What Are Claude Skills?

Claude Skills are installable knowledge packages that extend Claude's capabilities for specific domains. A skill is a .skill file — a bundled archive containing a SKILL.md instruction file and optional reference materials — that you upload to Claude once and use across all your conversations.

Once installed, a skill activates automatically when your conversation touches its topic area. You don't need to invoke it by name or use special commands. Claude simply becomes a deeper expert in that domain for the duration of your session.

Skills are ideal when you need:

How skills work under the hood: Each .skill file contains a primary SKILL.md that is loaded into Claude's context when the skill triggers, plus reference files that are loaded on demand for deeper sub-topics. This "progressive disclosure" pattern keeps context usage efficient while making comprehensive knowledge available when needed.


Who Is This For?

These skills are designed for professionals who work on information security, privacy, and regulatory compliance — whether at organizations seeking certification, development teams building compliant systems, or advisors supporting clients.

Security & Compliance Teams use these skills to accelerate gap assessments, generate first-draft policies, map controls, and prepare evidence packages — compressing weeks of reference work into minutes.

Software Developers & Engineers use them to understand what controls their systems must implement, audit code and architecture for compliance issues, and get actionable technical guidance tied to specific regulatory requirements.

Legal, Privacy & GRC Professionals use them to draft regulatory documents (DPAs, BAAs, privacy notices), answer client questions with precise regulatory citations, and stay current on framework requirements.

Healthcare Organizations use the HIPAA skill to assess systems, generate required notices and agreements, and train staff on obligations — without needing a compliance consultant for every question.

Cloud Service Providers pursuing federal government contracts use the FedRAMP skill to navigate the ATO process, write SSP narratives, manage POA&Ms, and prepare for 3PAO assessments.

Startups and SMBs use these skills to understand what a given framework requires of them, scope their compliance programs, and get expert-quality output without a large in-house team.


The Skills

1. 🔐 ISO 27001

ISO 27001 - Claude Skill/iso27001.skill

Turns Claude into an expert ISO 27001 Lead Auditor and ISMS implementation consultant. Covers both ISO 27001:2013 (114 controls, 14 domains) and ISO 27001:2022 (93 controls, 4 themes), defaulting to 2022.

  • Runs structured gap analyses against mandatory clauses (4–10) and all Annex A controls
  • Generates complete, audit-ready policy documents with document control blocks, scope statements, and clause-to-control mappings
  • Builds risk registers and risk treatment plans using the likelihood × impact methodology
  • Creates Statement of Applicability (SoA) templates covering all 93 controls
  • Guides 2013 → 2022 transition, explaining the 11 new controls and mapping changes

Trigger phrases: ISO 27001, ISMS, Annex A, SoA, gap analysis, risk register, certification readiness, internal audit

2. ✅ SOC 2

SOC 2 - Claude Skill/soc2.skill

Turns Claude into an expert SOC 2 compliance advisor grounded in the AICPA 2017 Trust Services Criteria (TSC) with 2022 Revised Points of Focus. Covers all five TSC: Security (CC1–CC9), Availability (A1), Confidentiality (C1), Processing Integrity (PI1), and Privacy (P1–P8).

  • Conducts gap analyses across in-scope TSC criteria with 🔴/🟡/🟢 status ratings and remediation roadmaps
  • Drafts all 12 core SOC 2 policies — Information Security, Access Control, Incident Response, Change Management, and more
  • Documents controls in auditor-ready format: Control ID, TSC criterion, type, owner, frequency, evidence, and test procedure
  • Handles vendor risk: tiering, 32-question security questionnaires, SOC 2 report review, CUEC tracking

Trigger phrases: SOC 2, Trust Services Criteria, TSC, CC6, Type 1, Type 2, AICPA, audit readiness, control statement

3. 🏛️ FedRAMP

FedRamp - Claude Skill/fedramp.skill

Turns Claude into a knowledgeable FedRAMP advisor covering the full authorization lifecycle for Cloud Service Providers under NIST SP 800-53 Rev 5. Current as of 2025–2026, incorporating the Rev 5 transition, September 2026 OSCAL mandate, and December 2024 template updates.

  • Conducts readiness and gap assessments using a 75+ item checklist across 14 security domains
  • Guides authoring of ATO documentation: SSP, POA&Ms, SAPs, SARs, and all required appendices (A–Q)
  • Maps NIST 800-53 Rev 5 controls across all 20 control families
  • Provides cloud architecture guidance for AWS GovCloud, Azure Government, and Google Cloud Government
  • Supports Continuous Monitoring (ConMon) obligations and guides the Rev 4 → Rev 5 transition

Trigger phrases: FedRAMP, ATO, SSP, POA&M, 3PAO, NIST 800-53, ConMon, AWS GovCloud, impact level, OSCAL

4. 🇪🇺 GDPR

GDPR - Claude Skill/gdpr-compliance.skill

Turns Claude into an expert GDPR compliance assistant bridging technical and legal perspectives. Covers full EU GDPR with notes on UK GDPR (DPA 2018) where rules differ.

  • Audits code, APIs, database schemas, and architectures for GDPR violations with severity-graded findings (🔴/🟡/🟢) mapped to specific GDPR articles
  • Drafts compliance documents: Privacy Notices (Art. 13/14), Data Processing Agreements (Art. 28), Cookie/Consent Banners, DPIAs (Art. 35), Data Retention Policies
  • Answers compliance questions with authoritative article citations — every response leads with the governing article
  • Covers lawful basis, consent, data subject rights (Arts. 15–22), international transfers (Arts. 44–49), breach response (Arts. 32–34)

Trigger phrases: GDPR, data protection, privacy, personal data, DPA, DPIA, lawful basis, data subject rights, consent, RoPA

5. 🏥 HIPAA

HIPAA - Claude Skill/hipaa-compliance.skill

Turns Claude into a knowledgeable HIPAA compliance advisor covering the Privacy Rule, Security Rule, and Breach Notification Rule (45 CFR Parts 160 and 164, as amended by HITECH).

  • Reviews documents, systems, and architectures for HIPAA compliance with structured findings: CFR citations, risk levels (High / Medium / Low), and remediation steps
  • Generates HIPAA-compliant documents from nine ready-to-use templates: NPP, BAA, Authorization Forms, Workforce Training Acknowledgments, Security Incident Reports, Risk Analysis Templates
  • Advises on technical safeguards for AWS, Azure, GCP, FHIR APIs, mobile/BYOD, and DevOps — all 54 Security Rule implementation specifications
  • Guides breach response using the 4-factor risk assessment, notification timelines, and HHS reporting obligations

Trigger phrases: HIPAA, PHI, ePHI, covered entity, business associate, BAA, NPP, breach notification, Privacy Rule, Security Rule

6. 🛡️ NIST CSF

NIST Cybersecurity framework - Claude Skill/NIST Cybersecurity.skill

Turns Claude into an expert NIST Cybersecurity Framework advisor covering both CSF 2.0 (February 2024) and CSF 1.1 (April 2018), defaulting to CSF 2.0. Covers all six functions — Govern, Identify, Protect, Detect, Respond, Recover — including the new Govern function in CSF 2.0.

  • Conducts structured gap assessments across all six CSF 2.0 functions, categories, and subcategories
  • Builds Organisational Profiles — Current and Target — aligned to business context and risk tolerance
  • Assesses Implementation Tiers (1–4) and provides targeted advancement guidance
  • Maps CSF subcategories to NIST SP 800-53, ISO 27001:2022, and CIS Controls v8
  • Guides CSF 1.1 → CSF 2.0 migration with a detailed subcategory mapping and migration checklist

Trigger phrases: NIST CSF, Cybersecurity Framework, CSF 2.0, Govern function, GV.SC, ID.AM, PR.AA, cybersecurity profile, implementation tiers

7. 💳 PCI DSS

PCI Compliance - Claude Skill/PCI-Compliance.skill

Turns Claude into an expert PCI DSS compliance advisor covering PCI DSS v4.0.1 (June 2024 — current), including all requirements that became mandatory on March 31, 2025. Covers all 12 requirements, all 8 SAQ types, merchant and service provider levels, and v4.0 changes from v3.2.1.

  • Scopes the Cardholder Data Environment (CDE) — identifies what's in scope, assesses network segmentation, recommends scope reduction via tokenisation or P2PE
  • Selects the correct SAQ type — decision tree for SAQ A, A-EP, B, B-IP, C, C-VT, P2PE, and D
  • Conducts structured gap assessments across all 12 requirements with QSA evidence requirements
  • Guides v3.2.1 → v4.0.1 migration including MFA expansion, payment page script integrity (Req 6.4.3), phishing protection (Req 5.4.1)

Trigger phrases: PCI DSS, PCI compliance, cardholder data, CDE, SAQ, ROC, QSA, PAN, tokenisation, merchant level

8. 🚨 TSA Cybersecurity

TSA Compliance - Claude Skill/TSA-Compliance.skill

Turns Claude into an expert TSA cybersecurity directive advisor for critical transportation infrastructure. Covers all current TSA Security Directive series — SD Pipeline-2021-01G, SD Pipeline-2021-02F, SD 1580-21-01E (freight rail), and SD 1582-21-01E (transit/passenger rail) — plus the November 2024 NPRM.

Note on SSI: TSA Security Directives are classified as Sensitive Security Information (SSI). This skill is built from publicly available summaries, Federal Register notices, and DHS/CISA publications — not the classified full directive text.

  • Determines applicability — which directive series applies to your organisation and what it means for compliance
  • Runs structured gap assessments across four technical domains: IT/OT network segmentation, access controls (MFA), continuous monitoring, and patch management
  • Drafts CRMP documents: Cybersecurity Implementation Plan (CIP/COIP), IRP, Architecture Design Review (ADR), and Cybersecurity Assessment Plan (CAP)
  • Guides OT/ICS-specific implementation — data diodes, jump servers for legacy HMIs, passive monitoring tools (Claroty, Dragos, Nozomi)

Trigger phrases: TSA Security Directive, SD Pipeline-2021, TSA cybersecurity, Critical Cyber Systems, CCS, CRMP, IRP testing, OT segmentation, TSA pipeline cybersecurity

9. 🤖 ISO 42001 AI Management System

ISO 42001 - Claude Skill/ISO-42001.skill

Turns Claude into an expert ISO/IEC 42001:2023 AI Management System (AIMS) advisor — the world's first international standard for AI governance. Serves both AI providers (organisations developing or deploying AI) and AI users (organisations integrating third-party AI).

  • Conducts structured gap assessments across all mandatory clauses (4–10) and all 38 Annex A controls (domains A.2–A.10) with 🔴/🟡/🟢 status and phased remediation roadmap
  • Guides the mandatory AI System Impact Assessment (AISIA) — identifying affected populations, assessing impact dimensions, classifying impact level (Low/Medium/High)
  • Performs AI risk assessment across model risks, data risks, operational risks, and supply chain risks
  • Generates a complete Statement of Applicability (SoA) covering all 38 Annex A controls (A.2.2–A.10.4)
  • Maps ISO 42001 to the EU AI Act — aligns AISIA to the Fundamental Rights Impact Assessment (FRIA) for high-risk AI systems

Trigger phrases: ISO 42001, ISO/IEC 42001, AI Management System, AIMS, AISIA, AI governance standard, Annex A AI controls, AI certification, EU AI Act management system

10. 🔒 ISO 27701 Privacy Information Management

ISO 27701 - Claude Skill/iso27701.skill

Turns Claude into an expert ISO/IEC 27701:2025 Privacy Information Management System (PIMS) advisor. Covers the full lifecycle from gap assessment through certification for both PII controllers and PII processors, and handles both the new standalone 2025 edition and the legacy 2019 extension edition.

  • Conducts structured gap analyses across all mandatory HLS clauses (4–10) and all 78 Annex A controls — 31 for PII controllers (A.1), 18 for PII processors (A.2), 29 shared security controls (A.3)
  • Generates complete PIMS policy documents — Privacy Policy, RoPA, Data Subject Rights Procedure, DPAs, Privacy by Design Procedure, and more
  • Builds privacy risk registers, triggers DPIAs for high-risk processing, and produces risk treatment plans
  • Creates Statements of Applicability (SoA) scoped to the organization's role (controller, processor, or both)
  • Guides 2019 → 2025 transitions with full control mapping table and timeline to the October 2028 deadline
  • Maps ISO 27701 to GDPR article by article, plus CCPA/CPRA, LGPD, PIPEDA, and UK GDPR

Trigger phrases: ISO 27701, PIMS, privacy information management, PII controller, PII processor, DPIA, RoPA, data subject rights, privacy by design, data processing agreement, GDPR alignment ISO 27701

11. 🏦 DORA Digital Operational Resilience

DORA - Claude Skill/dora.skill

Turns Claude into an expert advisor on Regulation (EU) 2022/2554 (DORA) — the anchoring ICT regulation for EU financial entities since 17 January 2025. Encodes all 64 DORA articles, all 12 adopted RTS/ITS, and provides precise article-level guidance. Explicitly separates DORA from NIS2, legacy EBA ICT guidelines, and ISO 27001.

  • Conducts structured DORA gap analyses across ICT risk management (Chapter II, Art. 5–16), incident management (Chapter III, Art. 17–23), TLPT (Chapter IV, Art. 24–27), and third-party risk (Chapter V, Art. 28–44)
  • Guides ICT incident classification against Art. 18 criteria and CDR (EU) 2024/1772 materiality thresholds, with a full decision tree for major vs. non-major
  • Builds three-stage reporting procedures per Art. 19: initial (4h), intermediate (72h), final (1 month), including content requirements per CDR (EU) 2025/301
  • Reviews contracts against Art. 30(2)(a)–(i) mandatory provisions and flags the audit-rights gap common with hyperscale cloud providers
  • Builds and validates the Register of Information with all mandatory fields per CIR (EU) 2024/2956
  • Scopes TLPT programmes per Art. 26 and CDR (EU) 2025/1190, covering threat intelligence, red team, mutual recognition, and tester qualifications

Trigger phrases: DORA, Regulation (EU) 2022/2554, digital operational resilience, ICT risk management framework, Art. 18 classification, Art. 19 incident reporting, Art. 26 TLPT, Art. 30 contractual provisions, Register of Information, ICT concentration risk, DORA vs NIS2, Chapter II DORA, Chapter III DORA

12. 🇮🇳 DPDPA India Digital Personal Data Protection

DPDPA - Claude Skill/dpdpa.skill

Turns Claude into an expert advisor on India's Digital Personal Data Protection Act, 2023 and the finalized DPDP Rules, 2025 (notified 13 November 2025, effective 13 May 2027). Covers all 44 sections and 23 Rules with section-level citations, GDPR-alignment mapping, and guidance for both Indian companies and global organizations with Indian data subjects.

  • Conducts structured DPDPA gap analyses covering notice/consent (Sections 5–6 + Rules 3–4), Data Fiduciary obligations (Section 8 + Rules 6–9), children's data (Section 9 + Rules 10–12), and SDF obligations (Section 10 + Rule 13)
  • Distinguishes DPDPA from GDPR across 8 dimensions — digital-only scope, no legitimate interests basis, unconditional consent + no bundling, blacklist cross-border transfers, narrower erasure right, India-resident DPO for SDFs, 18-year children's threshold, single Board enforcement
  • Guides breach notification per Section 8(6) and Rule 6 — 72-hour Board notification, all breaches notifiable (no risk threshold), Processor cascade obligations
  • Designs children's data programmes — Rule 12 parental verification (DigiLocker, government tokens, virtual tokens) and absolute prohibitions on tracking, profiling, and targeted advertising for under-18s
  • Advises Significant Data Fiduciaries on India-resident DPO, annual DPIA, annual independent audit, and data localisation readiness
  • Guides Data Principal rights fulfilment — access (Section 11), correction/erasure (Section 12), grievance redressal (Section 13), and the unique right to nominate (Section 14)

Trigger phrases: DPDPA, Digital Personal Data Protection Act, India data protection, Data Fiduciary, Data Principal, Significant Data Fiduciary, DPDP Rules 2025, Rule 6 DPDP breach, Rule 12 parental consent, India privacy law, DPDPA vs GDPR, DigiLocker consent, India children data

Potential Use Cases

| Scenario | Relevant Skill(s) |
| --- | --- |
| Preparing for an ISO 27001:2022 Stage 2 certification audit | ISO 27001 |
| Writing an Information Security Policy mapped to Annex A | ISO 27001 |
| Running a SOC 2 readiness assessment before engaging an auditor | SOC 2 |
| Documenting controls for a SOC 2 Type 2 report | SOC 2 |
| Scoping a FedRAMP Moderate authorization on AWS GovCloud | FedRAMP |
| Writing SSP control narratives for all 20 NIST 800-53 control families | FedRAMP |
| Auditing an API for GDPR compliance before product launch | GDPR |
| Drafting a DPIA for a new AI feature that processes personal data | GDPR |
| Generating a BAA for a healthcare SaaS vendor relationship | HIPAA |
| Assessing whether a data incident constitutes a reportable HIPAA breach | HIPAA |
| Building a compliance program that satisfies both ISO 27001 and SOC 2 | ISO 27001 + SOC 2 |
| Responding to a customer security questionnaire covering multiple frameworks | All skills |
| Assessing current cybersecurity posture using NIST CSF 2.0 | NIST CSF |
| Building a CSF organisational profile with Current and Target states | NIST CSF |
| Scoping a PCI DSS CDE for a cloud-hosted e-commerce platform | PCI DSS |
| Selecting the right SAQ type for a merchant using a hosted payment page | PCI DSS |
| Determining whether your pipeline or rail operation is a TSA covered entity | TSA Cybersecurity |
| Drafting a Cybersecurity Implementation Plan (CIP) for pipeline OT/SCADA environments | TSA Cybersecurity |
| Running an ISO 42001 gap assessment for an AI provider with multiple ML models | ISO 42001 |
| Completing an AI System Impact Assessment (AISIA) for an automated hiring tool | ISO 42001 |
| Integrating an ISO 42001 AIMS with an existing ISO 27001 ISMS | ISO 42001 + ISO 27001 |
| Aligning a TSA CRMP to NIST CSF 2.0 and CISA Cross-Sector CPGs | TSA Cybersecurity + NIST CSF |
| Running an ISO 27701:2025 gap assessment for a SaaS company acting as both PII controller and processor | ISO 27701 |
| Transitioning from ISO 27701:2019 certification to the 2025 standalone edition | ISO 27701 |
| Drafting a GDPR-aligned Data Processing Agreement (DPA) with all required Article 28 clauses | ISO 27701 |
| Completing a DPIA for a new AI feature that profiles users for targeted advertising | ISO 27701 |
| Mapping ISO 27701:2025 controls to GDPR articles for a compliance audit | ISO 27701 |
| Integrating a PIMS with an existing ISO 27001:2022 ISMS to avoid duplicating controls | ISO 27701 + ISO 27001 |
| Running a DORA gap analysis for an EU credit institution ahead of a supervisory review | DORA |
| Classifying an ICT incident against Art. 18 criteria and CDR (EU) 2024/1772 thresholds | DORA |
| Building a three-stage incident reporting procedure (4h / 72h / 1 month) per Art. 19 | DORA |
| Reviewing ICT vendor contracts against Art. 30(2) mandatory provisions | DORA |
| Building or validating the Register of Information per CIR (EU) 2024/2956 | DORA |
| Assessing ICT concentration risk for a bank reliant on a single hyperscaler | DORA |
| Scoping a TLPT programme and evaluating whether Art. 26 applies | DORA |
| Advising on the interaction between DORA and NIS2 for a financial entity | DORA |
| Running a DPDPA gap analysis for an Indian SaaS company ahead of the May 2027 deadline | DPDPA |
| Identifying which GDPR-compliant processing activities need fresh consent under DPDPA | DPDPA + GDPR |
| Designing a Rule 3-compliant notice with multi-language obligations | DPDPA |
| Implementing a 72-hour breach notification pipeline per Section 8(6) and Rule 6 | DPDPA |
| Designing a children's data compliance programme with Rule 12 parental verification | DPDPA |
| Preparing for potential Significant Data Fiduciary designation — DPO, DPIA, audit | DPDPA |
| Updating Data Processing Agreements with vendors to satisfy Rule 16 | DPDPA |
| Assessing India cross-border transfer obligations — blacklist approach and contractual safeguards | DPDPA |

How to Install a Skill

  1. Download the .skill file for the framework you need from the table below.
  2. Open Claude and navigate to Customize → Skills.
  3. Click Upload Skill and select the .skill file.
  4. The skill is now active. Start a new conversation and ask your compliance question — Claude will automatically apply the skill.

Tip: You can install multiple skills at once. If you work across several frameworks (e.g., both ISO 27001 and SOC 2), install all of them — Claude will activate whichever is most relevant to each question.

| Framework | Download |
| --- | --- |
| 1. 🔐 ISO 27001 | iso27001.skill |
| 2. ✅ SOC 2 | soc2.skill |
| 3. 🏛️ FedRAMP | fedramp.skill |
| 4. 🇪🇺 GDPR | gdpr-compliance.skill |
| 5. 🏥 HIPAA | hipaa-compliance.skill |
| 6. 🛡️ NIST CSF | NIST Cybersecurity.skill |
| 7. 💳 PCI DSS | PCI-Compliance.skill |
| 8. 🚨 TSA Cybersecurity | TSA-Compliance.skill |
| 9. 🤖 ISO 42001 AI Management System | ISO-42001.skill |
| 10. 🔒 ISO 27701 Privacy Information Management | iso27701.skill |
| 11. 🏦 DORA Digital Operational Resilience | dora.skill |
| 12. 🇮🇳 DPDPA India Digital Personal Data Protection | dpdpa.skill |

Installing Skills in Claude

Install via Claude Code Marketplace

If you use Claude Code — the AI-powered CLI for developers — these skills are also available as installable Claude Code plugins through a hosted marketplace. This is the recommended installation path for developers and teams, as it supports version-pinning, automatic updates, and team-wide distribution without any manual file handling.

Add the marketplace and install the skills you need directly from the terminal:

/plugin marketplace add Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
/plugin install iso27001@grc-skills soc2@grc-skills fedramp@grc-skills gdpr-compliance@grc-skills hipaa-compliance@grc-skills nist-csf@grc-skills pci-compliance@grc-skills tsa-compliance@grc-skills iso42001@grc-skills iso27701@grc-skills dora@grc-skills dpdpa@grc-skills

Teams can pre-wire the marketplace in .claude/settings.json so every developer gets the skills automatically when they open the project — no manual install required.

📖 Full installation instructions, team setup, and update guide → INSTALLATION.md

Skill Evaluation

These skills were benchmarked using the Claude Skill Creator eval framework. 60 realistic test cases were run across all 12 skills — 5 per framework — covering gap analysis, policy drafting, control deep-dives, edge cases, and compliance advice scenarios. Each test case was evaluated against 5 objectively verifiable assertions by independent grader agents comparing skill-assisted vs. baseline Claude responses. 300 total assertions evaluated.

  • 94% with GRC Skills installed (282 / 300 assertions passed)
  • 83% for baseline Claude with no skills (250 / 300 assertions passed)
  • +11 point improvement (+32 additional assertions passed)

Per-Skill Results

| Skill | Cases | With Skill | Baseline | Delta | What Was Tested |
| --- | --- | --- | --- | --- | --- |
| 🔐 ISO 27001 | 5 | 100% | 84% | +16% | Gap assessment; Policy drafting; 2013→2022 transition; Risk assessment; Management review CAP |
| ✅ SOC 2 | 5 | 100% | 84% | +16% | Type 1 vs 2; CC controls checklist; Availability criteria; Access control policy; Audit exception response |
| 🏛️ FedRAMP | 5 | 84% | 76% | +8% | Authorization pathways; Impact levels; FedRAMP 20x; System boundary; POA&M remediation timelines |
| 🇪🇺 GDPR | 5 | 88% | 88% | ±0% | US company checklist; Article 28 DPA; Subject access request; Cookie consent; 72-hour breach notification |
| 🏥 HIPAA | 5 | 92% | 88% | +4% | Covered entity analysis; BAA template; Encryption (addressable vs required); Risk analysis; Workforce violation |
| 🛡️ NIST CSF | 5 | 96% | 84% | +12% | CSF 2.0 overview; Ransomware recovery plan; Profile creation; Control mapping; Board reporting |
| 💳 PCI DSS | 5 | 92% | 88% | +4% | SAQ type selection; Req 3 stored data (v4.0); Breach obligations; Penetration testing; Tokenization scope |
| 🚨 TSA Cybersecurity | 5 | 100% | 96% | +4% | Pipeline directive requirements; CIRP elements; OT/IT segmentation; Airport applicability; TSA vs CIRCIA |
| 🤖 ISO 42001 | 5 | 92% | 80% | +12% | AIMS applicability; Key requirements; AI-specific risks; Third-party LLM management; AI ethics controls |
| 🔏 ISO 27701 | 5 | 100% | 80% | +20% | Extension to ISO 27001; GDPR mapping; Processor controls; PIA methodology; Certification as GDPR evidence |
| 🏦 DORA | 5 | 88% | 72% | +16% | Five pillars; ICT incident reporting timelines; TLPT requirements; Third-party contracts; DORA vs EBA |
| 🇮🇳 DPDPA | 5 | 96% | 80% | +16% | Applicability to foreign entities; Consent vs GDPR; Children's data (18-year threshold); Cross-border transfers; SDF obligations |

Skills add the most measurable value on highly framework-specific tasks: clause-level precision for ISO 27001, CC criteria mapping for SOC 2, exact FedRAMP document names and POA&M timeframes, GDPR article citations, HIPAA regulatory section references, CSF 2.0 subcategory IDs, PCI DSS v4.0.1 requirement numbers, TSA Security Directive citations, ISO 42001 AIMS clause references, DORA Article numbers and exact incident reporting timelines (4h/72h/1 month), and DPDPA-specific terminology and section references.

📊 View the full eval results →

Customer Testimonials

Feedback from the GRC and Claude AI community on Reddit: r/grc · r/ClaudeAI

"Fantastic work. Going to follow this and test it out myself."

— Reddit u/Efficient_Bus_923

"This is awesome, thank you!"

— Reddit u/ThePsychicCEO

"This is awesome! Any chance you can build one for ISO 42001?"

— Reddit u/ComparisonThink7683

"As a rather new Claude Code user, I'm both impressed and thankful. It's really helpful that you release it publicly. I am at the stage where I understand the need for a well-written CLAUDE.md and skills. This will help me a lot."

— Reddit u/bloulboi

"The skills approach is a good entry point — getting Claude to reason about specific frameworks is exactly the right instinct. The gap I kept hitting was that Claude could describe the compliance picture but couldn't act on it... this is a great start."

— Reddit u/sensationweb

"I've been doing something similar for the CIS controls and it's been brilliant so far. I'll be using this for ISO and SOC 2. Thanks!"

— Reddit u/gpldn

"Hell ya. We just approved Claude for enterprise so I'll go check it out."

— Reddit u/AcrobaticWatercress7

"I'll definitely check this out. I have a skill for threat modeling and am working on some other ones, this is super helpful."

— Reddit u/lilgreenbite

"Awesome, thanks for sharing. I'm going to play around with this."

— Reddit u/DeliciousNet593

Share Your Feedback

Have you used the GRC Claude Skills? We'd love to hear what you think — your feedback helps improve future skills and guides new framework coverage.

Your feedback will be sent to hemant.naik@gmail.com. We read every submission.

Support

Reporting Issues

If you find an error, outdated regulatory reference, or missing coverage in any skill, please open a GitHub issue and include:

Requesting New Skills

Have a compliance framework not covered here? Open a GitHub issue with the tag skill-request and describe the framework, your use case, and the audience it would serve. Community suggestions are welcome for frameworks such as CMMC, CCPA, SOX, and others.


Release Notes

Full changelog for all public releases. Latest release: v0.4.0.

v0.4.0 (Latest), April 18, 2026

🆕 New Skills (3)

  • New: ISO 27701 Privacy Information Management — Expert PIMS advisor covering both ISO 27701:2025 (standalone) and ISO 27701:2019 (ISO 27001 extension); gap analysis, SoA generation, privacy risk assessment, DPIA support, and GDPR/CCPA/LGPD alignment across all 78 Annex A controls (A.1 controller, A.2 processor, A.3 shared security)
  • New: DORA Digital Operational Resilience — Full DORA (Regulation (EU) 2022/2554) compliance advisor for EU financial entities; covers all 64 articles, all 12 adopted RTS/ITS, ICT risk management framework, incident classification and three-stage reporting (4h/72h/1 month), TLPT scoping, ICT third-party risk, and Register of Information requirements
  • New: DPDPA India Digital Personal Data Protection — Advisor covering India's Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025 (effective May 2027); all 44 sections and 23 Rules, notice and consent requirements, Data Principal rights, 72-hour breach notification, children's data (18-year threshold), Significant Data Fiduciary obligations, and GDPR-to-DPDPA gap analysis

🏛️ FedRAMP Skill — Improvements

  • Improved: Updated based on user feedback

🤖 ISO 42001 Skill — Improvements

  • Improved: Updated based on user feedback

🔒 ISO 27701 Skill — Improvements

  • Improved: Rewrote version-selection logic: the skill now leads with the 2019 extension model when the user has an existing ISO 27001 certification, and defaults to the 2025 standalone edition for greenfield implementations — previously it defaulted to 2025 in all cases
  • Improved: GDPR alignment is now mentioned in the opening paragraph of every ISO 27701 explanation — the standard's primary value proposition was previously buried in a reference table
  • New: Added PII Processor terminology table with exact ISO 27701 control language ("PII subject rights assistance obligations", "sub-processor notification and consent", "processing under controller authority") — these are the precise phrases used in audits and DPA contracts
  • New: Added explicit "Key Statements" section covering: ISO 27701 is not a GDPR safe harbor; it has not been approved as a formal Article 42 GDPR certification scheme; ISO 27701:2019 requires ISO 27001 as a prerequisite and cannot be certified standalone

🐛 Fix — ISO 27701 Standalone Skill File

  • Fix: The ISO 27701 - Claude Skill/iso27701.skill ZIP was missing entirely — the directory existed but contained no installable file. The standalone skill archive has been built and published.

📊 Skill Evaluation — Updated Benchmark

  • Improved: Re-ran the 60-case eval suite following the ISO 27701 skill improvements. The ISO 27701 delta flipped from −8% to +20% (76% → 100% with skill)
  • Improved: Overall suite: skills now score 94% vs a baseline of 83% (+11 point delta, 282/300 assertions passed), up from 92% / +8pts in v0.3.0

v0.3.0, April 10, 2026

🌐 GitHub Pages — Multi-Tab Site

  • New: Replaced the Jekyll/README default page with a fully custom, multi-tab index.html covering Skills, Installation, Evaluation, Customer Feedback, and Resources
  • New: Embedded YouTube demo video directly in the Skills tab
  • New: Interactive Customer Feedback tab with Formspree-powered contact form (Customer Name, Company, Feedback Title, Feedback Body) — submissions delivered to hemant.naik@gmail.com
  • New: Integrated Formspree Ajax library (@formspree/ajax) via CDN for inline field validation and no-reload submissions
  • New: Release Notes section (this section) added to the Resources tab
  • Improved: Evaluation tab now shows stat cards (92% / 84% / +8pts) and a per-skill results table for all 12 skills

🐛 Bug Fixes — Skill Installability

  • Fix: NIST CSF, PCI DSS, TSA Cybersecurity, and ISO 42001 .skill files were failing to install with the error "SKILL.md file must be in the top-level folder, not nested deeper" — caused by SKILL.md being packaged two levels deep (skills/<name>/SKILL.md) instead of one (<name>/SKILL.md). All four skills have been repackaged correctly.

🧪 Test Suite

  • New: Added tests/test_skill_installability.py — validates ZIP structure, SKILL.md depth, path safety, and content for all 9 .skill files (169 assertions, runs with pytest)
  • New: Added tests/test_plugin_structure.py — validates plugin directory layout, plugin.json schema, semver versioning, and marketplace.json completeness for all 9 plugins
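The two structural checks that the v0.3.0 notes describe, SKILL.md depth (exactly one folder deep, `<name>/SKILL.md`, never `skills/<name>/SKILL.md`) and path safety of the archive members, are small enough to show end to end. The validator below is an added example, not code from this repository or its tests/ directory; its function names, and the three archives it builds in memory (a well-formed skill, the two-levels-deep layout the fix describes, and one whose member path would escape the extraction folder), are constructed for this illustration. It generalises slightly beyond the fix by also rejecting absolute and drive-letter paths, the usual zip-slip cases a defender checks before unpacking any untrusted archive.

```python
"""Check a .skill archive's structure before installing it.

Added example, not code from the repository or its test suite. Encodes the
packaging rule from the v0.3.0 fix (SKILL.md at <name>/SKILL.md, one folder
deep) and rejects member paths that would escape the extraction directory
(zip slip). Function names and sample archives are constructed here.
"""
from __future__ import annotations

import io
import posixpath
import zipfile
from dataclasses import dataclass, field


@dataclass
class SkillCheck:
    ok: bool
    skill_dir: str | None = None   # top-level folder, e.g. "iso27001"
    problems: list[str] = field(default_factory=list)


def unsafe_member_path(name: str) -> bool:
    """True for absolute paths, drive letters or '..' escapes (zip slip)."""
    name = name.replace("\\", "/")
    if name.startswith("/") or ":" in name.split("/")[0]:
        return True
    normalized = posixpath.normpath(name)
    return normalized == ".." or normalized.startswith("../")


def check_skill_archive(data: bytes) -> SkillCheck:
    """Validate ZIP structure, SKILL.md depth and member-path safety."""
    result = SkillCheck(ok=False)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result.problems.append("not a valid ZIP archive")
        return result

    names = zf.namelist()
    for name in names:
        if unsafe_member_path(name):
            result.problems.append(f"unsafe member path: {name!r}")

    skill_files = [n for n in names if posixpath.basename(n) == "SKILL.md"]
    if not skill_files:
        result.problems.append("archive contains no SKILL.md")
    for n in skill_files:
        parts = n.split("/")
        if len(parts) != 2:
            # The layout the v0.3.0 fix describes as rejected on install
            result.problems.append(
                f"SKILL.md at wrong depth: {n!r} (expected <name>/SKILL.md)")
        elif not zf.read(n).strip():
            result.problems.append(f"SKILL.md is empty: {n!r}")
        else:
            result.skill_dir = parts[0]

    # Every member, reference files included, must live under that folder
    if result.skill_dir is not None:
        for n in names:
            if not n.startswith(result.skill_dir + "/"):
                result.problems.append(f"member outside skill folder: {n!r}")

    result.ok = not result.problems
    return result


def build_archive(members: dict[str, str]) -> bytes:
    """Build an in-memory ZIP from {member_path: text} (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample archives; the contents are placeholders, not real skills
GOOD_SKILL = build_archive({
    "iso27001/SKILL.md": "# ISO 27001 skill (placeholder)\n",
    "iso27001/references/annex_a.md": "Annex A notes (placeholder)\n",
})
NESTED_SKILL = build_archive({            # the v0.3.0 two-levels-deep layout
    "skills/nist-csf/SKILL.md": "# NIST CSF skill (placeholder)\n",
})
ESCAPING_SKILL = build_archive({          # member path escapes the target dir
    "pci/SKILL.md": "# PCI DSS skill (placeholder)\n",
    "../outside.txt": "must never be written\n",
})

if __name__ == "__main__":
    for label, blob in [("good", GOOD_SKILL), ("nested", NESTED_SKILL),
                        ("escaping", ESCAPING_SKILL)]:
        r = check_skill_archive(blob)
        print(label, "OK" if r.ok else "REJECTED", r.problems)
```

Run it as a script and it reports one accepted archive and two rejected ones; in a pytest suite the same function can be applied to every `.skill` file in the repository before release, which is the kind of check the installability test above performs.
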

v0.2.0, March 25, 2026

🆕 New Skills (4)

  • New: NIST CSF — CSF 2.0 and CSF 1.1 advisor covering all six functions (Govern, Identify, Protect, Detect, Respond, Recover), gap assessments, organisational profiles, and implementation tiers
  • New: PCI DSS — PCI DSS v4.0.1 advisor covering all 12 requirements, all 8 SAQ types, CDE scoping, and v3.2.1 → v4.0.1 migration guidance
  • New: TSA Cybersecurity — TSA Security Directive advisor for pipeline and rail critical infrastructure, CRMP drafting, OT/ICS implementation, and CISA 24-hour incident reporting
  • New: ISO 42001 AI Management System — ISO/IEC 42001:2023 AIMS advisor covering all 38 Annex A controls (A.2–A.10), AISIA methodology, AI risk assessment, and EU AI Act mapping

📊 Skill Evaluation

  • Improved: Expanded eval suite to 12 skills / 60 test cases (5 per framework), each graded against 5 verifiable assertions by independent grader agents — 300 total assertions
  • Improved: Skills scored 92% vs a baseline of 84% (+8 point improvement, +24 additional assertions passed)
  • Improved: Evaluation tab updated with full 60-case results for all 12 skills including DORA and DPDPA

🐛 Bug Fixes

  • Fix: Resolved Issue #8 — Claude Code plugin loader path doubling bug where marketplace.json entries with explicit skills arrays caused the installer to construct double-nested paths, preventing plugin loading. The version bump forces cache invalidation for affected users.

📖 Documentation

  • New: Customer Testimonials section added to README with 9 community responses from Reddit
  • Improved: README Skill Evaluation section rewritten with new benchmark summary table and per-skill results
  • New: YouTube demo video embedded in README and GitHub Pages site

v0.1.0, March 14, 2026

🚀 Initial Release

  • New: ISO 27001 — gap analysis, policy drafting, risk registers, SoA templates; covers ISO 27001:2013 and ISO 27001:2022
  • New: SOC 2 — Trust Services Criteria coverage (CC, A, C, PI, P), control documentation, vendor risk questionnaires, Type 1 / Type 2 guidance
  • New: FedRAMP — ATO lifecycle advisor, SSP and POA&M authoring, NIST 800-53 Rev 5, cloud architecture guidance for AWS GovCloud / Azure Government / GCP
  • New: GDPR — code and architecture audits, Privacy Notices, DPAs, DPIAs, data subject rights, UK GDPR notes
  • New: HIPAA — Privacy Rule, Security Rule, Breach Notification Rule; BAA and NPP templates; technical safeguards for cloud environments
  • New: Claude Code plugin marketplace integration — all 5 skills available via /plugin install
  • New: Skill eval framework with 10 baseline test cases across the 5 initial skills

Author

Hemant Naik
LinkedIn · hemant.naik@gmail.com
Built March 2026


Disclaimer

The skills in this repository provide informational guidance based on publicly available regulatory and standards documentation. They do not constitute legal, audit, or professional compliance advice. Outputs should be reviewed by qualified professionals — such as a certified ISO 27001 Lead Auditor, licensed attorney, Data Protection Officer, or HIPAA compliance officer — before being relied upon for formal compliance purposes.

Regulatory requirements evolve. Always verify guidance against the latest official publications from the relevant standards body or regulatory authority.

Licensed under the MIT License.