This guide covers how to install the GRC Skills marketplace in Claude Code, the AI-powered CLI for developers. The marketplace provides nine compliance skills as Claude Code plugins — each one extends Claude Code with deep, framework-specific expertise for ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, NIST CSF, PCI DSS, TSA Cybersecurity, and ISO 42001 AI Management System.
Plugins let you extend Claude Code with custom functionality that can be shared across projects and teams. A plugin can contain skills (instructions Claude follows automatically), commands (slash commands you invoke), agents, hooks, and MCP servers. Once installed, a plugin is available in every Claude Code session on that machine.
A marketplace is a catalog of plugins hosted in a Git repository. You add a marketplace once, then install any plugin it lists by name.
- Claude Code installed (`claude --version` to confirm)
- Git installed and accessible on your PATH
- An active Claude subscription or API key configured
Register the GRC Skills marketplace with a single command. You only need to do this once per machine.
```
/plugin marketplace add Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
```

Claude Code will clone the repository, read the `.claude-plugin/marketplace.json` catalog, and register it locally as `grc-skills`. You can confirm it was added with:

```
/plugin marketplace list
```

Once the marketplace is registered, install only the frameworks you need.

```
/plugin install iso27001@grc-skills
/plugin install soc2@grc-skills
/plugin install fedramp@grc-skills
/plugin install gdpr-compliance@grc-skills
/plugin install hipaa-compliance@grc-skills
/plugin install nist-csf@grc-skills
/plugin install pci-compliance@grc-skills
/plugin install tsa-compliance@grc-skills
/plugin install iso42001@grc-skills
```

Each plugin is installed to a local cache (`~/.claude/plugins/cache`) and activates immediately in new Claude Code sessions.
To install the full GRC suite in a single command:
```
/plugin install iso27001@grc-skills soc2@grc-skills fedramp@grc-skills gdpr-compliance@grc-skills hipaa-compliance@grc-skills nist-csf@grc-skills pci-compliance@grc-skills tsa-compliance@grc-skills iso42001@grc-skills
```

For teams, you can pre-wire the marketplace into your project so every developer gets the skills automatically when they open the project in Claude Code — no manual install step required.
Add the following to your project's .claude/settings.json:
```json
{
  "extraKnownMarketplaces": {
    "grc-skills": {
      "source": {
        "source": "github",
        "repo": "Sushegaad/Claude-Skills-Governance-Risk-and-Compliance"
      }
    }
  },
  "enabledPlugins": {
    "iso27001@grc-skills": true,
    "soc2@grc-skills": true,
    "fedramp@grc-skills": true,
    "gdpr-compliance@grc-skills": true,
    "hipaa-compliance@grc-skills": true,
    "nist-csf@grc-skills": true,
    "pci-compliance@grc-skills": true,
    "tsa-compliance@grc-skills": true,
    "iso42001@grc-skills": true
  }
}
```

Commit this file to your repository. The next time a team member trusts the project folder in Claude Code, the marketplace and plugins will be registered automatically. Only enable the skills your team actually needs — you don't have to include all nine.
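Because a committed `.claude/settings.json` registers a marketplace and enables plugins for everyone who trusts the folder, changes to it deserve the same review as a dependency change. The following is an added example, not part of the GRC Skills repository or Claude Code: a check you could run in CI that compares the file's `extraKnownMarketplaces` and `enabledPlugins` against an allowlist. The allowlists, the sample JSON, and the rule that a project must declare every marketplace it enables plugins from are assumptions.

```python
import json
# Assumption: marketplaces your team has reviewed, as name -> GitHub "owner/repo".
APPROVED_MARKETPLACES = {
    "grc-skills": "Sushegaad/Claude-Skills-Governance-Risk-and-Compliance",
}
# Assumption: the plugins your team agreed to auto-enable (a subset of the nine).
APPROVED_PLUGINS = {"iso27001@grc-skills", "soc2@grc-skills"}


def audit_settings(text):
    """Return sorted findings for one .claude/settings.json document."""
    settings = json.loads(text)
    findings = []
    marketplaces = settings.get("extraKnownMarketplaces", {})
    for name, entry in marketplaces.items():
        source = entry.get("source", {})
        repo = source.get("repo")
        if source.get("source") != "github" or APPROVED_MARKETPLACES.get(name) != repo:
            findings.append(f"unapproved marketplace: {name} -> {repo}")
    for plugin, enabled in settings.get("enabledPlugins", {}).items():
        if not enabled:
            continue
        marketplace = plugin.rpartition("@")[2]
        if marketplace not in marketplaces:
            # Policy assumption: project settings must declare what they enable from.
            findings.append(f"plugin from undeclared marketplace: {plugin}")
        elif plugin not in APPROVED_PLUGINS:
            findings.append(f"plugin not on allowlist: {plugin}")
    return sorted(findings)


# Constructed sample: the repo behind "grc-skills" was changed in a pull request.
SAMPLE = """
{
  "extraKnownMarketplaces": {
    "grc-skills": {"source": {"source": "github", "repo": "example-org/grc-skills-fork"}}
  },
  "enabledPlugins": {
    "iso27001@grc-skills": true,
    "hipaa-compliance@grc-skills": true,
    "helper@other-market": true,
    "soc2@grc-skills": false
  }
}
"""

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE):
        print(finding)
```

An empty result means the file matches the allowlist; any finding should block the merge until the change is reviewed.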
When this repository is updated with new skill content or bug fixes, refresh your local copy with:
```
/plugin marketplace update grc-skills
```

To update a specific installed plugin:

```
/plugin update iso27001@grc-skills
```

To remove a plugin:

```
/plugin uninstall iso27001@grc-skills
```

To remove the marketplace entirely:
```
/plugin marketplace remove grc-skills
```

| Plugin name | Framework | What it does |
|---|---|---|
| `iso27001` | ISO 27001:2022 | Gap analysis, policy writing, Annex A control guidance, SoA generation, risk registers |
| `soc2` | SOC 2 | TSC gap analysis, policy drafting, control documentation, audit evidence, vendor risk |
| `fedramp` | FedRAMP Moderate/High | Readiness assessments, SSP narratives, POA&M, NIST 800-53 control mapping, ConMon |
| `gdpr-compliance` | GDPR / UK GDPR | Code audits, privacy notices, DPAs, DPIAs, data flow reviews, article-cited Q&A |
| `hipaa-compliance` | HIPAA | Document generation, technical safeguards for cloud, breach response guidance |
| `nist-csf` | NIST CSF 2.0 / 1.1 | Gap assessments, organisational profiles, implementation tiers, roadmaps, cross-framework mapping |
| `pci-compliance` | PCI DSS v4.0.1 | CDE scoping, SAQ selection, gap assessments, control guidance, QSA audit prep, remediation planning |
| `tsa-compliance` | TSA Security Directives | Pipeline, freight rail, and transit OT/ICS cybersecurity — CIP/COIP, IRP, ADR, CAP, incident reporting, NPRM guidance |
| `iso42001` | ISO/IEC 42001:2023 | AI Management System gap analysis, AISIA, AI risk assessment, SoA, policy generation, and certification readiness |

Marketplace not found after adding
Run /plugin marketplace list to confirm it was registered. If it's missing, check that your Git credentials allow access and retry.
Plugin installation fails
Verify you have network access to GitHub and that your Git version is current. You can also clone the repo manually to test: git clone https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance.git
Skills not activating in sessions
Restart Claude Code after installing plugins. Skills activate in new sessions, not mid-session.
Git timeout on slow connections
Increase the timeout via environment variable before running Claude Code:

```
export CLAUDE_CODE_PLUGIN_GIT_TIMEOUT_MS=300000
```

For additional help, open an issue on the repository.
- Claude Code documentation
- Plugin marketplace docs
- README — full skill descriptions and use cases
- GitHub repository