Run any Skill in Manus with one click

$pwd:

compliance-frameworks

Name: Compliance Frameworks
Author: Hack23

// ISO 27001, NIST CSF 2.0, CIS Controls v8.1, EU CRA compliance mapping, multi-standard alignment per Hack23 ISMS policies

Run Skill in Manus

$ git log --oneline --stat

stars:14

forks:8

updated:April 17, 2026 at 17:00

SKILL.md

readonly

related-skills.json

same repository

architecture-documentation.md

from "Hack23/European-Parliament-MCP-Server"

C4 architecture model, security architecture, Mermaid diagrams, SECURITY_ARCHITECTURE.md, and comprehensive documentation per Hack23 Secure Development Policy

2026-05-2414

ai-development-governance.md

from "Hack23/European-Parliament-MCP-Server"

AI-augmented development controls, GitHub Copilot governance, LLM security, AI-generated code review per Hack23 Secure Development Policy

2026-04-1714

ai-governance.md

from "Hack23/European-Parliament-MCP-Server"

EU AI Act compliance, OWASP LLM security, responsible AI practices for parliamentary data and MCP server applications

2026-04-1714

code-quality-excellence.md

from "Hack23/European-Parliament-MCP-Server"

Enforce code quality with ESLint, TypeScript strict mode, Knip unused detection, and quality gates for MCP servers

2026-04-1714

contribution-guidelines.md

from "Hack23/European-Parliament-MCP-Server"

Contribution process with PR workflow, code review standards, commit conventions, and open source best practices

2026-04-1714

documentation-standards.md

from "Hack23/European-Parliament-MCP-Server"

Clear technical documentation with JSDoc, READMEs, Mermaid diagrams, ISMS policy references, and comprehensive code examples

2026-04-1714

package.json

"author": "Hack23"

"repository": "Hack23/European-Parliament-MCP-Server"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Compliance OfficersBusiness and Financial Operations Occupations13-1041L4

Run any Skill with one click

name	compliance-frameworks
description	ISO 27001, NIST CSF 2.0, CIS Controls v8.1, EU CRA compliance mapping, multi-standard alignment per Hack23 ISMS policies
license	MIT

Compliance Frameworks Skill

Context

This skill applies when:

Mapping security controls to compliance frameworks
Creating compliance documentation
Conducting compliance audits
Implementing EU Cyber Resilience Act (CRA) requirements
Generating compliance evidence portfolios
Responding to compliance questionnaires
Preparing for security certifications

This skill enforces Hack23 ISMS policies for multi-standard compliance alignment.

Rules

1. ISO 27001:2022 (Secure Development Policy 📜)

A.5: Organizational controls (policies, roles)
A.8: Asset management (handling, classification, deletion)
A.12: Operations security (change management, vulnerabilities)
A.13: Communications security (network controls, encryption)
A.14: System acquisition and development (secure SDLC)

2. NIST Cybersecurity Framework 2.0 (Secure Development Policy 📜)

GOVERN: Risk management, policy, oversight
IDENTIFY: Asset management, risk assessment
PROTECT: Access control, data security, awareness
DETECT: Continuous monitoring, anomaly detection
RESPOND: Incident analysis, mitigation, communication
RECOVER: Recovery planning, improvements, communications

3. CIS Controls v8.1 (Secure Development Policy 📜)

IG1 (Implementation Group 1): Basic cyber hygiene (8 controls)
IG2 (Implementation Group 2): Medium-sized organizations (56 additional controls)
IG3 (Implementation Group 3): Large organizations/high security (additional 64 controls)

4. EU Cyber Resilience Act (Open Source Policy 🛡️)

Conformity Assessment: CE marking for digital products
Security Updates: Timely vulnerability patching
Risk Management: Classification-based security requirements
Documentation: Technical documentation for 10 years
Incident Reporting: Report actively exploited vulnerabilities

Examples

✅ Good Pattern: ISO 27001:2022 Control Mapping

/**
 * ISO 27001:2022 Control Implementation Matrix
 * 
 * ISMS Policy: Compliance Framework Integration
 * Evidence: https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md#compliance-framework-integration
 */

const iso27001Controls = {
  // A.5 Organizational Controls
  'A.5.1': {
    control: 'Policies for information security',
    implementation: 'SECURITY.md, Open_Source_Policy.md, Secure_Development_Policy.md',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/Open_Source_Policy.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  
  // A.8 Asset Management
  'A.8.3': {
    control: 'Handling of assets',
    implementation: 'Input validation with Zod, data classification per Data_Classification_Policy.md',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/validation/',
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  
  'A.8.10': {
    control: 'Information deletion',
    implementation: 'LRU cache with TTL, GDPR right to erasure support',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/cache.ts',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/skills/gdpr-compliance/SKILL.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  
  // A.12 Operations Security
  'A.12.1.2': {
    control: 'Change management',
    implementation: 'GitHub PRs, code review, CI/CD pipeline',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/workflows/',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/PULL_REQUEST_TEMPLATE.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  
  'A.12.6.1': {
    control: 'Management of technical vulnerabilities',
    implementation: 'Dependabot, npm audit, CodeQL, vulnerability remediation SLAs',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/security/dependabot',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/workflows/codeql.yml',
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md#vulnerability-management'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  
  // A.13 Communications Security
  'A.13.1.1': {
    control: 'Network controls',
    implementation: 'HTTPS only for EP API, TLS 1.3, no open network ports',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/api/client.ts',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY_HEADERS.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  
  // A.14 System Acquisition, Development and Maintenance
  'A.14.2.1': {
    control: 'Secure development policy',
    implementation: 'Secure_Development_Policy.md, security by design, threat modeling',
    evidence: [
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/THREAT_MODEL.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  
  'A.14.2.5': {
    control: 'Secure system engineering principles',
    implementation: 'Defense in depth, fail secure, input validation, least privilege',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/ARCHITECTURE.md',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/skills/security-by-design/SKILL.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  }
};

// Export for compliance reporting
export function generateISO27001Report(): string {
  const implemented = Object.values(iso27001Controls).filter(c => c.status === 'Implemented').length;
  const total = Object.keys(iso27001Controls).length;
  
  return `
# ISO 27001:2022 Compliance Report

**Project**: European Parliament MCP Server  
**Date**: ${new Date().toISOString()}  
**Status**: ${implemented}/${total} controls implemented (${Math.round(implemented/total*100)}%)

## Control Implementation Summary

${Object.entries(iso27001Controls).map(([id, control]) => `
### ${id}: ${control.control}

**Implementation**: ${control.implementation}  
**Status**: ${control.status}  
**Last Review**: ${control.lastReview}

**Evidence**:
${control.evidence.map(e => `- ${e}`).join('\n')}
`).join('\n')}

## Compliance Statement

This system implements security controls aligned with ISO 27001:2022 standard, demonstrating commitment to information security management per [Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC).
  `;
}

Policy Reference: Secure Development Policy Section 📜

Evidence: CIA ISO 27001 Mapping

✅ Good Pattern: NIST CSF 2.0 Function Mapping

/**
 * NIST Cybersecurity Framework 2.0 Implementation
 * 
 * Functions: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
 */

const nistCSF2Mapping = {
  // GOVERN (GV)
  'GV.OC-01': {
    function: 'GOVERN',
    category: 'Organizational Context',
    subcategory: 'Organizational mission, objectives, and activities are understood',
    implementation: 'ISMS policies define organizational security requirements',
    evidence: 'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md'
  },
  
  'GV.RM-01': {
    function: 'GOVERN',
    category: 'Risk Management',
    subcategory: 'Risk management objectives are established',
    implementation: 'Threat modeling, risk register, classification framework',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/THREAT_MODEL.md',
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Risk_Register.md'
    ]
  },
  
  // IDENTIFY (ID)
  'ID.AM-01': {
    function: 'IDENTIFY',
    category: 'Asset Management',
    subcategory: 'Physical devices and systems are inventoried',
    implementation: 'SBOM generation, dependency tracking, asset inventory',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/releases',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/package-lock.json'
    ]
  },
  
  'ID.RA-01': {
    function: 'IDENTIFY',
    category: 'Risk Assessment',
    subcategory: 'Vulnerabilities are identified and documented',
    implementation: 'CodeQL scanning, Dependabot, npm audit, OSSF Scorecard',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/security/code-scanning',
      'https://securityscorecards.dev/viewer/?uri=github.com/Hack23/European-Parliament-MCP-Server'
    ]
  },
  
  // PROTECT (PR)
  'PR.AC-01': {
    function: 'PROTECT',
    category: 'Access Control',
    subcategory: 'Identities and credentials are issued, managed, and verified',
    implementation: 'MCP stdio transport (process-level isolation), no network auth needed',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/index.ts'
  },
  
  'PR.DS-01': {
    function: 'PROTECT',
    category: 'Data Security',
    subcategory: 'Data-at-rest is protected',
    implementation: 'HTTPS for transit, no persistent storage of personal data',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/api/client.ts'
  },
  
  // DETECT (DE)
  'DE.CM-01': {
    function: 'DETECT',
    category: 'Continuous Monitoring',
    subcategory: 'Networks and network services are monitored',
    implementation: 'Audit logging, error monitoring, GDPR access logs',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/audit.ts'
  },
  
  // RESPOND (RS)
  'RS.AN-01': {
    function: 'RESPOND',
    category: 'Analysis',
    subcategory: 'Notifications are investigated',
    implementation: 'Vulnerability disclosure process, security incident response',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md'
  },
  
  // RECOVER (RC)
  'RC.RP-01': {
    function: 'RECOVER',
    category: 'Recovery Planning',
    subcategory: 'Recovery plan is executed',
    implementation: 'Incident response procedures, backup and restore capabilities',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md#incident-response'
  }
};

Policy Reference: Secure Development Policy Section 📜

Evidence: Black Trigram NIST CSF Mapping

✅ Good Pattern: CIS Controls v8.1 Implementation

/**
 * CIS Controls v8.1 Safeguards
 * Implementation Groups: IG1 (Basic), IG2 (Foundational), IG3 (Organizational)
 */

const cisControlsMapping = {
  // CIS Control 1: Inventory and Control of Enterprise Assets
  '1.1': {
    control: 'Establish and Maintain Detailed Enterprise Asset Inventory',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'SBOM generation with CycloneDX, dependency tracking',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/releases/latest/download/sbom.json'
  },
  
  // CIS Control 2: Inventory and Control of Software Assets
  '2.1': {
    control: 'Establish and Maintain Software Inventory',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'package.json, package-lock.json, SBOM',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/package.json'
  },
  
  '2.3': {
    control: 'Address Unauthorized Software',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'License scanning with FOSSA, approved license list enforcement',
    evidence: [
      'https://app.fossa.com/projects/git%2Bgithub.com%2FHack23%2FEuropean-Parliament-MCP-Server',
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md#approved-licenses'
    ]
  },
  
  // CIS Control 3: Data Protection
  '3.1': {
    control: 'Establish and Maintain Data Management Process',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'Data classification, GDPR compliance, data minimization',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/skills/gdpr-compliance/SKILL.md'
  },
  
  '3.3': {
    control: 'Configure Data Access Control Lists',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'Least privilege, process-level isolation via stdio',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/index.ts'
  },
  
  // CIS Control 8: Audit Log Management
  '8.2': {
    control: 'Collect Audit Logs',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'Structured audit logging for all security events',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/audit.ts'
  },
  
  '8.5': {
    control: 'Collect Detailed Audit Logs',
    safeguard: 'Foundational',
    ig: 'IG2',
    implementation: 'Detailed logs with timestamps, event types, actors, outcomes',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/audit.ts'
  },
  
  // CIS Control 16: Application Software Security
  '16.1': {
    control: 'Establish and Maintain Secure Application Development Process',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'Secure Development Policy, security by design, threat modeling',
    evidence: 'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md'
  },
  
  '16.10': {
    control: 'Apply Secure Design Principles in Application Architectures',
    safeguard: 'Foundational',
    ig: 'IG2',
    implementation: 'Defense in depth, fail secure, input validation, least privilege',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/ARCHITECTURE.md',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/skills/security-by-design/SKILL.md'
    ]
  }
};

Policy Reference: Secure Development Policy Section 📜

✅ Good Pattern: EU Cyber Resilience Act (CRA) Compliance

/**
 * EU Cyber Resilience Act Conformity Assessment
 * 
 * ISMS Policy: Open Source Policy Section 🛡️
 * Evidence: https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md#cra-conformity-assessment-evidence
 */

const craCompliance = {
  product: 'European Parliament MCP Server',
  classification: 'Important (Class I)',  // Based on risk assessment
  
  // Essential Requirements
  essentialRequirements: {
    security: {
      'Art. 10': {
        requirement: 'Products with digital elements shall be delivered without known exploitable vulnerabilities',
        implementation: 'CodeQL scanning, Dependabot, npm audit, OSSF Scorecard ≥7.0',
        evidence: [
          'https://github.com/Hack23/European-Parliament-MCP-Server/security/code-scanning',
          'https://securityscorecards.dev/viewer/?uri=github.com/Hack23/European-Parliament-MCP-Server'
        ]
      },
      'Art. 11': {
        requirement: 'Products shall be delivered with a secure by default configuration',
        implementation: 'Security by design, threat modeling, input validation mandatory',
        evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/THREAT_MODEL.md'
      }
    },
    
    updates: {
      'Art. 12': {
        requirement: 'Manufacturers shall provide security updates for the expected lifetime',
        implementation: 'Dependabot automated updates, 5-year support lifecycle',
        evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md#supported-versions'
      }
    },
    
    documentation: {
      'Art. 13': {
        requirement: 'Technical documentation shall be maintained for 10 years',
        implementation: 'SECURITY_ARCHITECTURE.md, THREAT_MODEL.md, compliance mappings maintained in git',
        evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server'
      }
    },
    
    incidentReporting: {
      'Art. 14': {
        requirement: 'Actively exploited vulnerabilities shall be reported within 24 hours',
        implementation: 'Vulnerability disclosure process, CSIRT coordination',
        evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md#reporting-a-vulnerability'
      }
    }
  },
  
  // Conformity Assessment
  conformityAssessment: {
    type: 'Module A (Internal Control)',  // For Class I products
    ceMarking: false,  // Not required for open source tools
    declarationOfConformity: true,
    technicalDocumentation: {
      description: 'European Parliament MCP Server - Model Context Protocol server for parliamentary data',
      architecture: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY_ARCHITECTURE.md',
      threatModel: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/THREAT_MODEL.md',
      sbom: 'https://github.com/Hack23/European-Parliament-MCP-Server/releases/latest/download/sbom.json'
    }
  }
};

Policy Reference: Open Source Policy Section 🛡️

Anti-Patterns

❌ Bad: No Compliance Mapping

// Just code, no compliance documentation

❌ Bad: Outdated Compliance Evidence

Last compliance review: 2022  // More than 1 year old!

Evidence Portfolio

Reference Implementations

Citizen Intelligence Agency (CIA)
- ISO 27001 Mapping: https://github.com/Hack23/cia/blob/master/ISO27001_MAPPING.md
- NIST CSF: https://github.com/Hack23/cia/blob/master/NIST_CSF_MAPPING.md
- CIS Controls: https://github.com/Hack23/cia/blob/master/CIS_CONTROLS_MAPPING.md
Black Trigram Game
- Compliance Dashboard: https://github.com/Hack23/blacktrigram/blob/main/COMPLIANCE.md
CIA Compliance Manager
- Multi-Framework Mapping: https://github.com/Hack23/cia-compliance-manager/blob/main/COMPLIANCE_MAPPING.md

Policy Documents

Secure Development Policy: https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md
Open Source Policy: https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md
ISMS-PUBLIC Repository: https://github.com/Hack23/ISMS-PUBLIC

ISMS Compliance

This skill enforces:

CF-001: ISO 27001:2022 control mapping
CF-002: NIST CSF 2.0 function alignment
CF-003: CIS Controls v8.1 safeguards
CF-004: EU CRA conformity assessment
CF-005: GDPR / NIS2 linkage

Policy References

Primary:

Information Security Policy — Top-level frame for multi-standard alignment
Hack23 ISMS-PUBLIC — Full policy portfolio

All policies contribute to compliance mapping:

Secure Development Policy → ISO A.8.25 / A.8.28, NIST PR.PS, CIS 16
Open Source Policy → ISO A.5.19/23, NIST ID.SC, CIS 15
Privacy Policy → GDPR Art. 5/6/25/30, ISO A.5.34
Access Control Policy → ISO A.5.15-18, NIST PR.AA, CIS 6
Cryptography Policy → ISO A.8.24, NIST PR.DS, CIS 3.11
Vulnerability Management → ISO A.8.8, NIST ID.RA/DE.CM-8, CIS 7
Incident Response Plan → ISO A.5.24-28, NIST RS, CIS 17
Change Management → ISO A.8.32, NIST ID.GV
Threat Modeling → ISO A.8.27, NIST ID.RA
Business Continuity Plan → ISO A.5.29-30, NIST RC
Backup Recovery Policy → ISO A.8.13, NIST PR.IP-4
AI Policy + OWASP LLM Security Policy → EU AI Act, ISO 42001 (emerging)
Third Party Management → ISO A.5.19-22, NIST ID.SC
Segregation of Duties Policy → ISO A.5.3, CIS 6.8

name	compliance-frameworks
description	ISO 27001, NIST CSF 2.0, CIS Controls v8.1, EU CRA compliance mapping, multi-standard alignment per Hack23 ISMS policies
license	MIT

Compliance Frameworks Skill

Context

This skill applies when:

Mapping security controls to compliance frameworks
Creating compliance documentation
Conducting compliance audits
Implementing EU Cyber Resilience Act (CRA) requirements
Generating compliance evidence portfolios
Responding to compliance questionnaires
Preparing for security certifications

This skill enforces Hack23 ISMS policies for multi-standard compliance alignment.

Rules

1. ISO 27001:2022 (Secure Development Policy 📜)

A.5: Organizational controls (policies, roles)
A.8: Asset management (handling, classification, deletion)
A.12: Operations security (change management, vulnerabilities)
A.13: Communications security (network controls, encryption)
A.14: System acquisition and development (secure SDLC)

2. NIST Cybersecurity Framework 2.0 (Secure Development Policy 📜)

GOVERN: Risk management, policy, oversight
IDENTIFY: Asset management, risk assessment
PROTECT: Access control, data security, awareness
DETECT: Continuous monitoring, anomaly detection
RESPOND: Incident analysis, mitigation, communication
RECOVER: Recovery planning, improvements, communications

3. CIS Controls v8.1 (Secure Development Policy 📜)

IG1 (Implementation Group 1): Basic cyber hygiene (8 controls)
IG2 (Implementation Group 2): Medium-sized organizations (56 additional controls)
IG3 (Implementation Group 3): Large organizations/high security (additional 64 controls)

4. EU Cyber Resilience Act (Open Source Policy 🛡️)

Conformity Assessment: CE marking for digital products
Security Updates: Timely vulnerability patching
Risk Management: Classification-based security requirements
Documentation: Technical documentation for 10 years
Incident Reporting: Report actively exploited vulnerabilities

Examples

✅ Good Pattern: ISO 27001:2022 Control Mapping

/**
 * ISO 27001:2022 Control Implementation Matrix
 * 
 * ISMS Policy: Compliance Framework Integration
 * Evidence: https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md#compliance-framework-integration
 */

const iso27001Controls = {
  // A.5 Organizational Controls
  'A.5.1': {
    control: 'Policies for information security',
    implementation: 'SECURITY.md, Open_Source_Policy.md, Secure_Development_Policy.md',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/Open_Source_Policy.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  
  // A.8 Asset Management
  'A.8.3': {
    control: 'Handling of assets',
    implementation: 'Input validation with Zod, data classification per Data_Classification_Policy.md',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/validation/',
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  
  'A.8.10': {
    control: 'Information deletion',
    implementation: 'LRU cache with TTL, GDPR right to erasure support',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/cache.ts',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/skills/gdpr-compliance/SKILL.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  
  // A.12 Operations Security
  'A.12.1.2': {
    control: 'Change management',
    implementation: 'GitHub PRs, code review, CI/CD pipeline',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/workflows/',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/PULL_REQUEST_TEMPLATE.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  
  'A.12.6.1': {
    control: 'Management of technical vulnerabilities',
    implementation: 'Dependabot, npm audit, CodeQL, vulnerability remediation SLAs',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/security/dependabot',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/workflows/codeql.yml',
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md#vulnerability-management'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  
  // A.13 Communications Security
  'A.13.1.1': {
    control: 'Network controls',
    implementation: 'HTTPS only for EP API, TLS 1.3, no open network ports',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/api/client.ts',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY_HEADERS.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  
  // A.14 System Acquisition, Development and Maintenance
  'A.14.2.1': {
    control: 'Secure development policy',
    implementation: 'Secure_Development_Policy.md, security by design, threat modeling',
    evidence: [
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/THREAT_MODEL.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  },
  
  'A.14.2.5': {
    control: 'Secure system engineering principles',
    implementation: 'Defense in depth, fail secure, input validation, least privilege',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/ARCHITECTURE.md',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/skills/security-by-design/SKILL.md'
    ],
    status: 'Implemented',
    lastReview: '2026-02-16'
  }
};

// Export for compliance reporting
export function generateISO27001Report(): string {
  const implemented = Object.values(iso27001Controls).filter(c => c.status === 'Implemented').length;
  const total = Object.keys(iso27001Controls).length;
  
  return `
# ISO 27001:2022 Compliance Report

**Project**: European Parliament MCP Server  
**Date**: ${new Date().toISOString()}  
**Status**: ${implemented}/${total} controls implemented (${Math.round(implemented/total*100)}%)

## Control Implementation Summary

${Object.entries(iso27001Controls).map(([id, control]) => `
### ${id}: ${control.control}

**Implementation**: ${control.implementation}  
**Status**: ${control.status}  
**Last Review**: ${control.lastReview}

**Evidence**:
${control.evidence.map(e => `- ${e}`).join('\n')}
`).join('\n')}

## Compliance Statement

This system implements security controls aligned with ISO 27001:2022 standard, demonstrating commitment to information security management per [Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC).
  `;
}

Policy Reference: Secure Development Policy Section 📜

Evidence: CIA ISO 27001 Mapping

✅ Good Pattern: NIST CSF 2.0 Function Mapping

/**
 * NIST Cybersecurity Framework 2.0 Implementation
 * 
 * Functions: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
 */

const nistCSF2Mapping = {
  // GOVERN (GV)
  'GV.OC-01': {
    function: 'GOVERN',
    category: 'Organizational Context',
    subcategory: 'Organizational mission, objectives, and activities are understood',
    implementation: 'ISMS policies define organizational security requirements',
    evidence: 'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md'
  },
  
  'GV.RM-01': {
    function: 'GOVERN',
    category: 'Risk Management',
    subcategory: 'Risk management objectives are established',
    implementation: 'Threat modeling, risk register, classification framework',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/THREAT_MODEL.md',
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Risk_Register.md'
    ]
  },
  
  // IDENTIFY (ID)
  'ID.AM-01': {
    function: 'IDENTIFY',
    category: 'Asset Management',
    subcategory: 'Physical devices and systems are inventoried',
    implementation: 'SBOM generation, dependency tracking, asset inventory',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/releases',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/package-lock.json'
    ]
  },
  
  'ID.RA-01': {
    function: 'IDENTIFY',
    category: 'Risk Assessment',
    subcategory: 'Vulnerabilities are identified and documented',
    implementation: 'CodeQL scanning, Dependabot, npm audit, OSSF Scorecard',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/security/code-scanning',
      'https://securityscorecards.dev/viewer/?uri=github.com/Hack23/European-Parliament-MCP-Server'
    ]
  },
  
  // PROTECT (PR)
  'PR.AC-01': {
    function: 'PROTECT',
    category: 'Access Control',
    subcategory: 'Identities and credentials are issued, managed, and verified',
    implementation: 'MCP stdio transport (process-level isolation), no network auth needed',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/index.ts'
  },
  
  'PR.DS-01': {
    function: 'PROTECT',
    category: 'Data Security',
    subcategory: 'Data-at-rest is protected',
    implementation: 'HTTPS for transit, no persistent storage of personal data',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/api/client.ts'
  },
  
  // DETECT (DE)
  'DE.CM-01': {
    function: 'DETECT',
    category: 'Continuous Monitoring',
    subcategory: 'Networks and network services are monitored',
    implementation: 'Audit logging, error monitoring, GDPR access logs',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/audit.ts'
  },
  
  // RESPOND (RS)
  'RS.AN-01': {
    function: 'RESPOND',
    category: 'Analysis',
    subcategory: 'Notifications are investigated',
    implementation: 'Vulnerability disclosure process, security incident response',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md'
  },
  
  // RECOVER (RC)
  'RC.RP-01': {
    function: 'RECOVER',
    category: 'Recovery Planning',
    subcategory: 'Recovery plan is executed',
    implementation: 'Incident response procedures, backup and restore capabilities',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md#incident-response'
  }
};

Policy Reference: Secure Development Policy Section 📜

Evidence: Black Trigram NIST CSF Mapping

✅ Good Pattern: CIS Controls v8.1 Implementation

/**
 * CIS Controls v8.1 Safeguards
 * Implementation Groups: IG1 (Basic), IG2 (Foundational), IG3 (Organizational)
 */

const cisControlsMapping = {
  // CIS Control 1: Inventory and Control of Enterprise Assets
  '1.1': {
    control: 'Establish and Maintain Detailed Enterprise Asset Inventory',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'SBOM generation with CycloneDX, dependency tracking',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/releases/latest/download/sbom.json'
  },
  
  // CIS Control 2: Inventory and Control of Software Assets
  '2.1': {
    control: 'Establish and Maintain Software Inventory',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'package.json, package-lock.json, SBOM',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/package.json'
  },
  
  '2.3': {
    control: 'Address Unauthorized Software',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'License scanning with FOSSA, approved license list enforcement',
    evidence: [
      'https://app.fossa.com/projects/git%2Bgithub.com%2FHack23%2FEuropean-Parliament-MCP-Server',
      'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md#approved-licenses'
    ]
  },
  
  // CIS Control 3: Data Protection
  '3.1': {
    control: 'Establish and Maintain Data Management Process',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'Data classification, GDPR compliance, data minimization',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/skills/gdpr-compliance/SKILL.md'
  },
  
  '3.3': {
    control: 'Configure Data Access Control Lists',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'Least privilege, process-level isolation via stdio',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/index.ts'
  },
  
  // CIS Control 8: Audit Log Management
  '8.2': {
    control: 'Collect Audit Logs',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'Structured audit logging for all security events',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/audit.ts'
  },
  
  '8.5': {
    control: 'Collect Detailed Audit Logs',
    safeguard: 'Foundational',
    ig: 'IG2',
    implementation: 'Detailed logs with timestamps, event types, actors, outcomes',
    evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/src/audit.ts'
  },
  
  // CIS Control 16: Application Software Security
  '16.1': {
    control: 'Establish and Maintain Secure Application Development Process',
    safeguard: 'Basic',
    ig: 'IG1',
    implementation: 'Secure Development Policy, security by design, threat modeling',
    evidence: 'https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md'
  },
  
  '16.10': {
    control: 'Apply Secure Design Principles in Application Architectures',
    safeguard: 'Foundational',
    ig: 'IG2',
    implementation: 'Defense in depth, fail secure, input validation, least privilege',
    evidence: [
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/ARCHITECTURE.md',
      'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/.github/skills/security-by-design/SKILL.md'
    ]
  }
};

Policy Reference: Secure Development Policy Section 📜

✅ Good Pattern: EU Cyber Resilience Act (CRA) Compliance

/**
 * EU Cyber Resilience Act Conformity Assessment
 * 
 * ISMS Policy: Open Source Policy Section 🛡️
 * Evidence: https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md#cra-conformity-assessment-evidence
 */

const craCompliance = {
  product: 'European Parliament MCP Server',
  classification: 'Important (Class I)',  // Based on risk assessment
  
  // Essential Requirements
  essentialRequirements: {
    security: {
      'Art. 10': {
        requirement: 'Products with digital elements shall be delivered without known exploitable vulnerabilities',
        implementation: 'CodeQL scanning, Dependabot, npm audit, OSSF Scorecard ≥7.0',
        evidence: [
          'https://github.com/Hack23/European-Parliament-MCP-Server/security/code-scanning',
          'https://securityscorecards.dev/viewer/?uri=github.com/Hack23/European-Parliament-MCP-Server'
        ]
      },
      'Art. 11': {
        requirement: 'Products shall be delivered with a secure by default configuration',
        implementation: 'Security by design, threat modeling, input validation mandatory',
        evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/THREAT_MODEL.md'
      }
    },
    
    updates: {
      'Art. 12': {
        requirement: 'Manufacturers shall provide security updates for the expected lifetime',
        implementation: 'Dependabot automated updates, 5-year support lifecycle',
        evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md#supported-versions'
      }
    },
    
    documentation: {
      'Art. 13': {
        requirement: 'Technical documentation shall be maintained for 10 years',
        implementation: 'SECURITY_ARCHITECTURE.md, THREAT_MODEL.md, compliance mappings maintained in git',
        evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server'
      }
    },
    
    incidentReporting: {
      'Art. 14': {
        requirement: 'Actively exploited vulnerabilities shall be reported within 24 hours',
        implementation: 'Vulnerability disclosure process, CSIRT coordination',
        evidence: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY.md#reporting-a-vulnerability'
      }
    }
  },
  
  // Conformity Assessment
  conformityAssessment: {
    type: 'Module A (Internal Control)',  // For Class I products
    ceMarking: false,  // Not required for open source tools
    declarationOfConformity: true,
    technicalDocumentation: {
      description: 'European Parliament MCP Server - Model Context Protocol server for parliamentary data',
      architecture: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/SECURITY_ARCHITECTURE.md',
      threatModel: 'https://github.com/Hack23/European-Parliament-MCP-Server/blob/main/THREAT_MODEL.md',
      sbom: 'https://github.com/Hack23/European-Parliament-MCP-Server/releases/latest/download/sbom.json'
    }
  }
};

Policy Reference: Open Source Policy Section 🛡️

Anti-Patterns

❌ Bad: No Compliance Mapping

// Just code, no compliance documentation

❌ Bad: Outdated Compliance Evidence

Last compliance review: 2022  // More than 1 year old!

Evidence Portfolio

Reference Implementations

Citizen Intelligence Agency (CIA)
- ISO 27001 Mapping: https://github.com/Hack23/cia/blob/master/ISO27001_MAPPING.md
- NIST CSF: https://github.com/Hack23/cia/blob/master/NIST_CSF_MAPPING.md
- CIS Controls: https://github.com/Hack23/cia/blob/master/CIS_CONTROLS_MAPPING.md
Black Trigram Game
- Compliance Dashboard: https://github.com/Hack23/blacktrigram/blob/main/COMPLIANCE.md
CIA Compliance Manager
- Multi-Framework Mapping: https://github.com/Hack23/cia-compliance-manager/blob/main/COMPLIANCE_MAPPING.md

Policy Documents

Secure Development Policy: https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md
Open Source Policy: https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md
ISMS-PUBLIC Repository: https://github.com/Hack23/ISMS-PUBLIC

ISMS Compliance

This skill enforces:

CF-001: ISO 27001:2022 control mapping
CF-002: NIST CSF 2.0 function alignment
CF-003: CIS Controls v8.1 safeguards
CF-004: EU CRA conformity assessment
CF-005: GDPR / NIS2 linkage

Policy References

Primary:

Information Security Policy — Top-level frame for multi-standard alignment
Hack23 ISMS-PUBLIC — Full policy portfolio

All policies contribute to compliance mapping:

Secure Development Policy → ISO A.8.25 / A.8.28, NIST PR.PS, CIS 16
Open Source Policy → ISO A.5.19/23, NIST ID.SC, CIS 15
Privacy Policy → GDPR Art. 5/6/25/30, ISO A.5.34
Access Control Policy → ISO A.5.15-18, NIST PR.AA, CIS 6
Cryptography Policy → ISO A.8.24, NIST PR.DS, CIS 3.11
Vulnerability Management → ISO A.8.8, NIST ID.RA/DE.CM-8, CIS 7
Incident Response Plan → ISO A.5.24-28, NIST RS, CIS 17
Change Management → ISO A.8.32, NIST ID.GV
Threat Modeling → ISO A.8.27, NIST ID.RA
Business Continuity Plan → ISO A.5.29-30, NIST RC
Backup Recovery Policy → ISO A.8.13, NIST PR.IP-4
AI Policy + OWASP LLM Security Policy → EU AI Act, ISO 42001 (emerging)
Third Party Management → ISO A.5.19-22, NIST ID.SC
Segregation of Duties Policy → ISO A.5.3, CIS 6.8

compliance-frameworks

More from this repository

More from this repository

Compliance Frameworks Skill

Context

Rules

1. ISO 27001:2022 (Secure Development Policy 📜)

2. NIST Cybersecurity Framework 2.0 (Secure Development Policy 📜)

3. CIS Controls v8.1 (Secure Development Policy 📜)

4. EU Cyber Resilience Act (Open Source Policy 🛡️)

Examples

✅ Good Pattern: ISO 27001:2022 Control Mapping

✅ Good Pattern: NIST CSF 2.0 Function Mapping

✅ Good Pattern: CIS Controls v8.1 Implementation

✅ Good Pattern: EU Cyber Resilience Act (CRA) Compliance

Anti-Patterns

❌ Bad: No Compliance Mapping

❌ Bad: Outdated Compliance Evidence

Evidence Portfolio

Reference Implementations

Policy Documents

ISMS Compliance

Policy References

Compliance Frameworks Skill

Context

Rules

1. ISO 27001:2022 (Secure Development Policy 📜)

2. NIST Cybersecurity Framework 2.0 (Secure Development Policy 📜)

3. CIS Controls v8.1 (Secure Development Policy 📜)

4. EU Cyber Resilience Act (Open Source Policy 🛡️)

Examples

✅ Good Pattern: ISO 27001:2022 Control Mapping

✅ Good Pattern: NIST CSF 2.0 Function Mapping

✅ Good Pattern: CIS Controls v8.1 Implementation

✅ Good Pattern: EU Cyber Resilience Act (CRA) Compliance

Anti-Patterns

❌ Bad: No Compliance Mapping

❌ Bad: Outdated Compliance Evidence

Evidence Portfolio

Reference Implementations

Policy Documents

ISMS Compliance

Policy References