gdpr-compliance (grc-skills marketplace)

Category: compliance · Platform: Claude Code · Author: Hemant Naik

Summary

GDPR compliance assistant — code and system audits, privacy notice drafting, DPAs, DPIAs, data flow reviews, and authoritative article-cited Q&A.

Install to Claude Code

/plugin install gdpr-compliance@grc-skills

Run in Claude Code. Add the marketplace first with /plugin marketplace add Sushegaad/Claude-Skills-Governance-Risk-and-Compliance if you haven't already.

README.md

Claude Skills for Governance, Risk & Compliance (GRC)

Expert-level compliance guidance for ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, NIST CSF, PCI DSS, TSA Cybersecurity, ISO 42001 AI Management System, ISO 27701 Privacy Information Management, DORA Digital Operational Resilience, India's Digital Personal Data Protection Act (DPDPA), CMMC 2.0 Cybersecurity Maturity Model Certification, NIST AI Risk Management Framework, SWIFT Customer Security Programme (CSP), Australian Information Security Manual (ISM), EU NIS2 Directive, CCPA/CPRA California Privacy, ITAR (International Traffic in Arms Regulations), Brazil's LGPD (Lei Geral de Proteção de Dados), EU CSRD (Corporate Sustainability Reporting Directive), CIS Controls v8 (CIS Top 18), EAR (Export Administration Regulations), NIST SP 800-53 (Security and Privacy Controls for Federal Systems), EU AI Act (Regulation (EU) 2024/1689), Section 508 (US Federal ICT Accessibility), WCAG (Web Content Accessibility Guidelines), NZISM (New Zealand Information Security Manual), Vietnam PDPL (Law on Personal Data Protection No. 91/2025/QH15), and EU CRA (Cyber Resilience Act, Regulation (EU) 2024/2847) — powered by Claude Skills.

Benchmarked across 150 test cases using the eval framework — each graded against 5 verifiable assertions by independent agents. Skills scored 97% vs a baseline of 81% across 675 total assertions.

Release: v1.3.0 · License: MIT · Skills: 30 · Built with Claude · GitHub: https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance

---

What Are Claude Skills?

Claude Skills are installable knowledge packages that extend Claude's capabilities for specific domains. A skill is a .skill file — a bundled archive containing a SKILL.md instruction file and optional reference materials — that you upload to Claude once and use across all your conversations.

Once installed, a skill activates automatically when your conversation touches its topic area. You don't need to invoke it by name or use special commands. Claude simply becomes a deeper expert in that domain for the duration of your session.

Skills are ideal when you need:

  • Consistent, expert-level responses on a specialized topic
  • Outputs formatted to professional or regulatory standards (e.g., audit-ready control narratives, policy templates with the right clauses)
  • Domain knowledge that goes beyond general LLM training — such as knowing which specific NIST 800-53 controls apply to a given scenario, or which GDPR articles govern international data transfers

How skills work under the hood: Each .skill file contains a primary SKILL.md that is loaded into Claude's context when the skill triggers, plus reference files that are loaded on demand for deeper sub-topics. This "progressive disclosure" pattern keeps context usage efficient while making comprehensive knowledge available when needed.

Demo video (Claude Skills for GRC Demo): https://www.youtube.com/embed/-IBLNR0N2vE

---

Who Is This For?

These skills are designed for professionals who work on information security, privacy, and regulatory compliance — whether at organizations seeking certification, development teams building compliant systems, or advisors supporting clients.

Security & Compliance Teams use these skills to accelerate gap assessments, generate first-draft policies, map controls, and prepare evidence packages — compressing weeks of reference work into minutes.

Software Developers & Engineers use them to understand what controls their systems must implement, audit code and architecture for compliance issues, and get actionable technical guidance tied to specific regulatory requirements.

Legal, Privacy & GRC Professionals use them to draft regulatory documents (DPAs, BAAs, privacy notices), answer client questions with precise regulatory citations, and stay current on framework requirements.

Healthcare Organizations use the HIPAA skill to assess systems, generate required notices and agreements, and train staff on obligations — without needing a compliance consultant for every question.

Cloud Service Providers pursuing federal government contracts use the FedRAMP skill to navigate the ATO process, write SSP narratives, manage POA&Ms, and prepare for 3PAO assessments.

Startups and SMBs use these skills to understand what a given framework requires of them, scope their compliance programs, and get expert-quality output without a large in-house team.

---

The Skills

1. ISO 27001

File: ISO 27001 - Claude Skill/iso27001.skill

The ISO 27001 skill turns Claude into an expert ISO 27001 Lead Auditor and ISMS implementation consultant. It covers both ISO 27001:2013 (114 controls, 14 domains) and ISO 27001:2022 (93 controls, 4 themes), defaulting to the current 2022 version.

What it does:

  • Runs structured gap analyses against mandatory clauses (4–10) and all Annex A controls
  • Generates complete, audit-ready policy documents with document control blocks, scope statements, and clause-to-control mappings
  • Provides step-by-step control implementation guidance for any Annex A control
  • Builds risk registers and risk treatment plans using the likelihood × impact methodology
  • Creates Statement of Applicability (SoA) templates covering all 93 controls
  • Guides 2013 → 2022 transition, explaining the 11 new controls and mapping changes

Trigger phrases: ISO 27001, ISMS, Annex A, Statement of Applicability, SoA, gap analysis, risk register, certification readiness, internal audit

---

2. SOC 2

File: SOC 2 - Claude Skill/soc2.skill

The SOC 2 skill turns Claude into an expert SOC 2 compliance advisor grounded in the AICPA 2017 Trust Services Criteria (TSC) with the 2022 Revised Points of Focus. It covers all five trust services categories: Security (CC1–CC9), Availability (A1), Confidentiality (C1), Processing Integrity (PI1), and Privacy (P1–P8).

What it does:

  • Conducts gap analyses across in-scope TSC criteria with 🔴/🟡/🟢 status ratings and remediation roadmaps
  • Drafts all 12 core SOC 2 policies (Information Security, Access Control, Incident Response, Change Management, Risk Assessment, Vendor Management, BCP/DR, and more)
  • Documents controls in auditor-ready format: Control ID, TSC criterion, type, owner, frequency, evidence, and test procedure
  • Produces evidence checklists mapped to each criterion, with sampling guidance for Type 1 vs Type 2 audits
  • Handles vendor risk: tiering, 32-question security questionnaires, SOC 2 report review, CUEC tracking, and contractual requirements
  • Adapts its tone — plain-language for first-time SOC 2 teams, technical AICPA-coded output for practitioners and auditors

Trigger phrases: SOC 2, Trust Services Criteria, TSC, CC6, Type 1, Type 2, AICPA, audit readiness, control statement, evidence

---

3. FedRAMP [US]

File: FedRamp - Claude Skill/fedramp.skill

The FedRAMP skill turns Claude into a knowledgeable FedRAMP advisor covering the full authorization lifecycle for Cloud Service Providers (CSPs) under the current NIST SP 800-53 Rev 5 baseline. It is current as of 2025–2026, incorporating the Rev 5 transition, the September 2026 OSCAL mandate, and December 2024 template updates.

What it does:

  • Conducts readiness and gap assessments using a 75+ item checklist across 14 security domains
  • Guides authoring of ATO documentation: System Security Plans (SSP), POA&Ms, SAPs, SARs, and all required appendices (A–Q)
  • Maps NIST 800-53 Rev 5 controls across all 20 control families to specific system implementations
  • Provides cloud architecture guidance for AWS GovCloud, Azure Government, and Google Cloud Government
  • Supports Continuous Monitoring (ConMon) obligations: monthly deliverables, POA&M SLA management, deviation requests
  • Guides the Rev 4 → Rev 5 transition, FIPS 199 impact level scoping, and OSCAL readiness

Trigger phrases: FedRAMP, ATO, SSP, POA&M, 3PAO, NIST 800-53, ConMon, AWS GovCloud, Azure Government, impact level, OSCAL

---

4. 🇪🇺 GDPR [EU]

File: GDPR - Claude Skill/gdpr-compliance.skill

The GDPR skill turns Claude into an expert GDPR compliance assistant that bridges technical and legal perspectives. It covers the full EU GDPR, with notes on where the UK GDPR and the Data Protection Act 2018 differ, and adapts its tone automatically: technical for developers, legally precise for compliance and privacy professionals.

What it does:

  • Audits code, APIs, database schemas, and architectures for GDPR violations, producing severity-graded findings (🔴/🟡/🟢) mapped to specific GDPR articles
  • Drafts compliance documents from built-in templates: Privacy Notices (Art. 13/14), Data Processing Agreements (Art. 28), Cookie/Consent Banners, DPIAs (Art. 35), Data Retention Policies, and Data Subject Rights Procedures
  • Answers compliance questions with authoritative article citations — every response leads with the governing article, then exceptions, then practical implications
  • Reviews data flows and PII handling across six dimensions (what, why, where, who, how long, how protected) and checks alignment with RoPA requirements
  • Covers all key GDPR areas: lawful basis, consent, data subject rights (Arts. 15–22), international transfers (Arts. 44–49), security of processing and breach notification (Arts. 32–34), special category and criminal-offence data (Arts. 9–10), and remedies, liability and penalties (Arts. 77–84)

Trigger phrases: GDPR, data protection, privacy, personal data, DPA, DPIA, lawful basis, data subject rights, consent, RoPA, Schrems II, ICO, EDPB

---

5. HIPAA [US]

File: HIPAA - Claude Skill/hipaa-compliance.skill

The HIPAA skill turns Claude into a knowledgeable HIPAA compliance advisor covering the Privacy Rule, Security Rule, and Breach Notification Rule (45 CFR Parts 160 and 164, as amended by HITECH). It serves both technical teams building systems that handle ePHI and compliance/legal teams managing organizational obligations.

What it does:

  • Reviews documents, systems, and architectures for HIPAA compliance, producing structured findings with CFR citations, risk levels (High / Medium / Low), and remediation steps
  • Generates HIPAA-compliant documents from nine ready-to-use templates: Notice of Privacy Practices (NPP), Business Associate Agreements (BAA), Authorization Forms, Workforce Training Acknowledgments, Security Incident Reports, Risk Analysis Templates, and more — all with inline CFR citations
  • Advises on technical safeguards for modern cloud environments (AWS, Azure, GCP), FHIR APIs, mobile/BYOD, and DevOps pipelines — covering all 54 Security Rule implementation specifications (Required and Addressable)
  • Explains HIPAA in plain language for any audience — from developers needing encryption guidance to general staff learning what counts as PHI
  • Guides breach response using the 4-factor risk assessment, notification timelines, HHS reporting obligations, and scenario-by-scenario guidance

Trigger phrases: HIPAA, PHI, ePHI, covered entity, business associate, BAA, NPP, breach notification, minimum necessary, Privacy Rule, Security Rule

---

6. NIST CSF

File: NIST Cybersecurity framework - Claude Skill/NIST Cybersecurity.skill

The NIST CSF skill turns Claude into an expert NIST Cybersecurity Framework advisor covering both CSF 2.0 (February 2024) and CSF 1.1 (April 2018), defaulting to the current CSF 2.0. It covers all six functions — Govern, Identify, Protect, Detect, Respond, Recover — including the new Govern function introduced in CSF 2.0.

What it does:

  • Conducts structured gap assessments across all six CSF 2.0 functions, categories, and subcategories
  • Builds Organisational Profiles — Current and Target — aligned to business context, risk tolerance, and regulatory obligations
  • Assesses Implementation Tiers (1–4) across three dimensions and provides targeted advancement guidance
  • Creates prioritised implementation roadmaps with phased 30/60/90-day and strategic actions
  • Maps CSF subcategories to NIST SP 800-53, ISO 27001:2022, and CIS Controls v8
  • Generates policies aligned to CSF functions — governance policy, incident response, data security, access control, and more
  • Guides CSF 1.1 → CSF 2.0 migration with a detailed subcategory mapping and migration checklist

Trigger phrases: NIST CSF, Cybersecurity Framework, CSF 2.0, Govern function, GV.SC, ID.AM, PR.AA, DE.CM, RS.MA, RC.RP, cybersecurity profile, implementation tiers, CSF gap assessment

---

7. PCI DSS

File: PCI Compliance - Claude Skill/PCI-Compliance.skill

The PCI DSS skill turns Claude into an expert PCI DSS compliance advisor covering PCI DSS v4.0.1 (June 2024 — current version), including all requirements that became mandatory on March 31, 2025. It covers all 12 requirements, all 8 SAQ types, merchant and service provider levels, and key v4.0 changes from v3.2.1.

What it does:

  • Scopes the Cardholder Data Environment (CDE) — identifies what's in scope, assesses network segmentation, and recommends scope reduction via tokenisation or P2PE
  • Selects the correct SAQ type — walks through the decision tree for SAQ A, A-EP, B, B-IP, C, C-VT, P2PE, and D with rationale
  • Conducts structured gap assessments across all 12 requirements with QSA evidence requirements and common gaps
  • Provides control implementation guidance for any PCI DSS sub-requirement — what to implement, evidence needed, and common pitfalls
  • Generates PCI DSS-aligned policies — incident response, access control, cryptography, patch management, data retention, and more
  • Guides v3.2.1 → v4.0.1 migration including new requirements for MFA expansion, payment page script integrity (Req 6.4.3), phishing protection (Req 5.4.1), and automated log review (Req 10.4.1.1)
  • Explains Defined vs Customised Approach and when to use Targeted Risk Analysis (TRA)

Trigger phrases: PCI DSS, PCI compliance, cardholder data, CDE, SAQ, ROC, QSA, ASV scan, PAN, tokenisation, P2PE, merchant level, payment page, Req 8.4.2, Req 6.4.3

---

8. 🚨 TSA Cybersecurity [US]

File: TSA Compliance - Claude Skill/TSA-Compliance.skill

The TSA Cybersecurity skill turns Claude into an expert TSA cybersecurity directive advisor for critical transportation infrastructure. It covers all current TSA Security Directive series — SD Pipeline-2021-01G, SD Pipeline-2021-02F, SD 1580-21-01E (freight rail), and SD 1582-21-01E (transit/passenger rail) — plus the November 2024 NPRM proposing to formalise these directives as permanent federal regulations.

> Note on SSI: TSA Security Directives are designated Sensitive Security Information (SSI) under 49 CFR Part 1520, so their full text is not publicly released. This skill is built from publicly available summaries, Federal Register notices, and DHS/CISA publications, not the SSI-marked directive text. Covered entities receive the actual directive directly from TSA, and should treat the directive as the authoritative source wherever this skill's guidance and the directive differ.

What it does:

  • Determines applicability — which directive series applies to your organisation (pipeline, freight rail, transit, or bus) and what that means for your compliance obligations
  • Runs structured gap assessments across the four technical domains: IT/OT network segmentation, access controls (MFA), continuous monitoring, and patch management
  • Drafts Cyber Risk Management Program (CRMP) documents: Cybersecurity Implementation Plan (CIP/COIP), Incident Response Plan (IRP), Architecture Design Review (ADR), and Cybersecurity Assessment Plan (CAP)
  • Guides OT/ICS-specific implementation — data diodes, jump servers for legacy HMIs, passive monitoring tools (Claroty, Dragos, Nozomi), OT patch lifecycle with vendor coordination
  • Explains 24-hour CISA incident reporting obligations: what qualifies, how to report, sample initial report language, and CIRCIA overlap
  • Advises on annual IRP testing — two objectives minimum, test scenarios, documentation requirements, and after-action review process
  • Explains the 2024 NPRM impact: NIST CSF 2.0 alignment, CISA CPG baseline, proposed COIP structure, and what changes when the rule is finalised

Trigger phrases: TSA Security Directive, SD Pipeline-2021, SD 1580-21-01, SD 1582-21-01, TSA cybersecurity, Critical Cyber Systems, CCS, Cybersecurity Coordinator, Cybersecurity Implementation Plan, CIP, CRMP, IRP testing, Architecture Design Review, ADR, CAP, CISA 24-hour reporting, OT segmentation TSA, pipeline cybersecurity, rail cybersecurity directive, transit cybersecurity, TSA NPRM 2024

---

9. ISO 42001 AI Management System

File: ISO 42001 - Claude Skill/ISO-42001.skill

The ISO 42001 skill turns Claude into an expert ISO/IEC 42001:2023 AI Management System (AIMS) advisor — the world's first international standard for AI governance. It serves both AI providers (organisations that develop or deploy AI) and AI users (organisations integrating third-party AI), covering the full certification lifecycle from gap assessment through Stage 2 audit readiness.

What it does:

  • Conducts structured gap assessments across all mandatory clauses (4–10) and all 38 Annex A controls (domains A.2–A.10) with 🔴/🟡/🟢 status, evidence requirements, and a phased remediation roadmap
  • Guides the mandatory AI System Impact Assessment (AISIA) step by step — identifying affected populations, assessing impact dimensions (severity, reversibility, breadth, human oversight), classifying impact level (Low/Medium/High), and determining proportionate control requirements
  • Performs AI risk assessment across all risk categories: model risks (bias, drift, hallucination, adversarial attacks), data risks (quality, poisoning, privacy in training data), operational risks (scope creep, human over-reliance), and supply chain risks (third-party model risk, API dependencies)
  • Generates a complete Statement of Applicability (SoA) covering all 38 Annex A controls (A.2.2–A.10.4) with applicability decisions, justifications, and implementation status
  • Drafts all core AIMS policies — AI Policy, AI Risk Management Policy, AI Acceptable Use Policy, Data Governance for AI Policy, AI Incident Management Policy, AI System Lifecycle Policy, and AI Supplier Management Policy — each with document control blocks and clause citations
  • Produces Stage 1 and Stage 2 audit checklists with RAG status, evidence requirements per clause, and common auditor focus areas
  • Maps ISO 42001 to the EU AI Act — aligns AISIA to the Fundamental Rights Impact Assessment (FRIA) for high-risk AI systems; maps Annex A controls to EU AI Act technical requirements
  • Integrates ISO 42001 with ISO 27001 for organisations building a unified ISMS + AIMS

Trigger phrases: ISO 42001, ISO/IEC 42001, AI Management System, AIMS, AISIA, AI System Impact Assessment, responsible AI standard, AI governance standard, Annex A AI controls, AI risk assessment ISO, Statement of Applicability AI, AI policy ISO, AI certification, AI lifecycle controls, AI supplier management ISO, EU AI Act management system, NIST AI RMF ISO mapping, AI bias controls, AI transparency standard, AI incident management ISO

---

10. ISO 27701 Privacy Information Management

File: ISO 27701 - Claude Skill/iso27701.skill

The ISO 27701 skill turns Claude into an expert ISO/IEC 27701:2025 Privacy Information Management System (PIMS) advisor — covering the full lifecycle from gap assessment through certification. It handles both ISO 27701:2025 (the new standalone edition) and ISO 27701:2019 (the legacy ISO 27001 extension), and covers both PII controllers and PII processors.

What it does:

  • Conducts structured gap analyses across all mandatory HLS clauses (4–10) and all 78 Annex A controls — 31 for PII controllers (A.1), 18 for PII processors (A.2), and 29 shared security controls (A.3)
  • Generates complete, audit-ready PIMS policy documents — Privacy Policy, Records of Processing Activities (RoPA), Data Subject Rights Procedure, Privacy by Design Procedure, Data Processing Agreements (DPAs), and more
  • Builds privacy risk registers focused on harm to PII principals, triggers DPIAs for high-risk processing, and produces risk treatment plans
  • Creates Statements of Applicability (SoA) scoped to the organization's role (controller, processor, or both) with applicability decisions and justification
  • Provides control-by-control implementation guidance for every A.1, A.2, and A.3 control — with purpose, implementation steps, audit evidence, and common pitfalls
  • Guides 2019 → 2025 transitions with a full control mapping table, gap analysis checklist, and recommended timeline to the October 2028 deadline
  • Maps ISO 27701 to GDPR article by article, plus CCPA/CPRA, LGPD, PIPEDA, PDPA (Singapore/Thailand), and UK GDPR

Trigger phrases: ISO 27701, PIMS, privacy information management, PII controller, PII processor, privacy risk assessment, DPIA, data subject rights, records of processing activities, RoPA, privacy by design, data processing agreement, DPA, GDPR alignment ISO 27701, ISO 27701:2025, ISO 27701:2019, 27701 transition, standalone PIMS, Annex A controller controls, Annex A processor controls

---

11. DORA [EU] — Digital Operational Resilience

File: DORA - Claude Skill/dora.skill

The DORA skill turns Claude into an expert advisor on Regulation (EU) 2022/2554 (the Digital Operational Resilience Act), the ICT risk regulation that has applied to EU financial entities since 17 January 2025. It encodes all 64 DORA articles and all 12 adopted RTS/ITS, and provides article-level guidance for every compliance workflow. It explicitly separates DORA from NIS2, the legacy EBA ICT guidelines, and ISO 27001, a common source of conflation in general LLM responses.

What it does:

  • Conducts structured DORA gap analyses across all four pillars: ICT risk management framework (Chapter II, Art. 5–16), incident management (Chapter III, Art. 17–23), resilience testing / TLPT (Chapter IV, Art. 24–27), and ICT third-party risk (Chapter V, Art. 28–44)
  • Guides ICT-related incident classification against Art. 18 criteria and the materiality thresholds in CDR (EU) 2024/1772, with a full decision tree for major vs. non-major
  • Builds three-stage incident reporting procedures per Art. 19 and CDR (EU) 2025/301 — initial (4h), intermediate (72h), final (1 month) — including content requirements at each stage
  • Reviews and drafts contractual provisions per Art. 30(2)(a)–(i), flagging the common audit-rights gap with hyperscale cloud providers
  • Builds or validates the Register of Information with all mandatory fields per CIR (EU) 2024/2956
  • Assesses ICT concentration risk per Art. 28(6) and Art. 29 — including multi-function reliance on a single cloud provider
  • Scopes TLPT programmes per Art. 26 and CDR (EU) 2025/1190, covering threat intelligence phase, red team test, mutual recognition, and tester qualification requirements
  • Drafts ICT risk management framework documentation per Art. 6–14 and CDR (EU) 2024/1774
  • Precisely distinguishes Chapter II (proactive ICT risk governance) from Chapter III (reactive incident management) — a common compliance confusion point
  • References all 12 adopted RTS/ITS by exact regulation number (CDR/CIR) with article-level mapping

Trigger phrases: DORA, Regulation (EU) 2022/2554, digital operational resilience, ICT risk management framework, DORA gap analysis, Art. 6 DORA, Art. 17 ICT incident, Art. 18 classification, Art. 19 incident reporting, Art. 26 TLPT, Art. 28 third-party risk, Art. 30 contractual provisions, Register of Information, CIR 2024/2956, CDR 2024/1772, CDR 2024/1773, CDR 2024/1774, CDR 2025/301, CDR 2025/1190, TLPT financial entities, ICT concentration risk, critical ICT TPSP, DORA vs NIS2, EBA ICT guidelines DORA, DORA incident classification, DORA reporting timelines, Chapter II DORA, Chapter III DORA

---

12. 🇮🇳 DPDPA [India] — Digital Personal Data Protection Act

File: DPDPA - Claude Skill/dpdpa.skill

The DPDPA skill turns Claude into an expert advisor on India's Digital Personal Data Protection Act, 2023 and the finalized DPDP Rules, 2025 (notified 13 November 2025, effective 13 May 2027). It covers all 44 sections of the Act and all 23 Rules, with precise section-level citations, GDPR-alignment mapping, and guidance calibrated for both Indian companies and global organizations with Indian data subjects.

What it does:

  • Conducts structured DPDPA gap analyses covering notice and consent (Sections 5–6 + Rules 3–4), lawful processing (Section 7), Data Fiduciary obligations (Section 8 + Rules 6–9), children's data (Section 9 + Rules 10–12), and SDF obligations (Section 10 + Rule 13)
  • Distinguishes DPDPA from GDPR across 8 key dimensions — scope (digital-only vs. all personal data), lawful bases (no legitimate interests in DPDPA), consent standard (unconditional + no bundling), cross-border transfers (blacklist vs. whitelist), erasure right (narrower in DPDPA), DPO requirements (SDFs only; India-resident), children's threshold (18 years vs. 16), and enforcement model (single Board vs. multi-DPA)
  • Guides notice design per Rule 3 — standalone format, plain language, multi-language obligations (Eighth Schedule), and legacy data notice requirements for pre-commencement data
  • Advises on the two lawful bases only — Consent (Section 6) and the nine Certain Legitimate Uses (Section 7) — and identifies GDPR processing activities that require fresh consent under DPDPA
  • Guides breach notification per Section 8(6) and Rule 6 — 72-hour Board notification timeline, content requirements, Processor notification obligations, and the difference from GDPR's risk-threshold approach (all breaches notifiable to Board)
  • Designs children's data compliance programmes — 18-year threshold, Rule 12 parental verification methods (DigiLocker, government tokens, existing verified data, virtual tokens), and absolute prohibitions on tracking/profiling/targeted advertising
  • Advises Significant Data Fiduciaries (SDFs) on additional obligations — India-resident DPO (Section 10 + Rule 13(2)), annual DPIA (Rule 13(3)), annual independent audit (Rule 13(4)), and data localisation readiness
  • Guides Data Principal rights fulfilment — access (Section 11), correction/erasure (Section 12), grievance redressal (Section 13 — mandatory exhaustion before Board complaint), and the unique right to nominate (Section 14)
  • Advises on cross-border transfers — blacklist approach (Section 16), no countries currently notified as restricted (April 2026), and contractual safeguards recommended despite absence of formal restrictions
  • Advises global organisations on their territorial obligations — India-nexus test (Section 3), GDPR compliance gaps that don't satisfy DPDPA, and GDPR-to-DPDPA migration priorities

Trigger phrases: DPDPA, Digital Personal Data Protection Act, India data protection, Data Fiduciary, Data Principal, Significant Data Fiduciary, SDF, Data Protection Board of India, DPBI, DPDP Rules 2025, Section 5 DPDPA, Section 6 DPDPA, Section 7 DPDPA, Section 8 DPDPA, Section 9 DPDPA, Section 10 DPDPA, Rule 3 DPDP, Rule 6 DPDP breach notification, Rule 12 parental consent, India privacy law, India digital privacy, DPDPA gap analysis, DPDPA vs GDPR, India data law, MeitY data protection, DigiLocker consent, India children data law, DPDPA consent requirements, DPDPA breach notification, India cross-border data transfer

---

13. CMMC 2.0 [US] — Cybersecurity Maturity Model Certification

File: CMMC - Claude Skill/cmmc.skill

The CMMC 2.0 skill turns Claude into an expert CMMC compliance advisor for US defense contractors navigating the Cybersecurity Maturity Model Certification program. It covers all three CMMC levels — Level 1 (the 15 basic safeguarding requirements of FAR 52.204-21), Level 2 (the 110 NIST SP 800-171 Rev 2 requirements), and Level 3 (Level 2 plus 24 selected NIST SP 800-172 requirements) — under the final 32 CFR Part 170 rule (effective December 16, 2024).

What it does:

  • Determines the correct CMMC level for a given contract based on FCI vs. CUI handling, DFARS clauses present (7012, 7019, 7020, 7021), and program criticality
  • Conducts structured gap assessments across all 14 Level 2 domains — AC, AT, AU, CM, IA, IR, MA, MP, PE, PS, RA, CA, SC, SI (the NIST SP 800-171 Rev 2 requirement families) — against the full 110-practice set for Level 2
  • Drafts complete System Security Plans (SSP) covering system boundary definition, CUI data flow diagrams, and control implementation narratives for all 110 practices
  • Calculates and explains the SPRS score (starting at 110; each unmet practice deducts its DoD Assessment Methodology weight of 5, 3 or 1 points; range −203 to +110) and prioritises the highest-weighted gaps (MFA, FIPS-validated cryptography, CUI flow control, audit logging)
  • Manages the POA&M lifecycle — identifies which practices can remain in a POA&M at certification, drafts remediation milestones, and tracks the 180-day closure deadline
  • Scopes CUI — identifies which systems, people, and processes are in-scope, recommends enclave strategies to reduce scope, and flags FedRAMP Moderate requirements for cloud services handling CUI
  • Prepares for C3PAO assessments — explains the four-phase assessment process (documentation review, assessment activities, findings, certification decision), lists required evidence per practice type, and identifies the 7 critical practices that block conditional certification
  • Explains DFARS clause obligations: 72-hour DIBNET incident reporting (DFARS 252.204-7012), SPRS self-assessment submission, and flow-down requirements to subcontractors under DFARS 252.204-7021

Trigger phrases: CMMC, CMMC 2.0, CMMC Level 2, CUI, Controlled Unclassified Information, NIST 800-171, DFARS 7021, DFARS 252.204-7021, C3PAO, SPRS score, defense contractor, DIB, DoD contractor, FCI, SSP CMMC, POA&M CMMC, gap analysis CMMC, DIBCAC, CUI scoping, 32 CFR Part 170

---

14. 🤖 NIST AI Risk Management Framework

File: NIST AI RMF - Claude Skill/nist-ai-rmf.skill

The NIST AI RMF skill turns Claude into an expert advisor on the NIST AI Risk Management Framework (AI RMF 1.0), published January 2023 as NIST AI 100-1. It covers all four core functions — GOVERN, MAP, MEASURE, and MANAGE — with their 19 categories and subcategories, the AI RMF Playbook's suggested actions, and deep guidance on evaluating AI systems for trustworthiness.

What it does:

  • Builds AI organizational profiles — Current Profile (where you are) and Target Profile (where you want to be) across all 19 categories with gap scoring and a prioritised remediation roadmap
  • Conducts GOVERN gap assessments across all 6 categories (GV-1 to GV-6) — AI risk policies, accountability structures, roles, cross-functional teams, risk tolerance, and regulatory alignment
  • Guides MAP context-setting for any AI system — intended use documentation, affected stakeholder mapping, risk/benefit analysis, and likelihood/impact characterization
  • Specifies MEASURE 2.x evaluation actions before deployment — bias/fairness testing (demographic parity, equalized odds, disparate impact), explainability (SHAP, LIME, counterfactuals), adversarial robustness, privacy assessment, and human oversight validation
  • Builds AI risk registers with per-risk AI RMF category citations (e.g., MAP 5.2, MEASURE 2.2, MANAGE 2.3), trustworthiness property at risk, treatment options, and owners
  • Provides MANAGE incident response guidance — model failure triggers, containment procedures, stakeholder notification thresholds, and lessons-learned cycles
  • Maps AI RMF to ISO 42001, EU AI Act, and NIST CSF — showing which AI RMF categories satisfy Art. 9 (EU AI Act risk management system), equivalent ISO 42001 clauses, and how AI RMF extends NIST CSF beyond cybersecurity into societal and ethical AI risk

Trigger phrases: NIST AI RMF, AI RMF, NIST AI 100-1, AI Risk Management Framework, GOVERN function, MAP function, MEASURE function, MANAGE function, AI RMF Playbook, AI risk profile, AI trustworthiness, AI bias assessment, AI explainability, MEASURE 2.2, AI risk register, AI organizational profile, responsible AI framework, AI governance framework, AI incident response, AI RMF gap assessment

---

15. 🏦 SWIFT Customer Security Programme (CSP)

File: SWIFT CSP - Claude Skill/swift-csp.skill

The SWIFT CSP skill turns Claude into an expert advisor on the SWIFT Customer Security Controls Framework (CSCF) v2025 — the mandatory cybersecurity programme for all SWIFT network participants. It covers all 31 controls (23 mandatory + 8 advisory), all five architecture types (A1/A2/A3/A4/B), the KYC-SA annual attestation process, and complete cross-framework mappings to ISO 27001:2022, PCI DSS v4.0.1, and NIST CSF 2.0.

What it does:

  • Determines the correct SWIFT architecture type (A1/A2/A3/A4/B) from a description of the organisation's SWIFT connectivity and produces the full mandatory/advisory control applicability matrix
  • Conducts structured CSCF v2025 gap assessments with 🔴/🟡/🟢 status per control, evidence requirements, and prioritised remediation roadmaps
  • Provides deep-dive implementation guidance for all 23 mandatory controls — purpose, requirements, step-by-step implementation, and audit evidence artifacts
  • Guides the complete KYC-SA attestation process — evidence preparation per control, independent assessor qualification criteria, portal submission steps, and post-submission counterparty visibility
  • Advises on the CSCF v2024 → v2025 changes: critical patch SLA tightened from 7 to 3 days, hardware MFA token requirement explicitly mandated, log retention clarified (1 year online, 3 years total)
  • Provides SWIFT-specific incident response guidance — 24-hour initial notification to security@swift.com, 30-day full report, evidence preservation, and IRP content requirements for Control 7.1
  • Explains Type B (service bureau) responsibilities — the split between bureau and customer obligations, and how to verify your bureau's KYC-SA attestation
  • Maps CSCF controls to ISO 27001:2022, PCI DSS v4.0.1, and NIST CSF 2.0 — identifying both synergies and SWIFT-specific additions not covered by existing certifications

Trigger phrases: SWIFT CSP, CSCF, KYC-SA, SWIFT security attestation, Alliance Access, SWIFT operator MFA, SWIFT secure zone, SWIFT secure flow zone, CSCF v2025, Control 4.2 SWIFT, Control 6.4 SWIFT, Control 7.1 SWIFT, SWIFT architecture type A1, SWIFT service bureau, Type B SWIFT, SWIFT incident response, SWIFT gap assessment, SWIFT mandatory controls, SWIFT hardware token, SWIFT log retention

---

16. 🇦🇺 ISM [Australia] — Australian Information Security Manual

File: ISM - Claude Skill/ism.skill

The ISM skill turns Claude into an expert advisor on the Australian Information Security Manual — the whole-of-government cybersecurity framework published by the Australian Signals Directorate (ASD) for Australian federal and state government entities and their supply chains. It covers all 22 guideline chapters, the six-step risk management cycle, control applicability markings (NC/OS/PROTECTED/SECRET/TOP SECRET), the IRAP assessment programme, system authorisation, and the Essential Eight relationship.

What it does:

  • Applies the ISM's control applicability marking system — determines which NC/OS/PROTECTED/SECRET/TOP SECRET controls apply to a system and explains the stacking rule (higher classifications cumulate all lower-level controls)
  • Guides the complete system authorisation pathway — defining system boundary, selecting and implementing controls, IRAP assessment, ATO sign-off by the Authorising Official, and ongoing monitoring
  • Prepares agencies for IRAP assessments — artefact checklists (SSP, network diagrams, asset register, risk register, policy suite, control evidence), what to expect during assessment, and the post-assessment POA&M → ATO pathway
  • Provides deep-dive guidance across all 22 ISM guideline chapters: system hardening (Ch. 13), patch management SLAs (Ch. 14), logging/monitoring requirements (Ch. 15), cryptographic standards (Ch. 20), email security (Ch. 18), networking (Ch. 19), and more
  • Explains the Essential Eight as a prioritised ISM subset — maps each of the 8 strategies to their ISM chapters, explains ML0–ML3 maturity levels, and distinguishes between Essential Eight compliance and full ISM compliance
  • Advises private sector suppliers and cloud service providers on their ISM obligations under government contracts and when IRAP assessments are required even for non-government entities
  • Covers approved cryptographic standards (AES-256 for PROTECTED+, TLS 1.2 minimum, SHA-256 minimum, prohibited algorithms) and log retention requirements (18 months minimum for OS/PROTECTED systems)
  • Supports SSP drafting — the System Security Plan structure, required sections, classification, security objectives, and how it feeds the ATO decision

Trigger phrases: ISM, Information Security Manual, ASD cybersecurity, IRAP assessment, IRAP assessor, system authorisation, ATO Australia, PROTECTED system, OFFICIAL Sensitive, NC OS PROTECTED, Essential Eight, ASD compliance, Australian government cybersecurity, ISM controls, ISM gap analysis, ISM chapter, ISM hardening, ISM OSCAL, cyber.gov.au, ASD IRAP

---

17. 🇪🇺 NIS2 [EU] Directive

File: NIS2 - Claude Skill/nis2.skill

The NIS2 skill turns Claude into an expert advisor on the EU NIS2 Directive (Directive (EU) 2022/2555) — the European Union's overarching cybersecurity framework for essential and important entities. In force since 27 December 2022 (transposition deadline 17 October 2024), NIS2 replaces the original NIS1 Directive and significantly expands scope, strengthens incident reporting obligations, introduces management body accountability, and raises maximum penalties to €10M or 2% of global turnover.

What it does:

  • Determines entity classification — Essential Entity (Annex I: 11 highly critical sectors) or Important Entity (Annex II: 7 other critical sectors) — and applies size-threshold analysis to confirm scope
  • Guides compliance with all 10 Art. 21 cybersecurity risk management measures: risk analysis policies, incident handling, BCP/DR/crisis management, supply chain security, secure SDLC and vulnerability management, effectiveness assessment, cyber hygiene training, cryptography, HR security and access control, and MFA/secure communications
  • Walks through the Art. 23 incident reporting workflow: 24-hour early warning, 72-hour incident notification, and 1-month final report — with content requirements for each stage and guidance on significant incident thresholds
  • Explains Art. 20 governance obligations — management body approval, mandatory cybersecurity training, and personal liability under Member State transposition law
  • Performs ISO 27001 gap analysis — maps ISO 27001:2022 Annex A controls to NIS2 Art. 21 measures and identifies gaps where ISO 27001 certification is necessary but not sufficient (Art. 20, Art. 23 timelines, MFA mandate, ENISA supply chain assessments)
  • Advises on EE vs IE supervision differences — Essential Entities face proactive Art. 32 oversight (on-site inspections, security audits); Important Entities face reactive Art. 33 oversight
  • Addresses the DORA lex specialis interaction — explains DORA precedence for financial entities under Art. 4, identifies residual NIS2 obligations, and recommends an integrated compliance programme
  • Calculates penalty exposure (EE: up to €10M or 2% global turnover; IE: up to €7M or 1.4%) and advises on remediation prioritisation to reduce regulatory risk

Trigger phrases: NIS2, NIS 2, Directive EU 2022 2555, essential entity, important entity, NIS2 compliance, NIS2 incident reporting, Article 21 NIS2, Article 23 NIS2, NIS2 gap analysis, NIS2 policy, NIS2 supply chain, NIS2 governance, NIS2 risk management, ENISA NIS2, NIS2 penalties, NIS2 transposition, NIS2 and DORA, NIS2 and ISO 27001, network information security directive

---

18. <img src="https://upload.wikimedia.org/wikipedia/commons/0/01/Flag_of_California.svg" alt="CA" height="16" style="vertical-align:middle;"> CCPA/CPRA [California] Privacy

File: CCPA - Claude Skill/ccpa.skill

The CCPA/CPRA skill turns Claude into an expert advisor on California's comprehensive privacy laws — the California Consumer Privacy Act (CCPA, effective January 1, 2020) and the California Privacy Rights Act (CPRA/Proposition 24, effective January 1, 2023). CPRA significantly expanded CCPA, created the California Privacy Protection Agency (CPPA), introduced Sensitive Personal Information (SPI) as a new category, and added rights to correct PI, limit SPI use, and set retention periods.

What it does:

  • Determines business applicability — whether an organisation meets the CCPA/CPRA threshold ($25M revenue OR 100K+ consumers/households OR 50%+ revenue from PI sale/sharing) and what obligations follow
  • Guides consumer rights fulfillment — step-by-step workflows for right to know (access), delete, correct, opt-out of sale/sharing, limit SPI use, portability, and non-discrimination — including identity verification, exceptions, response deadlines (45 days / 15 business days for SPI), and service provider propagation
  • Classifies ad tech, cookie tracking, and data sharing — determines whether arrangements constitute a "sale" or CPRA "sharing" (cross-context behavioral advertising), advises on Global Privacy Control (GPC) signal compliance and consent management
  • Identifies Sensitive Personal Information (SPI) — precise geolocation, biometrics, health data, SSNs, credentials, and more — and advises on permitted uses, limitation rights, disclosure requirements, and 15-business-day response SLA
  • Performs GDPR-to-CCPA/CPRA gap analysis — identifies CCPA/CPRA-specific additions (Do Not Sell or Share link, GPC, SPI limitation, minors' opt-in, financial incentive disclosures) and highlights key structural differences (opt-out vs. opt-in, no lawful basis requirement, household data, private right of action for breaches)
  • Drafts privacy notices and policies — at-collection notices, comprehensive privacy policies with all required CCPA/CPRA disclosures, and "Do Not Sell or Share" and "Limit SPI" opt-out pages
  • Assesses CPPA enforcement and penalty exposure — $2,500 per unintentional violation, $7,500 per intentional violation, and $100–$750 per consumer in breach private actions

Trigger phrases: CCPA, CPRA, California Consumer Privacy Act, California Privacy Rights Act, Do Not Sell or Share, sensitive personal information California, CPPA, California privacy compliance, right to know California, right to delete California, California opt-out, GPC signal, Global Privacy Control, ad tech CCPA, CCPA gap analysis, CCPA vs GDPR, California data privacy, CCPA service provider, CCPA third party, CCPA penalty

---

19. <img src="assets/Logos/itar.jpg" alt="ITAR" height="20" style="vertical-align:middle;object-fit:contain;"> ITAR [US] — International Traffic in Arms Regulations

File: ITAR - Claude Skill/itar.skill

The ITAR skill turns Claude into an expert advisor on US defense export controls under 22 CFR Parts 120–130, administered by the Directorate of Defense Trade Controls (DDTC) at the US State Department. ITAR controls the export, re-export, and transfer of defense articles, defense services, and related technical data enumerated on the United States Munitions List (USML).

What it does:

  • Performs USML jurisdiction analysis — applies the enumeration test and specially designed test (22 CFR § 120.41) to determine whether an item falls under ITAR or EAR, and guides Commodity Jurisdiction (CJ) requests for ambiguous cases
  • Guides DDTC registration under 22 CFR Part 122 — who must register, DS-2032 submission, annual fees, renewal timelines, and Empowered Official (EO) designation
  • Advises on export licensing — DSP-5 (permanent export), DSP-73 (temporary export), DSP-94 (temporary import), application requirements via D-Trade, licence conditions, Congressional notification thresholds
  • Drafts and reviews Technical Assistance Agreements (TAA) and Manufacturing License Agreements (MLA) under 22 CFR Part 124, including all mandatory clauses: retransfer prohibition, US government rights, audit rights, and 5-year record retention
  • Advises on deemed exports — foreign national access to ITAR-controlled technical data inside the US is treated as an export to their home country; covers Technology Control Plans (TCP), screening requirements, and access segregation
  • Guides brokering compliance under 22 CFR Part 129 — registration, prior approval requirements, and annual reporting obligations
  • Manages violations and voluntary disclosures — walks through the VSD process under 22 CFR § 127.12, penalty exposure (civil penalties up to $1.369M per violation; criminal penalties up to $1M and 20 years' imprisonment), mitigating and aggravating factors, and corrective action planning

Trigger phrases: ITAR, International Traffic in Arms Regulations, USML, United States Munitions List, DDTC, defense export, deemed export, TAA, technical assistance agreement, MLA, manufacturing license agreement, DSP-5, DSP-73, ITAR registration, ITAR violation, voluntary disclosure ITAR, ITAR vs EAR, commodity jurisdiction, defense article, defense service, ITAR compliance, technology control plan, Empowered Official

---

20. <img src="assets/Logos/lgpd-brazil.svg" alt="Brazil" height="20" style="vertical-align:middle;object-fit:contain;"> LGPD [Brazil] — General Data Protection Law

File: LGPD - Claude Skill/lgpd.skill

The LGPD skill turns Claude into an expert advisor on Brazil's Lei Geral de Proteção de Dados Pessoais (Law 13,709/2018), the comprehensive Brazilian data protection law enforced by the ANPD (Autoridade Nacional de Proteção de Dados). LGPD applies extraterritorially to any organisation processing personal data of individuals located in Brazil.

What it does:

  • Analyses extraterritorial scope (Art. 3) — determines whether LGPD applies to your organisation regardless of country of establishment
  • Maps legal bases for processing (Art. 7 — 10 bases for regular data; Art. 11 — stricter bases for sensitive data including health, biometric, racial origin)
  • Drafts LGPD-compliant privacy notices (Art. 9) and consent mechanisms (Art. 8) covering all mandatory elements
  • Guides data subject rights fulfilment (Arts. 17–22) — access, correction, deletion, portability, consent revocation, automated decision review — with 15-day response workflows
  • Advises on DPO/Encarregado appointment (Art. 41) — mandatory publication requirements and ANPD Resolution No. 2/2022 SME exemptions
  • Produces DPIA/RIPD templates (Art. 38) for high-risk processing and RoPA (Records of Processing Activities) structures (Art. 37)
  • Guides ANPD breach notification (Art. 48 + ANPD Resolution No. 15/2024) — 3 working-day preliminary notification and 20 working-day full report requirements
  • Analyses international transfer mechanisms (Arts. 33–36) for countries without ANPD adequacy decisions (including the US)
  • Calculates penalty exposure (Art. 52) — fines up to 2% of Brazilian revenue, maximum R$50 million per violation
  • Provides LGPD vs. GDPR comparison — key differences in legal bases, DPO obligations, breach timelines, and fine structures

Trigger phrases: LGPD, Brazil data protection, Lei Geral de Proteção de Dados, ANPD, Brazilian privacy law, LGPD compliance, LGPD gap assessment, Encarregado, RIPD, LGPD legal basis, LGPD data subject rights, Brazil data breach, ANPD notification, LGPD vs GDPR, Brazil personal data, LGPD penalty, Brazil privacy policy

---

21. <img src="assets/Logos/csrd-eu.svg" alt="EU" height="20" style="vertical-align:middle;object-fit:contain;"> CSRD [EU] — Corporate Sustainability Reporting Directive

File: CSRD - Claude Skill/csrd.skill

The CSRD skill turns Claude into an expert advisor on EU Directive 2022/2464 (CSRD), which requires approximately 50,000 companies to disclose detailed environmental, social, and governance (ESG) information under the European Sustainability Reporting Standards (ESRS). CSRD came into force on 5 January 2023 and replaces the Non-Financial Reporting Directive (NFRD).

What it does:

  • Determines CSRD scope and first reporting year — analyses PIE (>500 employees), large company, listed SME, and non-EU company (>€150M EU turnover) thresholds across all four cohorts (FY 2024–2028)
  • Guides the Double Materiality Assessment (DMA) — ESRS 1 step-by-step process covering impact materiality (scale, scope, irremediability) and financial materiality (risks and opportunities), with scoring templates
  • Produces CSRD gap assessments — maps current GRI/TCFD/CDP/SASB disclosures to mandatory ESRS datapoints and identifies priority gaps
  • Drafts ESRS disclosures — ESRS 2 General Disclosures (GOV-1 to GOV-5, SBM-1 to SBM-3, IRO-1) and all topical standards (E1–E5, S1–S4, G1) for material topics
  • Advises on ESRS E1 Climate Change — Scope 1, 2, and all 15 Scope 3 GHG emission categories, transition plan (Art. 19a(2)(a)), EU Taxonomy alignment, physical and transition risk financial effects
  • Supports ESRS S1 Own Workforce disclosures — gender pay gap, CEO pay ratio, LTIFR, collective bargaining coverage, health & safety management systems
  • Designs Scope 3 GHG emissions programmes — category prioritisation matrix, data collection methods (CDP Supply Chain, spend-based, supplier surveys), proxy methodology disclosure
  • Plans assurance readiness — limited assurance requirements under Art. 26a, documentation standards, transition to reasonable assurance post-2028
  • Advises on XBRL/iXBRL digital tagging requirements under ESEF and management report placement obligations
  • Provides CSRD vs GRI/TCFD/SASB/CDP comparison — framework interoperability, Appendix C mapping, and gap identification for existing reporters

Trigger phrases: CSRD, Corporate Sustainability Reporting Directive, ESRS, double materiality, double materiality assessment, DMA, ESG reporting Europe, sustainability disclosure EU, non-financial reporting, ESRS E1, ESRS S1, ESRS G1, Scope 3 CSRD, transition plan ESRS, CSRD gap assessment, CSRD scope, EU sustainability reporting, ESRS assurance, XBRL sustainability, CSRD vs GRI, CSRD vs TCFD, EU Taxonomy CSRD, NFRD CSRD, ESRS materiality

---

22. 🛡️ CIS Controls v8 — CIS Top 18 Cyber Hygiene

File: CIS Controls - Claude Skill/cis-controls.skill

The CIS Controls v8 skill turns Claude into an expert CIS Controls advisor covering all 18 CIS Controls and 153 safeguards from the May 2021 v8 release, including explicit cloud and mobile coverage. It applies the Implementation Group (IG) framework — IG1 (56 safeguards, essential cyber hygiene), IG2 (130 safeguards, intermediate), and IG3 (153 safeguards, advanced) — to scope guidance to each organization's risk profile and resource level.

What it does:

  • Determines the correct Implementation Group for any organization based on IT resources, data sensitivity, regulatory exposure, and threat profile — then scopes all guidance to that IG
  • Conducts structured CIS Controls gap assessments across all 18 controls and applicable safeguards with 🔴/🟡/🟢 status, IG assignment, asset type, security function, and prioritised remediation roadmap
  • Provides safeguard-level implementation guidance for all 153 safeguards — practical steps, recommended tools (e.g., Qualys, CrowdStrike, Splunk, Microsoft Defender), and common pitfalls
  • Delivers a structured IG1 12-week quick-start programme — week-by-week asset inventory, secure configuration, access controls, patch management, backups, and training
  • Maps CIS Controls v8 to NIST CSF 2.0 (subcategory-level), ISO 27001:2022 Annex A, CMMC 2.0 / NIST SP 800-171, SOC 2 TSC, and PCI DSS v4.0
  • Advises on vulnerability management SLAs — CVSS-based remediation timelines (Critical: 15 days, High: 30 days, Medium: 90 days) and authenticated scanner deployment
  • Designs SIEM/log management programmes per Control 8 — what to collect, retention standards (90-day hot, 12-month minimum), and NTP synchronisation
  • Provides industry-specific guidance — healthcare (HIPAA alignment), finance (PCI DSS alignment), government (CMMC alignment), and education (FERPA alignment)

Trigger phrases: CIS Controls, CIS Top 18, CIS v8, CIS Controls v8, Implementation Group, IG1, IG2, IG3, CIS safeguards, cyber hygiene controls, CIS gap assessment, CIS Controls NIST mapping, CIS Benchmarks, CIS CSAT, asset inventory CIS, vulnerability management CIS, CIS Controls ISO 27001, CIS Controls SOC 2, CIS Controls PCI DSS, CIS Controls CMMC, CIS Controls NIST CSF

---

23. 📦 EAR — Export Administration Regulations

File: EAR - Claude Skill/ear.skill

The EAR skill turns Claude into an expert Export Administration Regulations advisor with deep knowledge of all 15 CFR Parts 730–774, administered by the Bureau of Industry and Security (BIS). It guides exporters, manufacturers, technology companies, and compliance professionals through the full dual-use export control lifecycle — from item classification to licence analysis to enforcement response.

What it does:

  • Applies the mandatory Order of Review to determine EAR vs. ITAR jurisdiction — USML check first, then CCL classification or EAR99 confirmation
  • Classifies items across all 10 CCL categories (0–9) and 5 product groups (A–E) with step-by-step ECCN determination, including when to seek a CCATS or CJ request
  • Analyses licence requirements using the Commerce Country Chart — RFC × country matrix — and identifies applicable licence exceptions (LVS, GBS, CIV, APP, TSR, TMP, RPL, GOV, TSU, ENC, BAG, AVS, ACE, GFT)
  • Screens transactions against all restricted party lists: Entity List, Denied Persons List, Unverified List, MEU List, and OFAC SDN — with guidance on the Consolidated Screening List (CSL)
  • Explains deemed export rules (§ 734.13), the most restrictive nationality rule for dual nationals, and access contr

Related plugins

  • ccpa (grc-skills): California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) compliance advisor — business threshold analysis, consumer rights fulfillment, privacy notice drafting, service provider classification, sensitive personal information (SPI) handling, opt-out mechanisms (including GPC), CPPA enforcement, penalty exposure, and GDPR alignment.
  • cis-controls (grc-skills): CIS Controls v8 (CIS Top 18) advisor — Implementation Group scoping (IG1/IG2/IG3), gap assessments across all 153 safeguards, asset/software inventory, data protection, secure configuration, MFA and access control, vulnerability management, audit log management, malware defenses, incident response, penetration testing, and CIS Controls mapping to NIST CSF 2.0, ISO 27001:2022, SOC 2, PCI DSS, and CMMC 2.0. Use for any CIS Controls, CIS Benchmarks, or prioritized cyber hygiene question.
  • cmmc (grc-skills): Expert CMMC 2.0 compliance advisor for US defense contractors — gap analysis, SSP drafting, POA&M management, SPRS scoring, CUI scoping, and C3PAO assessment readiness for Level 1, 2, and 3.
  • csrd (grc-skills): EU CSRD (Corporate Sustainability Reporting Directive, EU 2022/2464) compliance advisor — scope & threshold analysis (large PIEs, other large, listed SMEs, non-EU), double materiality assessment (DMA), ESRS gap assessment, ESRS E1–E5 environmental disclosures, ESRS S1–S4 social disclosures, ESRS G1 governance, Scope 1/2/3 GHG emissions, transition plan drafting, assurance readiness, XBRL tagging, value chain reporting, and CSRD vs GRI/TCFD/SASB comparison.
  • dora (grc-skills): DORA (Regulation (EU) 2022/2554) compliance advisor for EU financial entities — ICT risk management framework, incident classification and reporting, TLPT, ICT third-party risk, Register of Information, and all adopted RTS/ITS with article-level citations.
  • dpdpa (grc-skills): India's Digital Personal Data Protection Act, 2023 (DPDPA) and DPDP Rules, 2025 compliance advisor — gap analysis, notice and consent requirements, Data Principal rights, breach notification, children's data, Significant Data Fiduciary obligations, cross-border transfers, Data Protection Board proceedings, and GDPR alignment for global organisations.