Expert-level compliance guidance for ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, NIST CSF, PCI DSS, TSA Cybersecurity, and ISO 42001 AI Management System — powered by Claude Skills.
Benchmarked across 18 test cases (2 per framework) using the eval framework — each graded against 4–5 verifiable assertions by independent agents. Skills scored 94% ± 10% vs a baseline of 72% ± 28%.
- What Are Claude Skills?
- Who Is This For?
- The Skills
- Potential Use Cases
- How to Install a Skill
- Install via Claude Code Marketplace
- Skill Evaluation
- Support & Contributing
- Author
- Disclaimer
Claude Skills are installable knowledge packages that extend Claude's capabilities for specific domains. A skill is a .skill file — a bundled archive containing a SKILL.md instruction file and optional reference materials — that you upload to Claude once and use across all your conversations.
Once installed, a skill activates automatically when your conversation touches its topic area. You don't need to invoke it by name or use special commands. Claude simply becomes a deeper expert in that domain for the duration of your session.
Skills are ideal when you need:
- Consistent, expert-level responses on a specialized topic
- Outputs formatted to professional or regulatory standards (e.g., audit-ready control narratives, policy templates with the right clauses)
- Domain knowledge that goes beyond general LLM training — such as knowing which specific NIST 800-53 controls apply to a given scenario, or which GDPR articles govern international data transfers
How skills work under the hood: Each .skill file contains a primary SKILL.md that is loaded into Claude's context when the skill triggers, plus reference files that are loaded on demand for deeper sub-topics. This "progressive disclosure" pattern keeps context usage efficient while making comprehensive knowledge available when needed.
These skills are designed for professionals who work on information security, privacy, and regulatory compliance — whether at organizations seeking certification, development teams building compliant systems, or advisors supporting clients.
Security & Compliance Teams use these skills to accelerate gap assessments, generate first-draft policies, map controls, and prepare evidence packages — compressing weeks of reference work into minutes.
Software Developers & Engineers use them to understand what controls their systems must implement, audit code and architecture for compliance issues, and get actionable technical guidance tied to specific regulatory requirements.
Legal, Privacy & GRC Professionals use them to draft regulatory documents (DPAs, BAAs, privacy notices), answer client questions with precise regulatory citations, and stay current on framework requirements.
Healthcare Organizations use the HIPAA skill to assess systems, generate required notices and agreements, and train staff on obligations — without needing a compliance consultant for every question.
Cloud Service Providers pursuing federal government contracts use the FedRAMP skill to navigate the ATO process, write SSP narratives, manage POA&Ms, and prepare for 3PAO assessments.
Startups and SMBs use these skills to understand what a given framework requires of them, scope their compliance programs, and get expert-quality output without a large in-house team.
File: ISO 27001 - Claude Skill/iso27001.skill
The ISO 27001 skill turns Claude into an expert ISO 27001 Lead Auditor and ISMS implementation consultant. It covers both ISO 27001:2013 (114 controls, 14 domains) and ISO 27001:2022 (93 controls, 4 themes), defaulting to the current 2022 version.
What it does:
- Runs structured gap analyses against mandatory clauses (4–10) and all Annex A controls
- Generates complete, audit-ready policy documents with document control blocks, scope statements, and clause-to-control mappings
- Provides step-by-step control implementation guidance for any Annex A control
- Builds risk registers and risk treatment plans using the likelihood × impact methodology
- Creates Statement of Applicability (SoA) templates covering all 93 controls
- Guides 2013 → 2022 transition, explaining the 11 new controls and mapping changes
Trigger phrases: ISO 27001, ISMS, Annex A, Statement of Applicability, SoA, gap analysis, risk register, certification readiness, internal audit
File: SOC 2 - Claude Skill/soc2.skill
The SOC 2 skill turns Claude into an expert SOC 2 compliance advisor grounded in the AICPA 2017 Trust Services Criteria (TSC) with 2022 Revised Points of Focus. It covers all five TSC: Security (CC1–CC9), Availability (A1), Confidentiality (C1), Processing Integrity (PI1), and Privacy (P1–P8).
What it does:
- Conducts gap analyses across in-scope TSC criteria with 🔴/🟡/🟢 status ratings and remediation roadmaps
- Drafts all 12 core SOC 2 policies (Information Security, Access Control, Incident Response, Change Management, Risk Assessment, Vendor Management, BCP/DR, and more)
- Documents controls in auditor-ready format: Control ID, TSC criterion, type, owner, frequency, evidence, and test procedure
- Produces evidence checklists mapped to each criterion, with sampling guidance for Type 1 vs Type 2 audits
- Handles vendor risk: tiering, 32-question security questionnaires, SOC 2 report review, CUEC tracking, and contractual requirements
- Adapts its tone — plain-language for first-time SOC 2 teams, technical AICPA-coded output for practitioners and auditors
Trigger phrases: SOC 2, Trust Services Criteria, TSC, CC6, Type 1, Type 2, AICPA, audit readiness, control statement, evidence
File: FedRamp - Claude Skill/fedramp.skill
The FedRAMP skill turns Claude into a knowledgeable FedRAMP advisor covering the full authorization lifecycle for Cloud Service Providers (CSPs) under the current NIST SP 800-53 Rev 5 baseline. It is current as of 2025–2026, incorporating the Rev 5 transition, the September 2026 OSCAL mandate, and December 2024 template updates.
What it does:
- Conducts readiness and gap assessments using a 75+ item checklist across 14 security domains
- Guides authoring of ATO documentation: System Security Plans (SSP), POA&Ms, SAPs, SARs, and all required appendices (A–Q)
- Maps NIST 800-53 Rev 5 controls across all 20 control families to specific system implementations
- Provides cloud architecture guidance for AWS GovCloud, Azure Government, and Google Cloud Government
- Supports Continuous Monitoring (ConMon) obligations: monthly deliverables, POA&M SLA management, deviation requests
- Guides the Rev 4 → Rev 5 transition, FIPS 199 impact level scoping, and OSCAL readiness
Trigger phrases: FedRAMP, ATO, SSP, POA&M, 3PAO, NIST 800-53, ConMon, AWS GovCloud, Azure Government, impact level, OSCAL
File: GDPR - Claude Skill/gdpr-compliance.skill
The GDPR skill turns Claude into an expert GDPR compliance assistant that bridges technical and legal perspectives. It covers the full EU GDPR regulation with notes on UK GDPR (DPA 2018) where the rules differ, and adapts its tone automatically — technical for developers, legally precise for compliance and privacy professionals.
What it does:
- Audits code, APIs, database schemas, and architectures for GDPR violations, producing severity-graded findings (🔴/🟡/🟢) mapped to specific GDPR articles
- Drafts compliance documents from built-in templates: Privacy Notices (Art. 13/14), Data Processing Agreements (Art. 28), Cookie/Consent Banners, DPIAs (Art. 35), Data Retention Policies, and Data Subject Rights Procedures
- Answers compliance questions with authoritative article citations — every response leads with the governing article, then exceptions, then practical implications
- Reviews data flows and PII handling across six dimensions (what, why, where, who, how long, how protected) and checks alignment with RoPA requirements
- Covers all key GDPR areas: lawful basis, consent, data subject rights (Arts. 15–22), international transfers (Arts. 44–49), breach response (Arts. 32–34), special category data (Arts. 9–10), and penalties (Arts. 77–84)
Trigger phrases: GDPR, data protection, privacy, personal data, DPA, DPIA, lawful basis, data subject rights, consent, RoPA, Schrems II, ICO, EDPB
File: HIPAA - Claude Skill/hipaa-compliance.skill
The HIPAA skill turns Claude into a knowledgeable HIPAA compliance advisor covering the Privacy Rule, Security Rule, and Breach Notification Rule (45 CFR Parts 160 and 164, as amended by HITECH). It serves both technical teams building systems that handle ePHI and compliance/legal teams managing organizational obligations.
What it does:
- Reviews documents, systems, and architectures for HIPAA compliance, producing structured findings with CFR citations, risk levels (High / Medium / Low), and remediation steps
- Generates HIPAA-compliant documents from nine ready-to-use templates: Notice of Privacy Practices (NPP), Business Associate Agreements (BAA), Authorization Forms, Workforce Training Acknowledgments, Security Incident Reports, Risk Analysis Templates, and more — all with inline CFR citations
- Advises on technical safeguards for modern cloud environments (AWS, Azure, GCP), FHIR APIs, mobile/BYOD, and DevOps pipelines — covering all 54 Security Rule implementation specifications (Required and Addressable)
- Explains HIPAA in plain language for any audience — from developers needing encryption guidance to general staff learning what counts as PHI
- Guides breach response using the 4-factor risk assessment, notification timelines, HHS reporting obligations, and scenario-by-scenario guidance
Trigger phrases: HIPAA, PHI, ePHI, covered entity, business associate, BAA, NPP, breach notification, minimum necessary, Privacy Rule, Security Rule
File: NIST Cybersecurity framework - Claude Skill/NIST Cybersecurity.skill
The NIST CSF skill turns Claude into an expert NIST Cybersecurity Framework advisor covering both CSF 2.0 (February 2024) and CSF 1.1 (April 2018), defaulting to the current CSF 2.0. It covers all six functions — Govern, Identify, Protect, Detect, Respond, Recover — including the new Govern function introduced in CSF 2.0.
What it does:
- Conducts structured gap assessments across all six CSF 2.0 functions, categories, and subcategories
- Builds Organisational Profiles — Current and Target — aligned to business context, risk tolerance, and regulatory obligations
- Assesses Implementation Tiers (1–4) across three dimensions and provides targeted advancement guidance
- Creates prioritised implementation roadmaps with phased 30/60/90-day and strategic actions
- Maps CSF subcategories to NIST SP 800-53, ISO 27001:2022, and CIS Controls v8
- Generates policies aligned to CSF functions — governance policy, incident response, data security, access control, and more
- Guides CSF 1.1 → CSF 2.0 migration with a detailed subcategory mapping and migration checklist
Trigger phrases: NIST CSF, Cybersecurity Framework, CSF 2.0, Govern function, GV.SC, ID.AM, PR.AA, DE.CM, RS.MA, RC.RP, cybersecurity profile, implementation tiers, CSF gap assessment
File: PCI Compliance - Claude Skill/PCI-Compliance.skill
The PCI DSS skill turns Claude into an expert PCI DSS compliance advisor covering PCI DSS v4.0.1 (June 2024 — current version), including all requirements that became mandatory on March 31, 2025. It covers all 12 requirements, all 8 SAQ types, merchant and service provider levels, and key v4.0 changes from v3.2.1.
What it does:
- Scopes the Cardholder Data Environment (CDE) — identifies what's in scope, assesses network segmentation, and recommends scope reduction via tokenisation or P2PE
- Selects the correct SAQ type — walks through the decision tree for SAQ A, A-EP, B, B-IP, C, C-VT, P2PE, and D with rationale
- Conducts structured gap assessments across all 12 requirements with QSA evidence requirements and common gaps
- Provides control implementation guidance for any PCI DSS sub-requirement — what to implement, evidence needed, and common pitfalls
- Generates PCI DSS-aligned policies — incident response, access control, cryptography, patch management, data retention, and more
- Guides v3.2.1 → v4.0.1 migration including new requirements for MFA expansion, payment page script integrity (Req 6.4.3), phishing protection (Req 5.4.1), and automated log review (Req 10.4.1.1)
- Explains Defined vs Customised Approach and when to use Targeted Risk Analysis (TRA)
Trigger phrases: PCI DSS, PCI compliance, cardholder data, CDE, SAQ, ROC, QSA, ASV scan, PAN, tokenisation, P2PE, merchant level, payment page, Req 8.4.2, Req 6.4.3
File: TSA Compliance - Claude Skill/TSA-Compliance.skill
The TSA Cybersecurity skill turns Claude into an expert TSA cybersecurity directive advisor for critical transportation infrastructure. It covers all current TSA Security Directive series — SD Pipeline-2021-01G, SD Pipeline-2021-02F, SD 1580-21-01E (freight rail), and SD 1582-21-01E (transit/passenger rail) — plus the November 2024 NPRM proposing to formalise these directives as permanent federal regulations.
Note on SSI: TSA Security Directives are classified as Sensitive Security Information (SSI) under 49 CFR Part 1520. This skill is built from publicly available summaries, Federal Register notices, and DHS/CISA publications — not the classified full directive text. Covered entities receive the actual directive directly from TSA.
What it does:
- Determines applicability — which directive series applies to your organisation (pipeline, freight rail, transit, or bus) and what that means for your compliance obligations
- Runs structured gap assessments across the four technical domains: IT/OT network segmentation, access controls (MFA), continuous monitoring, and patch management
- Drafts Cyber Risk Management Program (CRMP) documents: Cybersecurity Implementation Plan (CIP/COIP), Incident Response Plan (IRP), Architecture Design Review (ADR), and Cybersecurity Assessment Plan (CAP)
- Guides OT/ICS-specific implementation — data diodes, jump servers for legacy HMIs, passive monitoring tools (Claroty, Dragos, Nozomi), OT patch lifecycle with vendor coordination
- Explains 24-hour CISA incident reporting obligations: what qualifies, how to report, sample initial report language, and CIRCIA overlap
- Advises on annual IRP testing — two objectives minimum, test scenarios, documentation requirements, and after-action review process
- Explains the 2024 NPRM impact: NIST CSF 2.0 alignment, CISA CPG baseline, proposed COIP structure, and what changes when the rule is finalised
Trigger phrases: TSA Security Directive, SD Pipeline-2021, SD 1580-21-01, SD 1582-21-01, TSA cybersecurity, Critical Cyber Systems, CCS, Cybersecurity Coordinator, Cybersecurity Implementation Plan, CIP, CRMP, IRP testing, Architecture Design Review, ADR, CAP, CISA 24-hour reporting, OT segmentation TSA, pipeline cybersecurity, rail cybersecurity directive, transit cybersecurity, TSA NPRM 2024
File: ISO 42001 - Claude Skill/ISO-42001.skill
The ISO 42001 skill turns Claude into an expert ISO/IEC 42001:2023 AI Management System (AIMS) advisor — the world's first international standard for AI governance. It serves both AI providers (organisations that develop or deploy AI) and AI users (organisations integrating third-party AI), covering the full certification lifecycle from gap assessment through Stage 2 audit readiness.
What it does:
- Conducts structured gap assessments across all mandatory clauses (4–10) and all 38 Annex A controls with 🔴/🟡/🟢 status, evidence requirements, and a phased remediation roadmap
- Guides the mandatory AI System Impact Assessment (AISIA) step by step — identifying affected populations, assessing impact dimensions (severity, reversibility, breadth, human oversight), classifying impact level (Low/Medium/High), and determining proportionate control requirements
- Performs AI risk assessment across all risk categories: model risks (bias, drift, hallucination, adversarial attacks), data risks (quality, poisoning, privacy in training data), operational risks (scope creep, human over-reliance), and supply chain risks (third-party model risk, API dependencies)
- Generates a complete Statement of Applicability (SoA) for all 38 Annex A controls with applicability decisions, justifications, and implementation status
- Drafts all core AIMS policies — AI Policy, AI Risk Management Policy, AI Acceptable Use Policy, Data Governance for AI Policy, AI Incident Management Policy, AI System Lifecycle Policy, and AI Supplier Management Policy — each with document control blocks and clause citations
- Produces Stage 1 and Stage 2 audit checklists with RAG status, evidence requirements per clause, and common auditor focus areas
- Maps ISO 42001 to the EU AI Act — aligns AISIA to the Fundamental Rights Impact Assessment (FRIA) for high-risk AI systems; maps Annex A controls to EU AI Act technical requirements
- Integrates ISO 42001 with ISO 27001 for organisations building a unified ISMS + AIMS
Trigger phrases: ISO 42001, ISO/IEC 42001, AI Management System, AIMS, AISIA, AI System Impact Assessment, responsible AI standard, AI governance standard, Annex A AI controls, AI risk assessment ISO, Statement of Applicability AI, AI policy ISO, AI certification, AI lifecycle controls, AI supplier management ISO, EU AI Act management system, NIST AI RMF ISO mapping, AI bias controls, AI transparency standard, AI incident management ISO
| Scenario | Relevant Skill(s) |
|---|---|
| Preparing for an ISO 27001:2022 Stage 2 certification audit | ISO 27001 |
| Writing an Information Security Policy mapped to Annex A | ISO 27001 |
| Running a SOC 2 readiness assessment before engaging an auditor | SOC 2 |
| Documenting controls for a SOC 2 Type 2 report | SOC 2 |
| Scoping a FedRAMP Moderate authorization on AWS GovCloud | FedRAMP |
| Writing SSP control narratives for all 20 NIST 800-53 control families | FedRAMP |
| Auditing an API for GDPR compliance before product launch | GDPR |
| Drafting a DPIA for a new AI feature that processes personal data | GDPR |
| Generating a BAA for a healthcare SaaS vendor relationship | HIPAA |
| Assessing whether a data incident constitutes a reportable HIPAA breach | HIPAA |
| Building a compliance program that satisfies both ISO 27001 and SOC 2 | ISO 27001 + SOC 2 |
| Responding to a customer security questionnaire covering multiple frameworks | All skills |
| Onboarding a new compliance engineer who needs framework context quickly | Any skill |
| Preparing a risk register and treatment plan for an ISMS | ISO 27001 |
| Transitioning from ISO 27001:2013 to ISO 27001:2022 | ISO 27001 |
| Preparing for a FedRAMP Rev 4 → Rev 5 transition | FedRAMP |
| Assessing current cybersecurity posture using NIST CSF 2.0 | NIST CSF |
| Building a CSF organisational profile with Current and Target states | NIST CSF |
| Advancing from CSF Implementation Tier 1 to Tier 2 | NIST CSF |
| Migrating a cybersecurity programme from CSF 1.1 to CSF 2.0 | NIST CSF |
| Mapping ISO 27001 or SOC 2 controls to NIST CSF subcategories | NIST CSF + ISO 27001 / SOC 2 |
| Writing a Cybersecurity Governance Policy aligned to the CSF GV function | NIST CSF |
| Scoping a PCI DSS CDE for a cloud-hosted e-commerce platform | PCI DSS |
| Selecting the right SAQ type for a merchant using a hosted payment page | PCI DSS |
| Preparing for a Level 1 ROC with a QSA | PCI DSS |
| Implementing the new PCI DSS v4.0 payment page script integrity requirements | PCI DSS |
| Extending MFA to all CDE access per Req 8.4.2 | PCI DSS |
| Managing third-party service providers under PCI DSS Req 12.8 | PCI DSS |
| Determining whether your pipeline or rail operation is a TSA covered entity | TSA Cybersecurity |
| Drafting a Cybersecurity Implementation Plan (CIP) for pipeline OT/SCADA environments | TSA Cybersecurity |
| Planning and documenting annual IRP testing for TSA directive compliance | TSA Cybersecurity |
| Responding to ransomware on IT that may spread to OT — reporting obligations to CISA | TSA Cybersecurity |
| Conducting an Architecture Design Review (ADR) for IT/OT network segmentation | TSA Cybersecurity |
| Implementing MFA and PAM for legacy OT/HMI systems with limited native controls | TSA Cybersecurity |
| Understanding what changes if TSA's November 2024 NPRM becomes final regulation | TSA Cybersecurity |
| Aligning a TSA CRMP to NIST CSF 2.0 and CISA Cross-Sector CPGs | TSA Cybersecurity + NIST CSF |
| Running an ISO 42001 gap assessment for an AI provider with multiple ML models in production | ISO 42001 |
| Completing an AI System Impact Assessment (AISIA) for an automated hiring tool | ISO 42001 |
| Building a Statement of Applicability (SoA) for all 38 ISO 42001 Annex A controls | ISO 42001 |
| Drafting an AI Policy and AI Acceptable Use Policy for a financial services firm | ISO 42001 |
| Assessing whether a customer-facing AI system requires high-impact controls under ISO 42001 | ISO 42001 |
| Preparing evidence packages for ISO 42001 Stage 1 and Stage 2 certification audits | ISO 42001 |
| Mapping ISO 42001 AISIA requirements to EU AI Act Fundamental Rights Impact Assessment (FRIA) | ISO 42001 |
| Integrating an ISO 42001 AIMS with an existing ISO 27001 ISMS | ISO 42001 + ISO 27001 |
| Governing staff use of public AI tools (ChatGPT, Copilot) under Annex A control A.9.7 | ISO 42001 |
-
Download the
.skillfile for the framework you need:Framework Download 🔐 ISO 27001 iso27001.skill ✅ SOC 2 soc2.skill 🏛️ FedRAMP fedramp.skill 🇪🇺 GDPR gdpr-compliance.skill 🏥 HIPAA hipaa-compliance.skill 🛡️ NIST CSF NIST Cybersecurity.skill 💳 PCI DSS PCI-Compliance.skill 🚨 TSA Cybersecurity TSA-Compliance.skill 🤖 ISO 42001 AI Management System ISO-42001.skill -
Open Claude and navigate to Customize → Skills.
-
Click Upload Skill and select the
.skillfile. -
The skill is now active. Start a new conversation and ask your compliance question — Claude will automatically apply the skill.
Tip: You can install multiple skills at once. If you work across several frameworks (e.g., both ISO 27001 and SOC 2), install all of them — Claude will activate whichever is most relevant to each question.
If you use Claude Code — the AI-powered CLI for developers — these skills are also available as installable Claude Code plugins through a hosted marketplace. This is the recommended installation path for developers and teams, as it supports version-pinning, automatic updates, and team-wide distribution without any manual file handling.
Add the marketplace and install the skills you need directly from the terminal:
/plugin marketplace add Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
/plugin install iso27001@grc-skills soc2@grc-skills fedramp@grc-skills gdpr-compliance@grc-skills hipaa-compliance@grc-skills nist-csf@grc-skills pci-compliance@grc-skills tsa-compliance@grc-skills iso42001@grc-skillsTeams can pre-wire the marketplace in .claude/settings.json so every developer gets the skills automatically when they open the project — no manual install required.
📖 Full installation instructions, team setup, and update guide → INSTALLATION.md
These skills were benchmarked using the Claude Skill Creator eval framework. 18 realistic test cases were run across all 9 skills — 2 per framework — covering gap analysis, policy drafting, control narratives, code audits, breach response, CRMP drafting, and AI system impact assessments. Each test case was evaluated against 4–5 objectively verifiable assertions by independent grader agents comparing skill-assisted vs. baseline Claude responses.
| Configuration | Pass Rate |
|---|---|
| With GRC Skills installed | 94% ± 10% |
| Without skills (baseline Claude) | 72% ± 28% |
| Delta | +22 points |
| Skill | Test Cases | Pass Rate | What Was Tested |
|---|---|---|---|
| ISO 27001 | 2 | 100% | Stage 2 gap analysis; Access Control Policy drafting |
| SOC 2 | 2 | 100% | First-time audit guidance; CC6.3 control documentation |
| FedRAMP | 2 | 88% | AC-2 SSP narrative; Impact level & LI-SaaS guidance |
| GDPR | 2 | 100% | API endpoint audit with article citations; DPA drafting |
| HIPAA | 2 | 100% | Technical safeguards (45 CFR 164.312); Breach notification |
| NIST CSF | 2 | 78% | CSF 2.0 OT/IT gap assessment; Target profile for healthcare |
| PCI DSS | 2 | 90% | Stripe.js SAQ/CDE scope; v4.0.1 new requirements |
| TSA Cybersecurity | 2 | 100% | Pipeline CRMP obligations; Incident Reporting section |
| ISO 42001 | 2 | 90% | AI user gap assessment; AISIA for resume screening |
The skills add the most measurable value on highly framework-specific tasks: producing correct Annex A control IDs for ISO 27001, mapping gaps to CC criteria for SOC 2, generating formal third-person SSP prose with enhancement references for FedRAMP, applying article-level citations for GDPR, distinguishing Required vs. Addressable HIPAA specifications, using CSF 2.0 subcategory IDs for NIST, correctly identifying SAQ types for PCI, referencing specific TSA Security Directives and CISA contact details, and classifying AI system impact levels with AISIA methodology for ISO 42001.
📊 View the full eval results →
If you find an error, outdated regulatory reference, or missing coverage in any skill, please open a GitHub issue and include:
- The skill name (e.g., ISO 27001, FedRAMP)
- A description of the issue or incorrect guidance
- The correct information with a source reference if possible (e.g., regulatory text, official guidance document)
Have a compliance framework not covered here? Open a GitHub issue with the tag skill-request and describe the framework, your use case, and the audience it would serve. Community suggestions are welcome for frameworks such as NIST CSF, PCI DSS, CCPA, SOX, CMMC, and others.
Contributions are welcome and encouraged. To contribute:
- Fork this repository and create a new branch for your changes.
- For skill improvements — edit the relevant skill's
SKILL.mdor reference files. Follow the existing structure: YAML frontmatter, a routing/trigger section, and modular reference files. - For new skills — use the Claude Skill Creator to build your skill using the same progressive disclosure pattern (a lean
SKILL.md+ reference files loaded on demand). - Cite your sources — all regulatory content must be traceable to official sources (ISO standards, NIST publications, official regulatory text, agency guidance documents).
- Submit a Pull Request with a clear description of what changed and why.
- Keep
SKILL.mdfocused and under ~500 lines. Offload detailed reference content to separate files in areferences/folder. - All compliance assertions must cite the governing clause, article, or control ID.
- Skills should include a disclaimer that outputs are informational guidance, not legal advice.
- Avoid paraphrasing regulatory text in ways that alter its meaning. Where possible, use the authoritative language directly.
Hemant Naik LinkedIn · hemant.naik@gmail.com
Built March 2026
The skills in this repository provide informational guidance based on publicly available regulatory and standards documentation. They do not constitute legal, audit, or professional compliance advice. Outputs should be reviewed by qualified professionals — such as a certified ISO 27001 Lead Auditor, licensed attorney, Data Protection Officer, or HIPAA compliance officer — before being relied upon for formal compliance purposes.
Regulatory requirements evolve. Always verify guidance against the latest official publications from the relevant standards body or regulatory authority.
Licensed under the MIT License.
