一键在 Manus 中运行任何 Skill

开始使用

$pwd:

isms-compliance

Name: Isms Compliance
Author: Hack23

// Hack23 ISMS alignment — ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1, GDPR, NIS2, EU CRA — with policy citations

在 Manus 中运行

$ git log --oneline --stat

stars:11

forks:4

updated:2026年4月17日 14:05

SKILL.md

readonly

name	isms-compliance
description	Hack23 ISMS alignment — ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1, GDPR, NIS2, EU CRA — with policy citations
license	MIT

ISMS Compliance Skill

Context

Applies when adding features, dependencies, or security controls; editing security code; documenting architecture; touching CI/CD; or handling any sensitive data.

All practices align with Hack23 AB's ISMS-PUBLIC, implementing ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1, GDPR, NIS2, and EU CRA readiness.

Policy Catalogue (cite the one that applies)

Concern	Policy
Overarching governance / incident / transparency	Information Security Policy
SDLC / CI / testing / deployment / threat modeling	Secure Development Policy
Dependencies / licenses / SBOM / supply chain	Open Source Policy
Auth / identity / access	Access Control Policy
Encryption / keys / hashing	Cryptography Policy
Data handling / classification	Data Classification Policy
Personal data / GDPR	Privacy Policy
STRIDE / abuse cases / MITRE ATT&CK	Threat Modeling
Vulnerability triage + patch SLAs	Vulnerability Management
Copilot / LLM / MCP governance	AI Policy
Agent / MCP / workflow edits	Change Management
BCP / DR / backup	Business Continuity / Disaster Recovery / Backup Recovery

Rules

Reference ISMS Policies — security-relevant code, docs, and PRs must cite the applicable policy (e.g., "ISMS: SDP §Phase 3")
Defense in Depth — stack validation + sanitization + encoding + CSP + headers
Document Decisions — ADRs and threat models cite ISMS policies
Verify Dependencies — npm audit + npm run test:licenses + GitHub Advisory DB before adding
Security Headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options (see SECURITY_HEADERS.md)
Secure Defaults — unused features off; risky options explicit opt-in
Least Privilege — minimum token scopes, minimum workflow permissions, minimum tool scopes
Validate All Inputs — never trust user input (validate / sanitize / encode)
Encrypt Sensitive Data — AES-256 at rest, TLS 1.3+ in transit, SHA-256+ hashing
Log Security Events — auth, authorization failures, security-relevant events; never secrets/PII
Secure SDLC — security baked into design → dev → test → deploy → operate
Test Security Controls — ≥ 95 % coverage on security-sensitive paths
Patch within SLA — Critical ≤ 7 d, High ≤ 30 d, Medium ≤ 90 d
No Production Data in Tests — anonymize / synthesize

Secure SDLC Phase Gates (per SDP)

Phase	Gate
Plan & Design	Classification (CIA triad) + threat model + policy links
Develop	OWASP-aligned, typed, no hardcoded secrets, least-privilege tokens
Test	CodeQL clean, `npm audit` clean, coverage ≥ 80 / 70 (≥ 95 % security)
Deploy	SHA-pinned Actions, SLSA L3 attestations, SBOM + SBOMQS ≥ 7.0
Operate	Scorecard ≥ 8.0, Dependabot green, patch SLAs honored, incident drills

Compliance Framework Mapping

ISO 27001:2022 — A.5.23, A.5.30, A.8.25, A.8.28, A.8.29, A.8.30, A.8.31, A.8.32

NIST CSF 2.0 — GV (govern), ID.AM, PR.DS, PR.IR, DE.CM, RS.AN, RC.RP

CIS Controls v8.1 — 2, 3, 4, 6, 7, 8, 11, 16, 18

EU CRA — SBOM, CVE handling, security updates, conformity self-assessment

Example: ISMS-Cited Code

/**
 * Persist the high score.
 * ISMS: Secure Development Policy §Phase 2 — Secure Coding (input validation)
 * ISMS: Data Classification Policy — local-only, non-PII
 * Compliance: ISO 27001:2022 A.8.28, NIST CSF PR.DS-1
 */
export function saveHighScore(score: number): void {
  if (!Number.isFinite(score) || score < 0) {
    throw new RangeError('Invalid score value');
  }
  localStorage.setItem('highScore', String(Math.floor(score)));
}

Validation Checklist

Applicable ISMS policy cited in code, commit, or PR description
Threat model reviewed if attack surface changed (STRIDE)
Dependency audit clean; licenses approved
Security coverage ≥ 95 % on changed security code
CodeQL + Scorecard + Dependabot status green
No PII / production data in code, fixtures, or tests
Docs updated (README / ISMS_POLICY_MAPPING.md / SECURITY.md as applicable)

related-skills.json

同仓库

ai-augmented-sdlc.md

from "Hack23/game"

AI-assisted development governance — Copilot custom agents, MCP servers, change control, audit trail — per Hack23 ISMS AI Policy

2026-04-1711

documentation-standards.md

from "Hack23/game"

Clear technical documentation — JSDoc, Mermaid, READMEs, ADRs, C4 diagrams, ISMS policy citations

2026-04-1711

performance-optimization.md

from "Hack23/game"

React re-render optimization, Three.js rendering performance, useMemo/useCallback, bundle size, 60 fps profiling, Lighthouse budgets

2026-04-1711

react-threejs-game.md

from "Hack23/game"

Three.js game development with React using @react-three/fiber and @react-three/drei — strict TypeScript, 60 fps, accessible

2026-04-1711

security-by-design.md

from "Hack23/game"

Defense-in-depth security principles — OWASP Top 10 prevention, input validation, secure error handling, encryption, least privilege

2026-04-1711

testing-strategy.md

from "Hack23/game"

Vitest + Cypress + RTL — deterministic tests, ≥80% line / ≥70% branch coverage, ≥95% on security code, Three.js component testing

2026-04-1711

package.json

"author": "Hack23"

"repository": "Hack23/game"

打开 GitHub 仓库查看创作者相关仓库

$ install --global

$ download --local

在 Manus 中运行

$ useful --forSOC

合规官员商业与金融运营类职业13-1041L4

ISMS Compliance Skill

Context

Applies when adding features, dependencies, or security controls; editing security code; documenting architecture; touching CI/CD; or handling any sensitive data.

All practices align with Hack23 AB's ISMS-PUBLIC, implementing ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1, GDPR, NIS2, and EU CRA readiness.

Policy Catalogue (cite the one that applies)

Concern

Policy

Overarching governance / incident / transparency

Information Security Policy

SDLC / CI / testing / deployment / threat modeling

Secure Development Policy

Dependencies / licenses / SBOM / supply chain

Open Source Policy

Auth / identity / access

Access Control Policy

Encryption / keys / hashing

Cryptography Policy

Data handling / classification

Data Classification Policy

Personal data / GDPR

STRIDE / abuse cases / MITRE ATT&CK

Threat Modeling

Vulnerability triage + patch SLAs

Vulnerability Management

Copilot / LLM / MCP governance

AI Policy

Agent / MCP / workflow edits

Change Management

BCP / DR / backup

Business Continuity / Disaster Recovery / Backup Recovery

Rules

Reference ISMS Policies — security-relevant code, docs, and PRs must cite the applicable policy (e.g., "ISMS: SDP §Phase 3")

Defense in Depth — stack validation + sanitization + encoding + CSP + headers

Document Decisions — ADRs and threat models cite ISMS policies

Verify Dependencies — npm audit + npm run test:licenses + GitHub Advisory DB before adding

Security Headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options (see SECURITY_HEADERS.md)

Secure Defaults — unused features off; risky options explicit opt-in

Least Privilege — minimum token scopes, minimum workflow permissions, minimum tool scopes

Validate All Inputs — never trust user input (validate / sanitize / encode)

Encrypt Sensitive Data — AES-256 at rest, TLS 1.3+ in transit, SHA-256+ hashing

Log Security Events — auth, authorization failures, security-relevant events; never secrets/PII

Secure SDLC — security baked into design → dev → test → deploy → operate

Test Security Controls — ≥ 95 % coverage on security-sensitive paths

Patch within SLA — Critical ≤ 7 d, High ≤ 30 d, Medium ≤ 90 d

No Production Data in Tests — anonymize / synthesize

Secure SDLC Phase Gates (per SDP)

Phase

Gate

Plan & Design

Classification (CIA triad) + threat model + policy links

Develop

OWASP-aligned, typed, no hardcoded secrets, least-privilege tokens

Test

CodeQL clean, npm audit clean, coverage ≥ 80 / 70 (≥ 95 % security)

Deploy

SHA-pinned Actions, SLSA L3 attestations, SBOM + SBOMQS ≥ 7.0

Operate

Scorecard ≥ 8.0, Dependabot green, patch SLAs honored, incident drills

Compliance Framework Mapping

ISO 27001:2022 — A.5.23, A.5.30, A.8.25, A.8.28, A.8.29, A.8.30, A.8.31, A.8.32

NIST CSF 2.0 — GV (govern), ID.AM, PR.DS, PR.IR, DE.CM, RS.AN, RC.RP

CIS Controls v8.1 — 2, 3, 4, 6, 7, 8, 11, 16, 18

EU CRA — SBOM, CVE handling, security updates, conformity self-assessment

Example: ISMS-Cited Code

/** * Persist the high score. * ISMS: Secure Development Policy §Phase 2 — Secure Coding (input validation) * ISMS: Data Classification Policy — local-only, non-PII * Compliance: ISO 27001:2022 A.8.28, NIST CSF PR.DS-1 */ export function saveHighScore(score: number): void { if (!Number.isFinite(score) || score < 0) { throw new RangeError('Invalid score value'); } localStorage.setItem('highScore', String(Math.floor(score))); }

Validation Checklist

Applicable ISMS policy cited in code, commit, or PR description

Threat model reviewed if attack surface changed (STRIDE)

Dependency audit clean; licenses approved

Security coverage ≥ 95 % on changed security code

CodeQL + Scorecard + Dependabot status green

No PII / production data in code, fixtures, or tests

Docs updated (README / ISMS_POLICY_MAPPING.md / SECURITY.md as applicable)

isms-compliance

ISMS Compliance Skill

Context

Policy Catalogue (cite the one that applies)

Rules

Secure SDLC Phase Gates (per SDP)

Compliance Framework Mapping

Example: ISMS-Cited Code

Validation Checklist

同仓库更多 Skills

同仓库更多 Skills

ISMS Compliance Skill

Context

Policy Catalogue (cite the one that applies)

Rules

Secure SDLC Phase Gates (per SDP)

Compliance Framework Mapping

Example: ISMS-Cited Code

Validation Checklist