Claude Skills for Governance, Risk, & Compliance Frameworks

🆕 New Skills (7)

• New ITAR [US] — International Traffic in Arms Regulations advisor covering all 22 CFR Parts 120–130, USML category analysis, DSP-5/73/85 licence workflows, deemed export obligations, TAA/MLA drafting, voluntary self-disclosure, DDTC registration, and Blue Lantern end-use checks
• New LGPD [Brazil] — Lei Geral de Proteção de Dados compliance advisor covering all 10 legal bases, data subject rights, ANPD enforcement, DPA requirements, consent management, international transfer mechanisms, breach notification (3 working day timeline), and mapping to GDPR
• New CSRD [EU] — Corporate Sustainability Reporting Directive advisor covering ESRS standards, double materiality assessment, Wave 1–4 scoping, GRI/TCFD gap analysis, value chain reporting, EU Taxonomy alignment, non-EU parent obligations, and third-party assurance requirements
• New CIS Controls v8 — CIS Top 18 cyber hygiene advisor covering Implementation Group selection (IG1–IG3), all 153 safeguards, gap assessments, vulnerability management SLAs, SIEM/log management design, and cross-framework mapping to NIST CSF 2.0, ISO 27001:2022, CMMC 2.0, SOC 2, and PCI DSS v4.0
• New EAR [US] — Export Administration Regulations advisor covering ECCN classification, CCL/EAR99 analysis, BIS licence requirements, Entity List/SDN screening, deemed export obligations, FDPR, licence exceptions (ENC, STA, LVS, TMP), voluntary self-disclosure, and 7-element export compliance programme design
• New NIST SP 800-53 — Federal security and privacy controls advisor covering all 20 control families, FIPS 199/200 categorization, Low/Moderate/High baseline selection (SP 800-53B), control tailoring and ODVs, SSP narrative writing, POA&M management, all 7 RMF steps (SP 800-37 Rev 2), ConMon strategy, EO 14028 phishing-resistant MFA, and cross-framework mapping to FedRAMP, FISMA, CMMC 2.0, and ISO 27001
• New EU AI Act — Regulation (EU) 2024/1689 compliance advisor covering all four risk tiers (Prohibited/High-Risk/Limited/Minimal), all 8 Art. 5 prohibited practices, all 8 Annex III high-risk use case areas, provider obligations (Arts. 9–17), deployer obligations (Art. 26), conformity assessment and CE marking (Arts. 43–48), GPAI model obligations (Arts. 53–55) with open-source exception and 10²⁵ FLOPs systemic risk threshold (Art. 51), governance (AI Office, AI Board), phase-in timeline, penalties (Art. 99), and cross-framework mapping to ISO 42001, NIST AI RMF, and GDPR

📊 Skill Evaluation

• Improved Expanded eval suite to 25 skills / 125 test cases (5 per framework), each graded against 5 verifiable assertions — 625 total assertions
• Improved EU AI Act skill scored 100% vs baseline of 76% (+24 pp) after AI Omnibus update; GDPR skill improved to 100% vs 96% (+4 pp); overall suite achieves 97% with-skill vs 81% baseline across 675 assertions (+16 pp advantage)

🌐 GitHub Pages — UX Improvements

• New Collapsible skill cards — all 18 skill cards are now accordion-style; ISO 27001 is expanded by default; remaining cards collapse to just their title for a much cleaner page on first load
• New 📰 GRC Framework Updates tab — monthly regulatory and standards digest covering all 18 frameworks; May 2026 edition live now, with April 2026 archived in a collapsible section; updated monthly going forward
• Improved Skill toggle button — more prominent: solid blue background when expanded, light blue when collapsed; larger click target with chevron rotation
• Improved Table zebra striping — even rows now use #eef2f7 for better contrast and row-scanning readability

🐛 Bug Fixes

• Fix ISM plugin installation failure — marketplace.json was missing the required "source" field for the ISM plugin entry, causing a validation error on install; fixed

🆕 New Skills (3)

• New Australian Information Security Manual (ISM) — Expert advisor for the ASD Information Security Manual; covers control applicability markings (NC/OS/PROTECTED), system authorisation and IRAP assessment preparation, Essential Eight Maturity Level mapping to ISM chapters, Chapter 13 system hardening, supply chain obligations for private sector cloud providers, and government-specific gaps not covered by ISO 27001 certification
• New EU NIS2 Directive — Expert advisor for the NIS2 Directive (Directive (EU) 2022/2555); covers Essential vs Important Entity classification (Annex I/II), all 10 Art. 21 security measures, Art. 23 incident reporting timelines (24h/72h/1 month), Art. 20 management body accountability, supply chain security under Art. 21(2)(d) and Art. 26 ENISA assessments, ISO 27001 gap analysis, and DORA lex specialis interaction for financial entities
• New CCPA/CPRA California Privacy — Expert advisor for the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA/Proposition 24); covers business threshold analysis, all 7 consumer rights with deadlines (45-day standard, 15-business-day for SPI), Sensitive Personal Information (SPI) classification and limitation mechanisms, Do Not Sell or Share link, Global Privacy Control (GPC) signal obligations, ad tech sale vs. sharing classification, service provider/contractor/third-party classification, CPPA enforcement and penalty exposure ($2,500/$7,500 per violation), and GDPR-to-CCPA/CPRA gap analysis

📊 Eval Suite Expansion

• New Expanded from 75 → 90 test cases and 375 → 450 assertions — 5 ISM evals (control scoping and authorisation, IRAP preparation, Chapter 13 hardening, Essential Eight mapping, supply chain obligations), 5 NIS2 evals (entity classification, Art. 21 obligations, Art. 23 reporting, ISO 27001 gap, DORA interaction), and 5 CCPA/CPRA evals (threshold analysis, right-to-know/delete workflow, ad tech classification, GDPR gap analysis, SPI classification)
• Improved Updated benchmark: 95% with-skill (428/450) / 80% baseline (362/450) / +66 additional assertions passing

🌐 GitHub Pages — Improvements

• Improved Header updated — title changed to "Claude Skills for Governance, Risk, & Compliance Frameworks"; skills grid fixed to 6 columns for even rows (18 items ÷ 6 = 3 equal rows)
• Improved CCPA/CPRA uses the actual California flag — replaced unreliable subdivision tag emoji with the Wikimedia Commons California state flag SVG, rendered inline at text size

🆕 New Skills (3)

• New CMMC 2.0 Cybersecurity Maturity Model Certification — Expert advisor for DoD contractors; covers all three CMMC levels (Foundational, Advanced, Expert), 110 NIST SP 800-171 practices, CMMC Level 2 self-assessment vs. C3PAO third-party assessment, POA&M eligibility, SPRS scoring, and OSC/OSA/C3PAO role guidance
• New NIST AI RMF AI Risk Management Framework — Full coverage of NIST AI RMF 1.0 and AI RMF Playbook; all four core functions (GOVERN, MAP, MEASURE, MANAGE), AI risk taxonomy (bias, explainability, security, privacy, safety), trustworthy AI characteristics, tiered risk profiles, and sector-specific guidance
• New SWIFT CSP Customer Security Programme — Expert CSCF v2025 advisor for SWIFT member institutions; all 31 controls (23 mandatory + 8 advisory), all architecture types (A1/A2/A3/A4/B), KYC-SA attestation workflow, hardware MFA token requirements, critical patch SLA, and incident response obligations under Control 7.1

📊 Eval Suite Expansion

• New Expanded from 70 → 75 test cases and 350 → 375 assertions — 5 new SWIFT CSP evals covering architecture scoping, MFA hardware tokens, gap assessment, KYC-SA attestation, and incident response
• Improved Updated benchmark: 95% with-skill / 81% baseline / +14 pts delta / +50 additional assertions passing vs. baseline

🌐 GitHub Pages — UX Improvements

• Improved Skills header redesigned — replaced run-on 15-framework sentence with a clean responsive grid (5 cols → 3 cols → 2 cols) for better readability at all screen sizes
• Fix Skill cards sorted by number — CMMC #13, NIST AI RMF #14, and SWIFT CSP #15 now display in correct order (CMMC was previously appearing last)
• New Added second LinkedIn testimonial — Shubham Mishra, Security Engineering @ Juniper Networks: "genuine progress toward interactive, intelligence-driven compliance"

🌐 GitHub Pages — Site Improvements

• New Added dedicated 📋 Release Notes tab — moved out of Resources for easier access
• New Added LinkedIn testimonial card (Jaana Metsamaa, Co-Founder at Kontion.app) with screenshot and link to post — featured above the Reddit testimonials grid
• New Added GitHub Stars live badge to the site header and README
• Improved Meta description updated to include all 12 skills

📊 Eval Results Page — Rebuilt

• Fix Eval results page previously only showed 36 runs (9 skills). Rebuilt to correctly display all 120 runs (60 prompts × 2 configs) across all 12 skills with accurate benchmark stats (94% / 83% / +11% / +32 assertions)
• Improved Results table links now open and scroll to the corresponding skill accordion

🐛 Bug Fixes — Skill Installability

• Fix DORA and DPDPA skills failed to install with "field 'description' in SKILL.md must be at most 1024 characters" — descriptions trimmed to ~875–890 chars while preserving all key triggering terms
• Fix DORA, DPDPA, ISO 27701, ISO 42001, and FedRAMP plugin .skill ZIPs had an extra skills/ wrapper, causing "SKILL.md must be in the top-level folder" install errors. All five rebuilt with correct <name>/SKILL.md structure

🆕 New Skills (3)

• New ISO 27701 Privacy Information Management — Expert PIMS advisor covering both ISO 27701:2025 (standalone) and ISO 27701:2019 (ISO 27001 extension); gap analysis, SoA generation, privacy risk assessment, DPIA support, and GDPR/CCPA/LGPD alignment across all 78 Annex A controls (A.1 controller, A.2 processor, A.3 shared security)
• New DORA Digital Operational Resilience — Full DORA (Regulation (EU) 2022/2554) compliance advisor for EU financial entities; covers all 64 articles, all 12 adopted RTS/ITS, ICT risk management framework, incident classification and three-stage reporting (4h/72h/1 month), TLPT scoping, ICT third-party risk, and Register of Information requirements
• New DPDPA India Digital Personal Data Protection — Advisor covering India's Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025 (effective May 2027); all 44 sections and 23 Rules, notice and consent requirements, Data Principal rights, 72-hour breach notification, children's data (18-year threshold), Significant Data Fiduciary obligations, and GDPR-to-DPDPA gap analysis

🏛️ FedRAMP Skill — Improvements

• Improved Updated based on user feedback

🤖 ISO 42001 Skill — Improvements

• Improved Updated based on user feedback

🔒 ISO 27701 Skill — Improvements

• Improved Rewrote version-selection logic: skill now leads with the 2019 extension model when the user has an existing ISO 27001 certification, and defaults to the 2025 standalone edition for greenfield implementations — previously defaulted to 2025 in all cases
• Improved GDPR alignment is now mentioned in the opening paragraph of every ISO 27701 explanation — the standard's primary value proposition was previously buried in a reference table
• New Added PII Processor terminology table with exact ISO 27701 control language ("PII subject rights assistance obligations", "sub-processor notification and consent", "processing under controller authority") — these are the precise phrases used in audits and DPA contracts
• New Added explicit "Key Statements" section covering: ISO 27701 is not a GDPR safe harbor; it has not been approved as a formal Article 42 GDPR certification scheme; ISO 27701:2019 requires ISO 27001 as a prerequisite and cannot be certified standalone

🐛 Fix — ISO 27701 Standalone Skill File

• Fix The ISO 27701 - Claude Skill/iso27701.skill ZIP was missing entirely — the directory existed but contained no installable file. The standalone skill archive has been built and published.

📊 Skill Evaluation — Updated Benchmark

• Improved Re-ran the 60-case eval suite following ISO 27701 skill improvements. ISO 27701 delta flipped from −8% to +20% (76% → 100% with skill)
• Improved Overall suite: skills now score 94% vs baseline of 83% (+11 point delta, 282/300 assertions passed), up from 92% / +8pts in v0.3.0

🌐 GitHub Pages — Multi-Tab Site

• New Replaced the Jekyll/README default page with a fully custom, multi-tab index.html covering Skills, Installation, Evaluation, Customer Feedback, and Resources
• New Embedded YouTube demo video directly in the Skills tab
• New Interactive Customer Feedback tab with Formspree-powered contact form (Customer Name, Company, Feedback Title, Feedback Body) — submissions delivered to hemant.naik@gmail.com
• New Integrated Formspree Ajax library (@formspree/ajax) via CDN for inline field validation and no-reload submissions
• New Release Notes section (this section) added to the Resources tab
• Improved Evaluation tab now shows stat cards (92% / 84% / +8pts) and per-skill results table for all 12 skills

🐛 Bug Fixes — Skill Installability

• Fix NIST CSF, PCI DSS, TSA Cybersecurity, and ISO 42001 .skill files were failing to install with the error "SKILL.md file must be in the top-level folder, not nested deeper" — caused by SKILL.md being packaged two levels deep (skills/<name>/SKILL.md) instead of one (<name>/SKILL.md). All four skills have been repackaged correctly.

🧪 Test Suite

• New Added tests/test_skill_installability.py — validates ZIP structure, SKILL.md depth, path safety, and content for all 9 .skill files (169 assertions, runs with pytest)
• New Added tests/test_plugin_structure.py — validates plugin directory layout, plugin.json schema, semver versioning, and marketplace.json completeness for all 9 plugins

🆕 New Skills (4)

• New NIST CSF — CSF 2.0 and CSF 1.1 advisor covering all six functions (Govern, Identify, Protect, Detect, Respond, Recover), gap assessments, organisational profiles, and implementation tiers
• New PCI DSS — PCI DSS v4.0.1 advisor covering all 12 requirements, all 8 SAQ types, CDE scoping, v3.2.1 → v4.0.1 migration guidance
• New TSA Cybersecurity — TSA Security Directive advisor for pipeline and rail critical infrastructure, CRMP drafting, OT/ICS implementation, and CISA 24-hour incident reporting
• New ISO 42001 AI Management System — ISO/IEC 42001:2023 AIMS advisor covering all 38 Annex A controls (A.2–A.10), AISIA methodology, AI risk assessment, and EU AI Act mapping

📊 Skill Evaluation

• Improved Expanded eval suite to 12 skills / 60 test cases (5 per framework), each graded against 5 verifiable assertions by independent grader agents — 300 total assertions
• Improved Skills scored 92% vs baseline of 84% (+8 point improvement, +24 additional assertions passed)
• Improved Evaluation tab updated with full 60-case results for all 12 skills including DORA and DPDPA

🐛 Bug Fixes

• Fix Resolved Issue #8 — Claude Code plugin loader path doubling bug where marketplace.json entries with explicit skills arrays caused the installer to construct double-nested paths, preventing plugin loading. Version bump forces cache invalidation for affected users.

📖 Documentation

• New Customer Testimonials section added to README with 9 community responses from Reddit
• Improved README Skill Evaluation section rewritten with new benchmark summary table and per-skill results
• New YouTube demo video embedded in README and GitHub Pages site

🚀 Initial Release

• New ISO 27001 — gap analysis, policy drafting, risk registers, SoA templates; covers ISO 27001:2013 and ISO 27001:2022
• New SOC 2 — Trust Services Criteria coverage (CC, A, C, PI, P), control documentation, vendor risk questionnaires, Type 1 / Type 2 guidance
• New FedRAMP — ATO lifecycle advisor, SSP and POA&M authoring, NIST 800-53 Rev 5, cloud architecture guidance for AWS GovCloud / Azure Government / GCP
• New GDPR — code and architecture audits, Privacy Notices, DPAs, DPIAs, data subject rights, UK GDPR notes
• New HIPAA — Privacy Rule, Security Rule, Breach Notification Rule; BAA and NPP templates; technical safeguards for cloud environments
• New Claude Code plugin marketplace integration — all 5 skills available via /plugin install
• New Skill eval framework with 10 baseline test cases across the 5 initial skills