Corrected the ISO42001 and FedRAMP skills based on user feedback.

Author: Sushegaad

FedRamp - Claude Skill/fedramp.skill

@@ -74,7 +74,7 @@ These skills are designed for professionals who work on information security, pr
 
 ## The Skills
 
-### 🔐 ISO 27001
+### 1. 🔐 ISO 27001
 
 **File:** `ISO 27001 - Claude Skill/iso27001.skill`
 
@@ -92,7 +92,7 @@ The ISO 27001 skill turns Claude into an expert ISO 27001 Lead Auditor and ISMS
 
 ---
 
-### ✅ SOC 2
+### 2. ✅ SOC 2
 
 **File:** `SOC 2 - Claude Skill/soc2.skill`
 
@@ -110,7 +110,7 @@ The SOC 2 skill turns Claude into an expert SOC 2 compliance advisor grounded in
 
 ---
 
-### 🏛️ FedRAMP
+### 3. 🏛️ FedRAMP
 
 **File:** `FedRamp - Claude Skill/fedramp.skill`
 
@@ -128,7 +128,7 @@ The FedRAMP skill turns Claude into a knowledgeable FedRAMP advisor covering the
 
 ---
 
-### 🇪🇺 GDPR
+### 4. 🇪🇺 GDPR
 
 **File:** `GDPR - Claude Skill/gdpr-compliance.skill`
 
@@ -145,7 +145,7 @@ The GDPR skill turns Claude into an expert GDPR compliance assistant that bridge
 
 ---
 
-### 🏥 HIPAA
+### 5. 🏥 HIPAA
 
 **File:** `HIPAA - Claude Skill/hipaa-compliance.skill`
 
@@ -162,7 +162,7 @@ The HIPAA skill turns Claude into a knowledgeable HIPAA compliance advisor cover
 
 ---
 
-### 🛡️ NIST CSF
+### 6. 🛡️ NIST CSF
 
 **File:** `NIST Cybersecurity framework - Claude Skill/NIST Cybersecurity.skill`
 
@@ -181,7 +181,7 @@ The NIST CSF skill turns Claude into an expert NIST Cybersecurity Framework advi
 
 ---
 
-### 💳 PCI DSS
+### 7. 💳 PCI DSS
 
 **File:** `PCI Compliance - Claude Skill/PCI-Compliance.skill`
 
@@ -200,7 +200,7 @@ The PCI DSS skill turns Claude into an expert PCI DSS compliance advisor coverin
 
 ---
 
-### 🚨 TSA Cybersecurity
+### 8. 🚨 TSA Cybersecurity
 
 **File:** `TSA Compliance - Claude Skill/TSA-Compliance.skill`
 
@@ -221,17 +221,17 @@ The TSA Cybersecurity skill turns Claude into an expert TSA cybersecurity direct
 
 ---
 
-### 🤖 ISO 42001 AI Management System
+### 9. 🤖 ISO 42001 AI Management System
 
 **File:** `ISO 42001 - Claude Skill/ISO-42001.skill`
 
 The ISO 42001 skill turns Claude into an expert **ISO/IEC 42001:2023** AI Management System (AIMS) advisor — the world's first international standard for AI governance. It serves both **AI providers** (organisations that develop or deploy AI) and **AI users** (organisations integrating third-party AI), covering the full certification lifecycle from gap assessment through Stage 2 audit readiness.
 
 **What it does:**
-- Conducts structured **gap assessments** across all mandatory clauses (4–10) and all **38 Annex A controls** with 🔴/🟡/🟢 status, evidence requirements, and a phased remediation roadmap
+- Conducts structured **gap assessments** across all mandatory clauses (4–10) and all **38 Annex A controls** (domains A.2–A.10) with 🔴/🟡/🟢 status, evidence requirements, and a phased remediation roadmap
 - Guides the mandatory **AI System Impact Assessment (AISIA)** step by step — identifying affected populations, assessing impact dimensions (severity, reversibility, breadth, human oversight), classifying impact level (Low/Medium/High), and determining proportionate control requirements
 - Performs **AI risk assessment** across all risk categories: model risks (bias, drift, hallucination, adversarial attacks), data risks (quality, poisoning, privacy in training data), operational risks (scope creep, human over-reliance), and supply chain risks (third-party model risk, API dependencies)
-- Generates a complete **Statement of Applicability (SoA)** for all 38 Annex A controls with applicability decisions, justifications, and implementation status
+- Generates a complete **Statement of Applicability (SoA)** covering all 38 Annex A controls (A.2.2–A.10.4) with applicability decisions, justifications, and implementation status
 - Drafts all core **AIMS policies** — AI Policy, AI Risk Management Policy, AI Acceptable Use Policy, Data Governance for AI Policy, AI Incident Management Policy, AI System Lifecycle Policy, and AI Supplier Management Policy — each with document control blocks and clause citations
 - Produces **Stage 1 and Stage 2 audit checklists** with RAG status, evidence requirements per clause, and common auditor focus areas
 - **Maps ISO 42001 to the EU AI Act** — aligns AISIA to the Fundamental Rights Impact Assessment (FRIA) for high-risk AI systems; maps Annex A controls to EU AI Act technical requirements
@@ -283,13 +283,13 @@ The ISO 42001 skill turns Claude into an expert **ISO/IEC 42001:2023** AI Manage
 | Aligning a TSA CRMP to NIST CSF 2.0 and CISA Cross-Sector CPGs | TSA Cybersecurity + NIST CSF |
 | Running an ISO 42001 gap assessment for an AI provider with multiple ML models in production | ISO 42001 |
 | Completing an AI System Impact Assessment (AISIA) for an automated hiring tool | ISO 42001 |
-| Building a Statement of Applicability (SoA) for all 38 ISO 42001 Annex A controls | ISO 42001 |
+| Building a Statement of Applicability (SoA) covering all 38 ISO 42001 Annex A controls (A.2–A.10) | ISO 42001 |
 | Drafting an AI Policy and AI Acceptable Use Policy for a financial services firm | ISO 42001 |
 | Assessing whether a customer-facing AI system requires high-impact controls under ISO 42001 | ISO 42001 |
 | Preparing evidence packages for ISO 42001 Stage 1 and Stage 2 certification audits | ISO 42001 |
 | Mapping ISO 42001 AISIA requirements to EU AI Act Fundamental Rights Impact Assessment (FRIA) | ISO 42001 |
 | Integrating an ISO 42001 AIMS with an existing ISO 27001 ISMS | ISO 42001 + ISO 27001 |
-| Governing staff use of public AI tools (ChatGPT, Copilot) under Annex A control A.9.7 | ISO 42001 |
+| Governing staff use of public AI tools (ChatGPT, Copilot) under Annex A control A.9.2 and A.9.4 | ISO 42001 |
 
 ---
 

ISO 42001 - Claude Skill/ISO-42001.skill

@@ -430,7 +430,7 @@ <h2>Who Is This For?</h2>
     <h2>The Skills</h2>
 
     <div class="skill-card">
-      <h3>🔐 ISO 27001</h3>
+      <h3>1. 🔐 ISO 27001</h3>
       <span class="file-badge">ISO 27001 - Claude Skill/iso27001.skill</span>
       <p>Turns Claude into an expert ISO 27001 Lead Auditor and ISMS implementation consultant. Covers both <strong>ISO 27001:2013</strong> (114 controls, 14 domains) and <strong>ISO 27001:2022</strong> (93 controls, 4 themes), defaulting to 2022.</p>
       <ul>
@@ -444,7 +444,7 @@ <h3>🔐 ISO 27001</h3>
     </div>
 
     <div class="skill-card">
-      <h3>✅ SOC 2</h3>
+      <h3>2. ✅ SOC 2</h3>
       <span class="file-badge">SOC 2 - Claude Skill/soc2.skill</span>
       <p>Turns Claude into an expert SOC 2 compliance advisor grounded in the <strong>AICPA 2017 Trust Services Criteria (TSC) with 2022 Revised Points of Focus</strong>. Covers all five TSC: Security (CC1–CC9), Availability (A1), Confidentiality (C1), Processing Integrity (PI1), and Privacy (P1–P8).</p>
       <ul>
@@ -457,7 +457,7 @@ <h3>✅ SOC 2</h3>
     </div>
 
     <div class="skill-card">
-      <h3>🏛️ FedRAMP</h3>
+      <h3>3. 🏛️ FedRAMP</h3>
       <span class="file-badge">FedRamp - Claude Skill/fedramp.skill</span>
       <p>Turns Claude into a knowledgeable FedRAMP advisor covering the full authorization lifecycle for Cloud Service Providers under <strong>NIST SP 800-53 Rev 5</strong>. Current as of 2025–2026, incorporating the Rev 5 transition, September 2026 OSCAL mandate, and December 2024 template updates.</p>
       <ul>
@@ -471,7 +471,7 @@ <h3>🏛️ FedRAMP</h3>
     </div>
 
     <div class="skill-card">
-      <h3>🇪🇺 GDPR</h3>
+      <h3>4. 🇪🇺 GDPR</h3>
       <span class="file-badge">GDPR - Claude Skill/gdpr-compliance.skill</span>
       <p>Turns Claude into an expert GDPR compliance assistant bridging technical and legal perspectives. Covers full <strong>EU GDPR</strong> with notes on <strong>UK GDPR (DPA 2018)</strong> where rules differ.</p>
       <ul>
@@ -484,7 +484,7 @@ <h3>🇪🇺 GDPR</h3>
     </div>
 
     <div class="skill-card">
-      <h3>🏥 HIPAA</h3>
+      <h3>5. 🏥 HIPAA</h3>
       <span class="file-badge">HIPAA - Claude Skill/hipaa-compliance.skill</span>
       <p>Turns Claude into a knowledgeable HIPAA compliance advisor covering the <strong>Privacy Rule, Security Rule, and Breach Notification Rule</strong> (45 CFR Parts 160 and 164, as amended by HITECH).</p>
       <ul>
@@ -497,7 +497,7 @@ <h3>🏥 HIPAA</h3>
     </div>
 
     <div class="skill-card">
-      <h3>🛡️ NIST CSF</h3>
+      <h3>6. 🛡️ NIST CSF</h3>
       <span class="file-badge">NIST Cybersecurity framework - Claude Skill/NIST Cybersecurity.skill</span>
       <p>Turns Claude into an expert NIST Cybersecurity Framework advisor covering both <strong>CSF 2.0</strong> (February 2024) and <strong>CSF 1.1</strong> (April 2018), defaulting to CSF 2.0. Covers all six functions — <strong>Govern, Identify, Protect, Detect, Respond, Recover</strong> — including the new Govern function in CSF 2.0.</p>
       <ul>
@@ -511,7 +511,7 @@ <h3>🛡️ NIST CSF</h3>
     </div>
 
     <div class="skill-card">
-      <h3>💳 PCI DSS</h3>
+      <h3>7. 💳 PCI DSS</h3>
       <span class="file-badge">PCI Compliance - Claude Skill/PCI-Compliance.skill</span>
       <p>Turns Claude into an expert PCI DSS compliance advisor covering <strong>PCI DSS v4.0.1</strong> (June 2024 — current), including all requirements that became mandatory on March 31, 2025. Covers all 12 requirements, all 8 SAQ types, merchant and service provider levels, and v4.0 changes from v3.2.1.</p>
       <ul>
@@ -524,7 +524,7 @@ <h3>💳 PCI DSS</h3>
     </div>
 
     <div class="skill-card">
-      <h3>🚨 TSA Cybersecurity</h3>
+      <h3>8. 🚨 TSA Cybersecurity</h3>
       <span class="file-badge">TSA Compliance - Claude Skill/TSA-Compliance.skill</span>
       <p>Turns Claude into an expert TSA cybersecurity directive advisor for <strong>critical transportation infrastructure</strong>. Covers all current TSA Security Directive series — SD Pipeline-2021-01G, SD Pipeline-2021-02F, SD 1580-21-01E (freight rail), and SD 1582-21-01E (transit/passenger rail) — plus the <strong>November 2024 NPRM</strong>.</p>
       <div class="info-box"><strong>Note on SSI:</strong> TSA Security Directives are classified as Sensitive Security Information (SSI). This skill is built from publicly available summaries, Federal Register notices, and DHS/CISA publications — not the classified full directive text.</div>
@@ -538,14 +538,14 @@ <h3>🚨 TSA Cybersecurity</h3>
     </div>
 
     <div class="skill-card">
-      <h3>🤖 ISO 42001 AI Management System</h3>
+      <h3>9. 🤖 ISO 42001 AI Management System</h3>
       <span class="file-badge">ISO 42001 - Claude Skill/ISO-42001.skill</span>
       <p>Turns Claude into an expert <strong>ISO/IEC 42001:2023</strong> AI Management System (AIMS) advisor — the world's first international standard for AI governance. Serves both <strong>AI providers</strong> (organisations developing or deploying AI) and <strong>AI users</strong> (organisations integrating third-party AI).</p>
       <ul>
-        <li>Conducts structured <strong>gap assessments</strong> across all mandatory clauses (4–10) and all <strong>38 Annex A controls</strong> with 🔴/🟡/🟢 status and phased remediation roadmap</li>
+        <li>Conducts structured <strong>gap assessments</strong> across all mandatory clauses (4–10) and all <strong>38 Annex A controls</strong> (domains A.2–A.10) with 🔴/🟡/🟢 status and phased remediation roadmap</li>
         <li>Guides the mandatory <strong>AI System Impact Assessment (AISIA)</strong> — identifying affected populations, assessing impact dimensions, classifying impact level (Low/Medium/High)</li>
         <li>Performs <strong>AI risk assessment</strong> across model risks, data risks, operational risks, and supply chain risks</li>
-        <li>Generates a complete <strong>Statement of Applicability (SoA)</strong> for all 38 Annex A controls</li>
+        <li>Generates a complete <strong>Statement of Applicability (SoA)</strong> covering all 38 Annex A controls (A.2.2–A.10.4)</li>
         <li><strong>Maps ISO 42001 to the EU AI Act</strong> — aligns AISIA to the Fundamental Rights Impact Assessment (FRIA) for high-risk AI systems</li>
       </ul>
       <div class="trigger-tags"><strong>Trigger phrases:</strong> <code>ISO 42001</code> <code>ISO/IEC 42001</code> <code>AI Management System</code> <code>AIMS</code> <code>AISIA</code> <code>AI governance standard</code> <code>Annex A AI controls</code> <code>AI certification</code> <code>EU AI Act management system</code></div>
@@ -606,15 +606,15 @@ <h2>How to Install a Skill</h2>
       <table class="install-table">
         <thead><tr><th>Framework</th><th>Download</th></tr></thead>
         <tbody>
-          <tr><td>🔐 ISO 27001</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/ISO%2027001%20-%20Claude%20Skill/iso27001.skill">iso27001.skill</a></td></tr>
-          <tr><td>✅ SOC 2</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/SOC%202%20-%20Claude%20Skill/soc2.skill">soc2.skill</a></td></tr>
-          <tr><td>🏛️ FedRAMP</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/FedRamp%20-%20Claude%20Skill/fedramp.skill">fedramp.skill</a></td></tr>
-          <tr><td>🇪🇺 GDPR</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/GDPR%20-%20Claude%20Skill/gdpr-compliance.skill">gdpr-compliance.skill</a></td></tr>
-          <tr><td>🏥 HIPAA</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/HIPAA%20-%20Claude%20Skill/hipaa-compliance.skill">hipaa-compliance.skill</a></td></tr>
-          <tr><td>🛡️ NIST CSF</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/NIST%20Cybersecurity%20framework%20-%20Claude%20Skill/NIST%20Cybersecurity.skill">NIST Cybersecurity.skill</a></td></tr>
-          <tr><td>💳 PCI DSS</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/PCI%20Compliance%20-%20Claude%20Skill/PCI-Compliance.skill">PCI-Compliance.skill</a></td></tr>
-          <tr><td>🚨 TSA Cybersecurity</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/TSA%20Compliance%20-%20Claude%20Skill/TSA-Compliance.skill">TSA-Compliance.skill</a></td></tr>
-          <tr><td>🤖 ISO 42001 AI Management System</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/ISO%2042001%20-%20Claude%20Skill/ISO-42001.skill">ISO-42001.skill</a></td></tr>
+          <tr><td>1. 🔐 ISO 27001</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/ISO%2027001%20-%20Claude%20Skill/iso27001.skill">iso27001.skill</a></td></tr>
+          <tr><td>2. ✅ SOC 2</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/SOC%202%20-%20Claude%20Skill/soc2.skill">soc2.skill</a></td></tr>
+          <tr><td>3. 🏛️ FedRAMP</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/FedRamp%20-%20Claude%20Skill/fedramp.skill">fedramp.skill</a></td></tr>
+          <tr><td>4. 🇪🇺 GDPR</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/GDPR%20-%20Claude%20Skill/gdpr-compliance.skill">gdpr-compliance.skill</a></td></tr>
+          <tr><td>5. 🏥 HIPAA</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/HIPAA%20-%20Claude%20Skill/hipaa-compliance.skill">hipaa-compliance.skill</a></td></tr>
+          <tr><td>6. 🛡️ NIST CSF</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/NIST%20Cybersecurity%20framework%20-%20Claude%20Skill/NIST%20Cybersecurity.skill">NIST Cybersecurity.skill</a></td></tr>
+          <tr><td>7. 💳 PCI DSS</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/PCI%20Compliance%20-%20Claude%20Skill/PCI-Compliance.skill">PCI-Compliance.skill</a></td></tr>
+          <tr><td>8. 🚨 TSA Cybersecurity</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/TSA%20Compliance%20-%20Claude%20Skill/TSA-Compliance.skill">TSA-Compliance.skill</a></td></tr>
+          <tr><td>9. 🤖 ISO 42001 AI Management System</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/ISO%2042001%20-%20Claude%20Skill/ISO-42001.skill">ISO-42001.skill</a></td></tr>
         </tbody>
       </table>
     </div>
@@ -850,7 +850,7 @@ <h4>🆕 New Skills (4)</h4>
           <li><span class="release-badge badge-new">New</span> <strong>NIST CSF</strong> — CSF 2.0 and CSF 1.1 advisor covering all six functions (Govern, Identify, Protect, Detect, Respond, Recover), gap assessments, organisational profiles, and implementation tiers</li>
           <li><span class="release-badge badge-new">New</span> <strong>PCI DSS</strong> — PCI DSS v4.0.1 advisor covering all 12 requirements, all 8 SAQ types, CDE scoping, v3.2.1 → v4.0.1 migration guidance</li>
           <li><span class="release-badge badge-new">New</span> <strong>TSA Cybersecurity</strong> — TSA Security Directive advisor for pipeline and rail critical infrastructure, CRMP drafting, OT/ICS implementation, and CISA 24-hour incident reporting</li>
-          <li><span class="release-badge badge-new">New</span> <strong>ISO 42001 AI Management System</strong> — ISO/IEC 42001:2023 AIMS advisor covering all 38 Annex A controls, AISIA methodology, AI risk assessment, and EU AI Act mapping</li>
+          <li><span class="release-badge badge-new">New</span> <strong>ISO 42001 AI Management System</strong> — ISO/IEC 42001:2023 AIMS advisor covering all 38 Annex A controls (A.2–A.10), AISIA methodology, AI risk assessment, and EU AI Act mapping</li>
         </ul>
         <h4>📊 Skill Evaluation</h4>
         <ul>

README.md

@@ -34,7 +34,7 @@ Identify the user's goal and jump to the appropriate section:
 ## Current FedRAMP State (as of 2025–2026)
 
 - **Baseline**: NIST SP 800-53 **Rev 5** (approved May 2023, fully in effect)
-- **Control counts** (Rev 5): Low = ~156, Moderate = 323, High = 410
+- **Control counts** (Rev 5): Low = ~156, Moderate = 323, High = 421
 - **OSCAL mandate**: RFC-0024 requires all CSPs to transition to machine-readable OSCAL packages by **September 2026**
 - **Security Inbox**: As of January 5, 2026, all authorized CSPs must maintain a dedicated Security Inbox for urgent vulnerability directives (no CAPTCHAs or barriers)
 - **FedRAMP 20x**: A modernization initiative in progress; introduces continuous authorization and modular/API-driven submissions. Traditional SSP/SAP/SAR templates remain required for non-20x paths.
@@ -46,7 +46,7 @@ Identify the user's goal and jump to the appropriate section:
 
 ### Approach
 1. **Clarify scope** — Ask the user: What is the CSO (Cloud Service Offering)? IaaS/PaaS/SaaS? Target impact level?
-2. **Identify authorization path** — Agency Authorization (sponsor needed) vs. JAB (Joint Authorization Board, now limited) vs. FedRAMP 20x pilot
+2. **Identify authorization path** — Agency Authorization (sponsor needed) vs. JAB P-ATO (Joint Authorization Board — effectively suspended since 2024; verify current status with FedRAMP PMO) vs. FedRAMP 20x pilot
 3. **Run through the readiness checklist** — See `references/readiness-checklist.md`
 4. **Surface gaps** — Map current state to required controls; flag missing documentation, unimplemented controls, and architectural deficiencies
 5. **Prioritize** — Group gaps by: (a) blockers for readiness review, (b) items addressable before 3PAO assessment, (c) POA&M candidates