | Configuration management | Infrastructure as Code, version control |
| A.8.25 | Secure development lifecycle | CI/CD pipeline with security gates |
| A.8.26 | Application security requirements | Input validation, OWASP Top 10 |
| A.8.28 | Secure coding | Code review, SAST scanning |
| A.8.31 | Separation of environments | Dev/staging/prod separation |
| A.8.33 | Test information | No production data in test environments |
| Function | Category | CIA Platform Implementation |
|---|---|---|
| Identify | Asset Management | Repository inventory, SBOM |
| Protect | Access Control | Spring Security, RBAC |
| Protect | Data Security | Encryption, input validation |
| Detect | Continuous Monitoring | CodeQL, Dependabot, OSSF |
| Respond | Incident Response | SECURITY.md reporting process |
| Recover | Recovery Planning | Backup procedures, DR plans |
| Category | Examples | Handling |
|---|---|---|
| Public political data | Votes, speeches, motions | Open access, no restrictions |
| Politician profiles | Name, party, committee | Public figure exception applies |
| User accounts | Email, preferences | Minimize, encrypt, consent required |
| Analytics data | Usage patterns | Anonymize, aggregate |
Documentation Review
Technical Controls Verification
Evidence Collection
# Generate compliance evidence
mvn dependency-check:check # Vulnerability scan
mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom # SBOM
mvn site # Project reports
Metrics Preparation
# Branch protection rules (enforce via GitHub API)
protection:
required_reviews: 1
dismiss_stale_reviews: true
require_code_owner_reviews: true
required_status_checks:
- "build"
- "codeql"
- "dependency-check"
enforce_admins: true
| Change Type | Reviewer | Approval |
|---|---|---|
| Security policy | Security lead | Required |
| Architecture change | Tech lead | Required |
| New dependency | Any reviewer | Required + security scan |
| CI/CD pipeline | DevOps + Security | Both required |
| Data model change | Tech lead | Required |
When a security incident occurs:
SECURITY.mdThe authoritative ISMS documentation is maintained at:
github.com/Hack23/ISMS-PUBLICSecure_Development_Policy.mdKey_Management_Policy.mdAccess_Control_Policy.mdAll Hack23 projects must align with these organization-wide policies.