一键导入
compliance-frameworks
Multi-framework compliance (ISO 27001, NIST CSF, CIS Controls, GDPR, NIS2, EU CRA, SOC 2), control mapping
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Multi-framework compliance (ISO 27001, NIST CSF, CIS Controls, GDPR, NIS2, EU CRA, SOC 2), control mapping
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
Identity and access management: RBAC, least privilege, MFA, quarterly reviews per ISO 27001 A.5.15, A.8.2, A.8.3
Business continuity and disaster recovery: 30-day retention, quarterly restore tests, RTO/RPO targets per ISO 27001 A.17
Political psychology, cognitive biases, group dynamics, leadership analysis, decision-making patterns for Swedish political intelligence
Risk-based data and asset classification framework: PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED aligned with ISO 27001 A.5.12 and CIA triad
Unified compliance verification across ISO 27001, NIST CSF, CIS Controls, NIS2, EU CRA, GDPR, SOC 2, PCI DSS, and HIPAA for cybersecurity consulting
Cryptographic controls implementation: TLS 1.3, AES-256-GCM, bcrypt, RSA-4096, key management per NIST FIPS 140-2 and ISO 27001 A.8.24
| name | compliance-frameworks |
| description | Multi-framework compliance (ISO 27001, NIST CSF, CIS Controls, GDPR, NIS2, EU CRA, SOC 2), control mapping |
| license | Apache-2.0 |
This skill provides unified compliance mapping across ISO 27001:2022, NIST CSF 2.0, CIS Controls v8, GDPR, NIS2, EU CRA, and SOC 2 for the CIA platform. It enables developers to implement controls that satisfy multiple frameworks simultaneously, reducing compliance overhead.
Apply this skill when:
Do NOT use for:
Compliance Framework Hierarchy for CIA Platform
│
├─ MANDATORY COMPLIANCE
│ ├─ GDPR (data protection, Swedish political data)
│ ├─ NIS2 (network and information security, if applicable)
│ └─ EU CRA (cyber resilience for open-source software)
│
├─ VOLUNTARY STANDARDS (Hack23 ISMS)
│ ├─ ISO 27001:2022 (information security management)
│ ├─ NIST CSF 2.0 (cybersecurity framework)
│ └─ CIS Controls v8 (critical security controls)
│
└─ INDUSTRY BEST PRACTICES
├─ SOC 2 Type II (service organization controls)
├─ OWASP Top 10 (web application security)
└─ OpenSSF Scorecard (open-source security posture)
| Requirement | ISO 27001 | NIST CSF | CIS Controls | GDPR | NIS2 |
|---|---|---|---|---|---|
| Authentication | A.8.5 | PR.AA-01 | CIS 6.3 | Art. 32 | Art. 21(2)(d) |
| Authorization | A.5.15 | PR.AA-03 | CIS 6.8 | Art. 25 | Art. 21(2)(d) |
| Least privilege | A.8.2 | PR.AA-05 | CIS 6.1 | Art. 25 | Art. 21(2)(i) |
| MFA | A.8.5 | PR.AA-02 | CIS 6.5 | Art. 32 | Art. 21(2)(j) |
| Access review | A.5.18 | PR.AA-06 | CIS 6.2 | Art. 32 | Art. 21(2)(d) |
| Requirement | ISO 27001 | NIST CSF | CIS Controls | GDPR | EU CRA |
|---|---|---|---|---|---|
| Encryption at rest | A.8.24 | PR.DS-01 | CIS 3.11 | Art. 32(1)(a) | Art. 10(1) |
| Encryption in transit | A.8.24 | PR.DS-02 | CIS 3.10 | Art. 32(1)(a) | Art. 10(1) |
| Data classification | A.5.12 | ID.AM-08 | CIS 3.7 | Art. 9 | — |
| Data retention | A.5.33 | PR.DS-10 | CIS 3.1 | Art. 5(1)(e) | — |
| Backup | A.8.13 | PR.DS-11 | CIS 11.2 | Art. 32(1)(c) | Art. 10(1) |
| Requirement | ISO 27001 | NIST CSF | CIS Controls | EU CRA | SOC 2 |
|---|---|---|---|---|---|
| Vulnerability scanning | A.8.8 | DE.CM-08 | CIS 7.5 | Art. 10(6) | CC7.1 |
| Patch management | A.8.8 | PR.PS-02 | CIS 7.4 | Art. 10(6) | CC7.1 |
| Dependency check | A.8.28 | PR.PS-02 | CIS 16.4 | Art. 10(6) | CC7.1 |
| Pen testing | A.8.8 | DE.CM-08 | CIS 18.3 | Art. 10(4) | CC7.1 |
| SBOM | A.8.28 | PR.PS-01 | CIS 16.4 | Art. 10(5) | — |
| Requirement | ISO 27001 | NIST CSF | CIS Controls | NIS2 | SOC 2 |
|---|---|---|---|---|---|
| Incident plan | A.5.24 | RS.MA-01 | CIS 17.1 | Art. 23 | CC7.3 |
| Incident detection | A.8.16 | DE.AE-02 | CIS 17.3 | Art. 23(1) | CC7.2 |
| Reporting | A.5.25 | RS.CO-02 | CIS 17.2 | Art. 23(4) | CC7.4 |
| Lessons learned | A.5.27 | RS.IM-02 | CIS 17.8 | Art. 23 | CC7.5 |
| Evidence preservation | A.5.28 | RS.AN-06 | CIS 17.4 | Art. 23 | CC7.3 |
New Feature Compliance Assessment
│
├─→ Does it process personal data?
│ ├─ YES → GDPR (Art. 6 legal basis, Art. 25 privacy by design)
│ └─ NO → Continue
│
├─→ Does it affect network/information security?
│ ├─ YES → NIS2 (Art. 21 risk management measures)
│ └─ NO → Continue
│
├─→ Is it a software product/component?
│ ├─ YES → EU CRA (Art. 10 vulnerability handling)
│ └─ NO → Continue
│
├─→ Does it change security controls?
│ ├─ YES → ISO 27001 (Annex A controls)
│ │ NIST CSF (relevant function)
│ │ CIS Controls (implementation group)
│ └─ NO → Continue
│
└─→ Apply general secure development practices
└─ OWASP Top 10, secure coding standards
NIS2 applies to CIA platform if:
- Essential entity: Public administration ICT services
- Important entity: Digital infrastructure providers
- Open-source steward: Maintained open-source project (Art. 15a)
Hack23/CIA classification: Open-Source Steward
Obligations: Due diligence, vulnerability handling, coordination
| NIS2 Article | Requirement | CIA Implementation |
|---|---|---|
| Art. 21(2)(a) | Risk analysis and IS policies | Hack23 ISMS policies |
| Art. 21(2)(b) | Incident handling | Incident response plan |
| Art. 21(2)(d) | Supply chain security | OWASP dependency check |
| Art. 21(2)(e) | Secure development | SDLC security gates |
| Art. 21(2)(h) | Security awareness | Developer training |
| Art. 21(2)(j) | MFA and encryption | Spring Security, AES-256 |
EU CRA Open-Source Steward Requirements:
├─ Vulnerability disclosure policy (SECURITY.md)
├─ Coordinated vulnerability handling
├─ Security update distribution
├─ Software Bill of Materials (SBOM)
├─ CE marking considerations
└─ Documentation of security properties
| CRA Requirement | Evidence |
|---|---|
| Vulnerability handling | SECURITY.md, GitHub Security Advisories |
| Security updates | Dependabot, automated dependency updates |
| SBOM generation | Maven CycloneDX plugin |
| Secure by default | Spring Security configuration |
| Documentation | SECURITY_ARCHITECTURE.md, THREAT_MODEL.md |
Sprint Compliance Artifacts:
□ Code review records (GitHub PR reviews)
□ Security scan results (CodeQL, OWASP)
□ Test coverage reports (JaCoCo)
□ Dependency audit (Dependabot alerts)
□ Access control changes (audit log)
□ Configuration changes (git history)
Annual Compliance Review:
□ ISMS policy review and update
□ Risk assessment update
□ Penetration testing results
□ Business continuity test
□ Access rights review
□ Security awareness training records
□ Supplier security assessments
□ Incident response drill results
| Policy | Frameworks Covered | Location |
|---|---|---|
| Information Security Policy | ISO 27001, NIST CSF | Hack23 ISMS |
| Classification Policy | ISO 27001, GDPR | Hack23 ISMS |
| Access Control Policy | ISO 27001, CIS, NIS2 | Hack23 ISMS |
| Secure Development Policy | ISO 27001, EU CRA | Hack23 ISMS |
| Incident Response Policy | ISO 27001, NIS2 | Hack23 ISMS |
| Cryptography Policy | ISO 27001, GDPR | Hack23 ISMS |