‹ 首页

grc-compliance

@masriyan · 收录于 1 周前

Governance, risk, and compliance — risk assessment and scoring, control mapping across NIST CSF 2.0 / ISO 27001:2022 / SOC 2 / CIS Controls v8, gap analysis, audit evidence preparation, and security policy generation

适合你,如果负责企业安全合规,需要对照多个框架做差距分析

/ 下载安装
grc-compliance.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add masriyan/claude-code-cybersecurity-skill/grc-compliance
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- masriyan/claude-code-cybersecurity-skill/grc-compliance
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify masriyan/claude-code-cybersecurity-skill/grc-compliance
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
160GitHub stars
~1.7K最小装载
~4.5K含声明引用
~4.9K文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · MIT · 2c864e3

GRC & Compliance

Purpose

Enable Claude to operate as a governance, risk, and compliance partner: quantify and prioritize risk, map controls across the major frameworks, run gap analyses, prepare audit evidence, and draft clear, tailored security policies. Claude turns scattered control requirements into a single cross-framework view so one piece of evidence can satisfy many obligations.

Advisory scope: This skill produces risk analysis, control mappings, and policy drafts to support a security/compliance program. It is decision-support, not legal advice or a certification. A qualified auditor or counsel should validate before formal attestation.

Activation Triggers

This skill activates when the user asks about:

  • Risk assessment, risk register, risk scoring, or treatment plans
  • NIST CSF 2.0, NIST SP 800-53, ISO/IEC 27001:2022, SOC 2, PCI DSS 4.0, HIPAA, GDPR, CIS Controls v8
  • Control mapping or crosswalk between frameworks
  • Gap analysis against a standard or readiness for an audit/certification
  • Audit evidence collection, control narratives, or an SoA (Statement of Applicability)
  • Security policy, standard, or procedure drafting
  • Third-party / vendor risk assessment
  • Compliance posture reporting to leadership or a board

Prerequisites
pip install pyyaml

No external tools required — this skill is primarily analytical and document-generation focused. Claude reads existing policies, configs, and evidence directly.


Core Capabilities
1. Risk Assessment & Scoring

When asked to assess risk, run a structured, repeatable method:

  1. Asset & context — identify assets, owners, data classification, and business impact (CIA).
  2. Threats & vulnerabilities — enumerate relevant threat sources (map to MITRE ATT&CK where useful) and existing weaknesses.
  3. Likelihood × Impact — score on a defined scale (e.g., 1–5 each) → inherent risk. Apply control effectiveness → residual risk. Support qualitative (heat map) and, where data exists, quantitative (single-loss/annualized-loss, or FAIR-style ranges) views.
  4. Risk treatment — choose Mitigate / Transfer / Avoid / Accept; assign owner, due date, and the controls that move residual risk to within appetite.
  5. Produce a risk register (see Output Standards) and a treatment plan ranked by residual risk.

Use scripts/risk_register.py to score and rank a YAML/CSV risk list and emit a heat-map summary.

2. Cross-Framework Control Mapping

Maintain one control statement mapped to many frameworks so evidence is reused, not duplicated. Anchor on NIST CSF 2.0 functions (GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER) and crosswalk outward:

| Need | Framework | Anchor | |------|-----------|--------| | Program governance | NIST CSF 2.0 | GV / ID / PR / DE / RS / RC | | Certifiable ISMS | ISO/IEC 27001:2022 | Annex A (93 controls, 4 themes) | | Service-org attestation | SOC 2 | Trust Services Criteria (CC1–CC9, A/C/PI/P) | | Federal / detailed controls | NIST SP 800-53 Rev.5 | 20 control families | | Cardholder data | PCI DSS 4.0 | 12 requirements | | Prioritized baseline | CIS Controls v8 | 18 controls / IG1–IG3 |

Use scripts/control_mapper.py to crosswalk a control or to show, for a chosen framework, which related-framework requirements a single control satisfies.

3. Gap Analysis & Audit Readiness

When asked for a gap analysis:

  1. Select the target framework and scope (systems, locations, data).
  2. Assess each control: Implemented / Partial / Not Implemented / Not Applicable, with evidence reference.
  3. Compute coverage % per domain/function and overall.
  4. For each gap: required action, owner, effort, and target date → remediation roadmap.
  5. For ISO 27001, produce a Statement of Applicability (control, applicable Y/N, justification, status).
4. Audit Evidence & Control Narratives
  • Build an evidence index: control → required artifact → location/owner → cadence (e.g., quarterly access review export, change tickets, training records, scan reports).
  • Draft control narratives auditors expect: what the control is, who operates it, frequency, and how it's evidenced.
  • Flag common audit failures: stale access reviews, missing change-management tickets, untested IR/BCP plans, no log retention proof, unowned exceptions.
5. Security Policy & Standard Generation

Draft tailored, plain-language policy documents with a consistent structure (Purpose, Scope, Policy Statements, Roles & Responsibilities, Enforcement, Exceptions, Review cadence, Mapped controls). Common set: Information Security Policy, Access Control, Acceptable Use, Data Classification & Handling, Incident Response, Business Continuity/DR, Change Management, Vendor/Third-Party Risk, Cryptography, Secure SDLC, and an AI Use policy. Map each policy back to the controls it satisfies.

6. Third-Party / Vendor Risk

Tier vendors by data access and criticality; drive assessment via SIG/CAIQ-style questionnaires or review of the vendor's SOC 2 / ISO cert; track findings, residual risk, and re-assessment cadence in the register.


Output Standards

Risk register row:

ID | Risk | Asset | Threat | Likelihood(1-5) | Impact(1-5) | Inherent | Controls | Residual | Treatment | Owner | Due
R-001 | Ransomware encrypts file servers | File svc | Crime group | 4 | 5 | 20 (Critical) | Backups, EDR, MFA | 8 (Medium) | Mitigate | IT Ops | 2026-09-30

Gap analysis / SoA:

# [Framework] Gap Analysis — [Org]
Date: [Date] | Scope: [...] | Overall coverage: 72%

## By Domain
| Domain | Implemented | Partial | Not Impl | N/A | Coverage |
| Access Control | 8 | 2 | 1 | 0 | 80% |

## Gaps & Remediation
| Control | Status | Gap | Action | Owner | Effort | Target |

Compliance posture (leadership):

# Compliance Posture — [Period]
Overall: [score] | Trend: [▲/▼] | Frameworks: [...]
Top risks: [3] | Overdue remediations: [n] | Upcoming audits: [...]

Script Reference
risk_register.py
# Score & rank a risk list (YAML or CSV), emit ranked register + heat-map summary
python scripts/risk_register.py --input risks.yaml --output risk_register.json

# Quantitative ALE view where SLE/ARO provided
python scripts/risk_register.py --input risks.csv --quant --output register.json
control_mapper.py
# Crosswalk a control concept across frameworks
python scripts/control_mapper.py --control "access control" --frameworks all

# Show NIST CSF 2.0 -> ISO 27001 / SOC 2 mapping for a function
python scripts/control_mapper.py --csf PR.AA --output crosswalk.json

Skill Integration

| Next Step | Condition | Target Skill | |-----------|-----------|--------------| | Technical validation of a control | Need to prove a control works | → Skill 02 / 09 / 10 | | Cloud compliance scanning | Cloud controls in scope | → Skill 10 | | Detection coverage evidence | DE function controls | → Skill 12 / 15 | | IR plan testing evidence | RESPOND/RECOVER controls | → Skill 07 | | AI governance controls | AI systems in scope | → Skill 16 |


References
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。