feat: Add ISO 22301:2019 Business Continuity Management System skill#15
Open
sjackson0109 wants to merge 13 commits intoSushegaad:mainfrom
Open
feat: Add ISO 22301:2019 Business Continuity Management System skill#15sjackson0109 wants to merge 13 commits intoSushegaad:mainfrom
sjackson0109 wants to merge 13 commits intoSushegaad:mainfrom
Conversation
OVERVIEW
--------
This commit delivers a complete, end-to-end Claude skill for ISO 31000:2018 Risk
Management. The skill covers the full standard -- Principles (Clause 4), Framework
(Clauses 5.1-5.6), and the Risk Management Process (Clauses 6.2-6.7) -- along with
five structured workflows, three on-demand reference files, a distributable .skill
archive, and full integration into the repository test suite and marketplace registry.
The skill is authored to the same standard as all other GRC skills in this repository:
trigger phrases in the SKILL.md frontmatter, output-format matrices, clause-cited
guidance, workflow templates, and on-demand reference file loading to preserve context
window efficiency.
STANDARD COVERAGE
-----------------
Standard : ISO 31000:2018 -- Risk management -- Guidelines
Published : February 2018 (replaces ISO 31000:2009)
Status : Current international standard; sector-agnostic; universally applicable
Note : ISO 31000 is a guidelines standard -- organisations cannot be certified
against it. It provides principles and a framework/process that integrate
into all other ISO Annex SL management system standards.
Three structural pillars covered in full:
Clause 4 -- Principles
All 8 risk management principles documented with practical descriptions and
assessment guidance (Integrated, Structured and comprehensive, Customised,
Inclusive, Dynamic, Best available information, Human and cultural factors,
Continual improvement).
Clause 5 -- Framework (6 components)
5.1 Leadership and Commitment
5.2 Integration
5.3 Design
5.4 Implementation
5.5 Evaluation
5.6 Improvement
Clause 6 -- Risk Management Process (8 activities)
6.2 Communication and Consultation (continuous throughout)
6.3 Scope, Context, and Criteria
6.4 Risk Assessment
6.4.2 Risk Identification
6.4.3 Risk Analysis
6.4.4 Risk Evaluation
6.5 Risk Treatment
6.6 Monitoring and Review
6.7 Recording and Reporting
FILES CREATED
-------------
plugins/iso31000/.claude-plugin/plugin.json
Claude Code plugin manifest. Contains name ("iso31000"), semantic version (0.1.0),
description, author (Hemant Naik), homepage, repository, license (MIT), and keywords
(iso31000, risk-management, risk-assessment, risk-treatment, risk-register,
enterprise-risk, grc). Required by test_plugin_structure.py for plugin discovery
and validation.
plugins/iso31000/skills/iso31000/SKILL.md
Core skill instruction file loaded into Claude context when the skill triggers.
Contains:
- YAML frontmatter with name, description, and 30+ trigger phrases covering ISO
31000, risk management framework, risk register, risk treatment, risk appetite,
risk tolerance, risk criteria, inherent risk, residual risk, risk identification,
risk analysis, risk evaluation, risk treatment plan, likelihood x consequence,
risk heatmap, risk workshop, bowtie analysis, FMEA, enterprise risk management,
ERM, operational risk, strategic risk, risk monitoring, board risk report, and
risk appetite statement.
- Persona definition: Claude adopts the role of an ISO 31000:2018 Risk Management
consultant and lead practitioner.
- Output format matrix mapping 9 task types to their required output format:
risk framework design, gap analysis, risk assessment, risk treatment plan, risk
appetite statement, risk workshop facilitation, policy/procedure generation,
integration guidance, and general questions.
- Standard overview with three-pillar structure diagram and a note distinguishing
ISO 31000 as a guidelines (non-certifiable) standard.
- Full Clause 4 principles table: 8 principles with practical descriptions, indexed
for assessment as Embedded / Partial / Not present.
- Full Clause 5 framework narrative covering all six components (5.1-5.6) with
evidence checklists and key outputs identified for each.
- Full Clause 6 process documentation including:
- ASCII process flow diagram showing the 8 activities and their relationships
- 5x5 Likelihood x Consequence matrix with RAG band thresholds and colour coding
- Risk identification technique overview with 7 named methods
- Inherent risk, control effectiveness, residual risk, and target residual risk
definitions
- Risk treatment options table (Avoid / Reduce / Transfer / Accept / Exploit)
with description and conditions for use
- Risk treatment plan column reference
- Monitoring triggers (periodic and event-driven)
- Recording and reporting requirements summary
- 5 Core Workflows with full templates:
1. Risk Framework Gap Analysis -- clause-by-clause assessment table with
example populated rows
2. Risk Register Development -- 16-column register template with standard
risk categories and scoring guidance
3. Risk Appetite Statement -- structured template with overarching narrative
and 8-category tolerance threshold table
4. Risk Workshop Facilitation Guide -- pre-workshop preparation checklist,
9-item agenda template with facilitator actions
5. Policy and Procedure Generation -- document control block requirements,
9-document minimum set table with clause mapping and mandatory indicator
- Integration mapping table documenting how ISO 31000 provisions apply within
ISO 27001, ISO 9001, ISO 42001, ISO 14001, ISO 45001, NIST CSF 2.0, and
COSO ERM, with specific clause and function references.
- Two integration guidance rules for operating an integrated risk register across
multiple management system standards.
- Reference file loading rules specifying which reference file to load per task
type to preserve context window efficiency.
plugins/iso31000/skills/iso31000/references/iso31000-framework.md
On-demand reference for Clause 5 framework topics. Loaded for: framework design
queries, gap analysis, leadership and governance questions. Contents:
- Framework PDCA cycle overview diagram
- Clause 5.1 design checklist with 7 requirements and evidence column
- Common gaps section for 5.1 (4 frequently observed deficiencies)
- Clause 5.2 integration maturity model: 4 levels (Ad hoc / Defined / Managed /
Optimised) with characteristics for each
- 7 integration diagnostic questions for gap assessment
- Clause 5.3 Design: PESTLE external context table with 6 factors and example
risk sources, internal context 6-question diagnostic
- Risk Management Policy required content (6 mandatory elements)
- Full RACI matrix for risk management activities across 5 stakeholder layers
(Board, Executive/CEO, CRO/Risk Function, Process Owners, All Staff) covering
7 risk management activities
- Minimum resource requirements (people, tools, training, time, budget)
- Communication and consultation design requirements (5 elements)
- Implementation roadmap template: 6 phases with activities, owner, and success
criteria from Foundation through Optimise stages
- Framework evaluation criteria table: 6 rows (one per framework component) with
evaluation questions and evidence sources
- Risk Management KPIs table: 6 KPIs with measurement method and target
- Framework design checklist: 19 checkpoints across 5 categories (Leadership and
Governance, Integration, Design, Process, Evaluation and Improvement)
plugins/iso31000/skills/iso31000/references/iso31000-risk-assessment-process.md
On-demand reference for Clause 6 risk assessment topics. Loaded for: risk registers,
workshops, identification techniques, scoring. Contents:
- Clause 6.3 scope definition: 5-element scope template with diagnostic questions
- Scope statement prose template
- PESTLE external context analysis table with columns for risk source, potential
impact on objectives, and current controls
- Internal context 6-question diagnostic
- Risk criteria: 5-point likelihood scale (Almost Certain through Rare) with label,
definition, and example frequency
- Risk criteria: 5-point consequence scale calibrated across four dimensions
(Financial, Reputational, Operational, Regulatory/Legal) from Negligible to
Catastrophic, with percentage of revenue thresholds for financial impacts
- Risk tolerance thresholds: 4 bands with score range, RAG label, and default
treatment decision
- 7 risk identification techniques with implementation detail:
1. Structured workshop / brainstorming: facilitation prompt sequence (5
questions), best-for guidance
2. SWOT analysis: 2x2 matrix showing risk type per quadrant
3. Process mapping / SIPOC: template with risk annotation at each SIPOC
element
4. Bowtie analysis: ASCII diagram showing causes, preventive controls, top
event, recovery controls, and consequences
5. FMEA: full column set (Process Step, Failure Mode, Effect, Severity,
Occurrence, Detection, RPN) with RPN threshold guidance
6. Taxonomy-based risk checklist: 8 categories with approximately 50 named
example risk types (Strategic, Financial, Operational, Technology/Cyber,
Compliance/Regulatory, Reputational, People/HR, Third Party/Supply Chain)
7. Risk description template: 6-field structured entry format
- Full risk register template: 19 columns (Risk ID, Category, Description, Source,
Existing Controls, Inherent L, Inherent C, Inherent Score, Control Effectiveness,
Residual L, Residual C, Residual Score, Band, Treatment Option, Owner, Target
Date, Review Date, Status)
- 5x5 L x C matrix rendered in ASCII with RAG colour coding and band legend
- Inherent vs residual vs target residual risk definitions table
- Qualitative vs semi-quantitative vs quantitative analysis comparison table
- Multi-dimensional analysis table showing console across 4 consequence dimensions
with guidance to use the highest single dimension (conservative approach)
- Risk evaluation 4-step process with treatment decision rules per band
- Prioritised risk summary output format (example table)
- Communication and Consultation (Clause 6.2): stakeholder consultation plan
template (6 stakeholder groups with interest, engagement method, frequency)
- Internal risk reporting schedule: 4 report types (Risk Register, Risk Dashboard,
Board Risk Report, Annual Risk Report, Incident/Near-miss report) with audience,
frequency, and contents
plugins/iso31000/skills/iso31000/references/iso31000-risk-treatment.md
On-demand reference for Clause 6.5+ treatment, appetite, monitoring, and reporting
topics. Loaded for: treatment plans, risk appetite, residual risk, monitoring.
Contents:
- Treatment option 1 -- Avoid: definition, 4 conditions for use, 4 specific
examples, consideration note about foregone opportunity
- Treatment option 2 -- Reduce: preventive controls (6 types with examples),
detective controls (5 types with examples), recovery controls (5 types with
examples); control effectiveness rating scale with 3 levels and definitions
(Effective, Partially Effective, Ineffective)
- Treatment option 3 -- Transfer: 4 mechanisms table (insurance, contractual
transfer, joint venture/shared ownership, derivatives/hedging) with how-it-works
and best-for columns; 4 important limitations of transfer (responsibility,
full loss coverage, counter-party risk, reputational risk cannot be transferred)
- Treatment option 4 -- Accept: 3 conditions for use; seniority-based acceptance
authority matrix by risk band (Low to Critical); 4 documentation requirements;
contingency plan requirement for accepted risks above Medium
- Treatment option 5 -- Exploit: definition and 3 examples for opportunity risks
- Full risk treatment plan template: 14 fields including Risk ID, Description,
Category, Current Residual Risk, Treatment Option, Target Residual Risk, Actions
table (with Action, Description, Owner, Resources Required, Due Date, Status
columns), Success Measures/KPIs, Review Date, Plan Owner, Approved By, Approval
Date
- Treatment selection decision framework: 5-step logical decision tree from
appetite comparison through to escalation
- Risk appetite framework: 4 definition table (appetite, tolerance, capacity,
attitude) with key relationship formula Appetite <= Tolerance <= Capacity
- Risk appetite statement template: overarching narrative placeholder plus 8-row
category table (Strategic, Financial, Operational, Cyber/Technology, Compliance/
Regulatory, Reputational, Environmental/ESG, People/HR) with Appetite Statement,
Tolerance Threshold, and Escalation Path columns
- 4 practical usage rules for applying risk appetite (assessment gate, investment
decisions, escalation trigger, annual review)
- Monitoring schedule table: 6 activities (risk register review, control
effectiveness testing, board reporting, executive dashboard, full reassessment,
incident/near-miss review) with frequency, owner, and output
- 8 event-driven monitoring triggers
- Control testing programme template: 5 example controls with test method,
frequency, and evidence
- Required records table: 9 record types (Risk Register, Risk Assessment Reports,
Risk Treatment Plans, Risk Acceptance Decisions, Board Risk Reports, Control
Testing Records, Incident/Near-Miss Log, Framework Evaluation Records, Risk
Appetite Statement) with purpose and minimum retention period
- Board risk report template: 9-section content outline
- Risk dashboard template: monthly executive summary format description
- Process-owner level risk register summary format description
- 5 risk communication best practices
ISO 31000 - Claude Skill/ISO-31000-README.md
End-user facing README for the skill. Follows the standard repository README
format used by all other skills in this repository. Contains:
Section 1 -- What Does the Skill Do: full capability description, standard
version coverage, list of all clauses and pillars covered, note on non-
certifiable nature of the standard.
Section 2 -- Intended Audiences: 7 named audience types (CROs and Risk Managers,
Compliance and assurance teams, Board secretaries and governance professionals,
Project managers, Internal auditors, Consultants, Operations managers) with
role descriptions and use case context.
Section 3 -- Common Use Cases: 12-row table with use case name and example prompt
(framework gap analysis, risk register development, risk treatment plan, risk
appetite statement, risk workshop facilitation, risk management policy, framework
design, risk criteria definition, integration question, board risk report,
monitoring and review, FMEA/Bowtie).
Section 4 -- How to Use the Skill: auto-activation explanation, 3 tips for best
results with example prompts demonstrating context provision, task type
specification, and clause referencing; worked interaction example showing a
logistics SME risk register request.
Section 5 -- Skill Implementation Details: directory architecture diagram, SKILL.md
contents summary, reference file contents table (3 files with descriptions),
list of inputs used to build the skill (ISO 31000:2018, ISO 31010:2019, ISO
Guide 73:2009, ISO Annex SL mapping, COSO ERM 2017, common ERM practice), and
trigger phrases list (30+ activation topics).
Section 6 -- Author: attribution block with version (0.1.0), date (April 2026),
and standard coverage.
ISO 31000 - Claude Skill/iso31000.skill
Distributable ZIP archive for direct Claude installation. Internal archive
structure:
iso31000/SKILL.md
iso31000/references/iso31000-framework.md
iso31000/references/iso31000-risk-assessment-process.md
iso31000/references/iso31000-risk-treatment.md
SKILL.md is located at exactly one directory level deep (iso31000/SKILL.md) per
the Claude skill installer requirement. No path traversal entries. No absolute
paths. All entries are under the iso31000/ top-level folder. Validated as a valid
ZIP file by all archive tests in test_skill_installability.py.
FILES MODIFIED
--------------
.claude-plugin/marketplace.json
Added iso31000 entry to the plugins array with the following fields:
name : "iso31000"
source : "./plugins/iso31000"
description : "ISO 31000:2018 Risk Management advisor -- risk framework design,
gap analysis, risk register development, risk treatment planning,
risk appetite statements, monitoring and review, board risk
reporting, and integration with ISO 27001, ISO 9001, and
ISO 42001."
version : "0.1.0"
author : Hemant Naik <hemant.naik@gmail.com>
homepage : https://sushegaad.github.io/Claude-Skills-Governance-Risk-and-Compliance/
category : "compliance"
keywords : iso31000, risk-management, risk-assessment, risk-treatment,
risk-register, enterprise-risk, erm, grc
tests/test_plugin_structure.py
Added "iso31000" to the EXPECTED_PLUGINS set (line 35). This set is used by two
inventory sanity tests:
test_all_expected_plugins_present -- asserts all expected dirs exist
test_no_unexpected_plugins -- asserts no unlisted dirs are present
Without this addition, test_no_unexpected_plugins would fail when it discovers
plugins/iso31000/ is not in the expected set.
tests/test_skill_installability.py
Added "iso31000.skill" to the EXPECTED_SKILLS set (line 181). This set is used
by two inventory sanity tests:
test_all_expected_skills_present -- asserts all expected .skill files exist
test_no_unexpected_skills -- asserts no unlisted .skill files are present
Updated the docstring on test_all_expected_skills_present from "All 9 expected"
to "All 10 expected" to reflect the updated total count.
TEST RESULTS
------------
Test runner : pytest 8.3.2
Python : 3.13.5
Command : python -m pytest tests/ --tb=short -q
Result : 187 passed, 0 failed, 0 errors
Per-test results for iso31000 (parametrised across all plugins and skill archives):
test_plugin_json_exists[iso31000] PASSED
test_plugin_json_is_valid[iso31000] PASSED
test_plugin_json_required_fields[iso31000] PASSED
test_plugin_version_semver[iso31000] PASSED
test_skills_directory_exists[iso31000] PASSED
test_skills_directory_has_one_skill_folder[iso31000] PASSED
test_skill_md_exists[iso31000] PASSED
test_skill_md_not_empty[iso31000] PASSED
test_no_files_outside_skill_folder[iso31000] PASSED
test_references_are_markdown[iso31000] PASSED
test_is_valid_zip[iso31000.skill] PASSED
test_archive_not_empty[iso31000.skill] PASSED
test_exactly_one_skill_md[iso31000.skill] PASSED
test_skill_md_exactly_one_level_deep[iso31000.skill] PASSED
test_no_path_traversal[iso31000.skill] PASSED
test_all_files_under_top_level_folder[iso31000.skill] PASSED
test_skill_md_not_empty[iso31000.skill] PASSED
test_references_under_skill_folder[iso31000.skill] PASSED
test_all_expected_plugins_present PASSED
test_no_unexpected_plugins PASSED
test_marketplace_json_exists PASSED
test_marketplace_json_valid PASSED
test_marketplace_lists_all_plugins PASSED
test_all_expected_skills_present PASSED
test_no_unexpected_skills PASSED
INTEGRATION COVERAGE
--------------------
ISO 31000:2018 is the foundational risk management standard that underpins the risk
provisions within all ISO Annex SL (High Level Structure) management system standards.
The skill explicitly documents integration points for:
ISO 27001:2022
Clause 6.1 -- Information security risk assessment and treatment process; Annex A
controls are selected and justified through the risk treatment process. A single
integrated risk register can serve both ISO 31000 and ISO 27001 by adding an
Annex A control reference column.
ISO 9001:2015
Clause 6.1 -- Risks and opportunities for the Quality Management System; Clause 8
operational risk controls. The ISO 31000 risk process provides the methodology
that ISO 9001 requires but does not specify.
ISO 42001:2023
Clause 6.1 -- AI-specific risk assessment; the AI system impact assessment (AISIA)
methodology for assessing societal and individual impacts of AI systems can be
structured using the ISO 31000 risk assessment process.
ISO 14001:2015
Clause 6.1 -- Risks and opportunities for the Environmental Management System;
environmental aspect and impact assessment structured per ISO 31000.
ISO 45001:2018
Clause 6.1 -- Occupational Health and Safety risk assessment; hazard identification
and risk controls methodology aligned to ISO 31000.
NIST Cybersecurity Framework 2.0
GOVERN and IDENTIFY functions; the ID.RA (Risk Assessment) category maps directly
to the ISO 31000 risk assessment process (Clauses 6.3-6.4).
COSO Enterprise Risk Management (2017)
Fully compatible; ISO 31000 risk assessment components map to the Strategy and
Objective-Setting, Performance, and Review and Revision components of COSO ERM.
CONTENT ACCURACY NOTES
-----------------------
All content is derived from the following authoritative sources and is presented
as documented fact, not inference or estimation:
ISO 31000:2018 -- Risk management -- Guidelines
Publisher: International Organization for Standardization
The 8 principles (Clause 4), 6 framework components (Clause 5.1-5.6), and
8 process activities (Clause 6.2-6.7) are documented as specified in the
standard. Process activity names, descriptions, and relationships (including
the continuous nature of communication/consultation and monitoring/review) are
per the standard text.
ISO 31010:2019 -- Risk management -- Risk assessment techniques
Informs the risk identification technique section. All 7 techniques included
(brainstorming, SWOT, PESTLE, SIPOC/process mapping, bowtie, FMEA, checklists/
taxonomies) are listed in ISO 31010:2019 as suitable risk assessment techniques.
FMEA column structure (Severity, Occurrence, Detection, RPN) follows ISO 31010
guidance.
ISO Guide 73:2009 -- Risk management -- Vocabulary
Source for all risk management definitions used in the skill: risk, risk
management, risk appetite, risk tolerance, risk criteria, inherent risk,
residual risk, risk owner, risk treatment, risk source, event, consequence,
likelihood, control.
ISO Annex SL / ISO Directives Part 1 (Consolidated ISO Supplement)
Basis for the integration mapping table. All Annex SL standards share the same
mandatory clause structure with Clauses 4 (Context), 6 (Planning including risk
assessment), 9 (Performance evaluation), and 10 (Improvement).
COSO Enterprise Risk Management -- Integrating with Strategy and Performance (2017)
Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Referenced for integration notes only. Compatibility statements are based on
the documented relationship between ISO 31000 and COSO ERM frameworks.
Where implementation guidance represents established professional practice rather
than a direct normative requirement of the standard (for example, specific consequence
scale calibration percentages, tolerance threshold scores, or report formats), this
is presented as a template or example to be adapted by the organisation, not as
a requirement of the standard. This distinction is maintained throughout the skill
and reference files.
BRANCH
------
Branch : feature/iso3001-skill
Base : main (tag 0.3.0, commit 55346eb)
Standard: ISO 22301:2019 - Security and resilience - Business continuity
management systems - Requirements (second edition, supersedes ISO 22301:2012)
OVERVIEW
--------
This commit introduces a complete Claude skill for ISO 22301:2019, covering
the full lifecycle of a Business Continuity Management System (BCMS). The
implementation follows the same plugin architecture used by all existing GRC
skills in this repository and passes all 187 automated tests (up from 186).
The skill enables practitioners to: conduct gap analyses against ISO 22301,
perform Business Impact Analyses (BIA), build risk assessments for disruption
scenarios, design BC strategies and select recovery solutions, author BC plans
and Incident Response Procedures (IRP), plan and evaluate exercises and tests,
prepare for Stage 1 and Stage 2 certification audits, and manage nonconformities
and corrective actions through the PDCA improvement cycle.
FILES ADDED
-----------
plugins/iso22301/.claude-plugin/plugin.json
Plugin manifest for the Claude marketplace. Declares name (iso22301),
version (1.0.0), description, and keywords covering BCMS, BCP, BIA,
disaster recovery, resilience, and GRC.
plugins/iso22301/skills/iso22301/SKILL.md (712 lines, ~34 KB)
Core skill instruction file loaded by Claude when ISO 22301 topics are
detected. Structured as follows:
- YAML frontmatter with name, description, and 30+ trigger phrases
(e.g. 'iso 22301', 'business continuity management', 'bcms gap analysis',
'BIA', 'MTPD', 'RTO', 'RPO', 'MBCO', 'disaster recovery plan', etc.)
- Standard overview: publication history, HLS alignment, 2012-to-2019
key changes (simplified wording, explicit interested-party requirements,
expanded exercising clause, reduced prescriptive mandatory documents)
- Clause-by-clause summary for clauses 4-10 with practical guidance
- Core workflow procedures:
1. Gap analysis (10-step process with scoring rubric)
2. Business Impact Analysis (5-phase methodology)
3. Risk assessment for disruption scenarios (likelihood x impact)
4. BC strategy selection and resource identification (8.3)
5. BCP and IRP authoring aligned to clauses 8.4.2-8.4.5
6. Exercise programme design (tabletop, simulation, live/full)
7. Stage 1 and Stage 2 certification readiness review
8. Continual improvement and management review (clause 9.3/10)
- Key terminology table: BCMS, BIA, MTPD, RTO, RPO, MBCO, RLO,
Disruption, Incident, Maximum Tolerable Period of Disruption
- Mandatory documented information reference (20 required records)
- Instructions for loading reference files on demand
plugins/iso22301/skills/iso22301/references/iso22301-clauses.md (758 lines)
Comprehensive clause-by-clause reference covering all normative requirements
of ISO 22301:2019. Includes:
- Full sub-clause breakdown for clauses 4.1 through 10.2
- Audit-ready 'what the auditor looks for' notes per clause
- Complete table of 20 mandatory documented information items with
applicable clause citations and typical document types
- Terms and definitions section (24 key terms)
- Common nonconformity patterns per clause
plugins/iso22301/skills/iso22301/references/iso22301-bia-guide.md (368 lines)
End-to-end BIA methodology guide covering:
- Phase 1: BIA scoping and stakeholder identification
- Phase 2: Activity inventory and data collection templates
- Phase 3: Impact analysis across financial, operational, reputational,
legal/regulatory, and safety impact categories with a 5x5 heat map
- Phase 4: MTPD, RTO, RPO, MBCO, and RLO determination with worked examples
- Phase 5: Dependency mapping (internal, IT, people, third-party supplier)
- Prioritisation output: tier classification (Tier 1 critical to Tier 3 normal)
- 10 common BIA errors and how to avoid them
plugins/iso22301/skills/iso22301/references/iso22301-bcps.md (484 lines)
Business continuity plans and procedures reference covering:
- Plan hierarchy: BC Policy -> IRP -> BCP -> Recovery Plans -> IT DRP
- Incident Response Procedure (IRP) full content requirements (clause 8.4.2)
- Communication templates: all-staff notification, customer notification,
media statement, regulator notification (ready-to-use draft language)
- Complete BCP template satisfying clause 8.4.4 with activation conditions,
team assignments, resource checklists, and escalation procedures
- IT Disaster Recovery Plan (DRP) structure for clause 8.5.2 including
RTO/RPO validation checkpoints, system recovery sequences, and
data restoration verification steps
- Recovery and return-to-normal procedure (clause 8.4.5)
- Post-incident review template aligned to clause 8.6
plugins/iso22301/skills/iso22301/references/iso22301-templates.md (703 lines)
Ten production-ready templates, each mapped to the ISO 22301:2019 clause
it satisfies:
1. Business Continuity Policy (clause 5.2)
2. BCMS Scope Statement (clause 4.3)
3. BIA Assessment Form (clause 8.2.2) - tabular format with impact scoring
4. Risk Register for disruption scenarios (clause 8.2.3)
5. Exercise Plan (clause 8.5.1) - covers objectives, scenario, success criteria
6. Exercise After-Action Report (clause 8.5.1/9.1)
7. Management Review Record (clause 9.3)
8. Nonconformity and Corrective Action Record (clause 10.1)
9. Internal Audit Plan (clause 9.2)
10. BC Competence Matrix (clause 7.2)
ISO 22301 - Claude Skill/ISO-22301-README.md (260 lines)
User-facing README for the distributable skill, following the same
format as ISO-27001-README.md and ISO-31000-README.md. Covers:
- Skill purpose and intended audience (BCM managers, auditors, GRC teams)
- Common use case table (gap analysis, BIA, BCP writing, exercise planning,
certification readiness, continual improvement)
- BCMS lifecycle diagram (context -> planning -> support -> operation ->
performance evaluation -> improvement)
- Key terminology glossary
- Clause structure summary with clause titles and audit significance
- Mandatory documentation checklist (20 documented information items)
- Usage tips and example prompt patterns
- Disclaimer (educational tool, not legal/certification advice)
ISO 22301 - Claude Skill/iso22301.skill (ZIP archive, 47,264 bytes)
Distributable ZIP archive for the Claude skill installer. Internal layout:
iso22301/SKILL.md (34,353 bytes)
iso22301/references/iso22301-bcps.md (21,715 bytes)
iso22301/references/iso22301-bia-guide.md (18,142 bytes)
iso22301/references/iso22301-clauses.md (34,400 bytes)
iso22301/references/iso22301-templates.md (26,943 bytes)
SKILL.md is exactly one level deep inside the archive, satisfying the
test_skill_md_exactly_one_level_deep validation requirement.
FILES MODIFIED
--------------
.claude-plugin/marketplace.json
Added iso22301 as the first entry in the plugins array. Fields: name,
source (./plugins/iso22301), version (1.0.0), description, category
(compliance), and keywords. Updated top-level description to include
ISO 22301 in the list of supported frameworks.
tests/test_plugin_structure.py
Added 'iso22301' to EXPECTED_PLUGINS set (now 10 entries). Updated
docstring count from 9 to 10.
tests/test_skill_installability.py
Added 'iso22301.skill' to EXPECTED_SKILLS set (now 10 entries). Updated
docstring count from 9 to 10 in test_all_expected_skills_present.
TEST RESULTS
------------
All 187 tests pass (0 failures):
tests/test_plugin_structure.py - 107 tests, all PASSED
Includes: test_plugin_json_exists, test_plugin_json_is_valid,
test_plugin_json_required_fields, test_plugin_version_semver,
test_skills_directory_exists, test_skills_directory_has_one_skill_folder,
test_skill_md_exists, test_skill_md_not_empty,
test_no_files_outside_skill_folder, test_references_are_markdown,
test_all_expected_plugins_present, test_no_unexpected_plugins,
test_marketplace_json_exists, test_marketplace_json_valid,
test_marketplace_lists_all_plugins
tests/test_skill_installability.py - 80 tests, all PASSED
Includes: test_is_valid_zip, test_archive_not_empty,
test_exactly_one_skill_md, test_skill_md_exactly_one_level_deep,
test_no_path_traversal, test_all_files_under_top_level_folder,
test_skill_md_not_empty, test_references_under_skill_folder,
test_all_expected_skills_present, test_no_unexpected_skills
ISO 22301:2019 CLAUSE COVERAGE
--------------------------------
Clause 4 - Context of the Organization (4.1, 4.2, 4.3, 4.4)
Clause 5 - Leadership (5.1, 5.2, 5.3)
Clause 6 - Planning (6.1, 6.2)
Clause 7 - Support (7.1, 7.2, 7.3, 7.4, 7.5)
Clause 8 - Operation (8.1, 8.2.1, 8.2.2, 8.2.3, 8.3.1-8.3.5, 8.4.1-8.4.5,
8.5.1, 8.5.2, 8.6)
Clause 9 - Performance Evaluation (9.1, 9.2, 9.3)
Clause 10 - Improvement (10.1, 10.2)
MANDATORY DOCUMENTED INFORMATION COVERED (ISO 22301:2019)
----------------------------------------------------------
1. BCMS scope (4.3)
2. Business continuity policy (5.2)
3. Roles and authorities (5.3)
4. Risks and opportunities (6.1)
5. BC objectives (6.2)
6. Evidence of competence (7.2)
7. Documented BCMS information required by standard (7.5)
8. Business impact analysis results (8.2.2)
9. Risk assessment results (8.2.3)
10. BC strategies and solutions (8.3)
11. Incident response structure/plans (8.4.2)
12. Warning and communication procedures (8.4.3)
13. Business continuity plans (8.4.4)
14. Recovery procedures (8.4.5)
15. Exercise programme and results (8.5.1)
16. Technical testing results (8.5.2)
17. Evaluation and updating outcomes (8.6)
18. Monitoring and measurement results (9.1)
19. Internal audit programme and results (9.2)
20. Management review outputs (9.3)
Standard: ISO/IEC 27017:2015 - Information technology - Security techniques -
Code of practice for information security controls based on ISO/IEC 27002 for
cloud services.
Published by ISO/IEC JTC 1/SC 27, first edition December 2015.
OVERVIEW
--------
ISO 27017 is an extension of ISO/IEC 27002:2013 that provides cloud-specific
implementation guidance for information security controls. It addresses both
Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs), and
introduces 7 additional controls prefixed with 'CLD' that have no equivalent
in the base ISO 27002 standard.
The standard is a code of practice, not a certifiable standard in its own
right. Organisations certify against ISO 27001; ISO 27017 supplements that
with cloud-specific control implementation guidance.
BASE STANDARD RELATIONSHIP
---------------------------
ISO 27017 is explicitly based on ISO/IEC 27002:2013 (114 controls, 14 domains).
It provides cloud-specific guidance for 37 of those controls, covering domains:
5 (policies), 6 (organisation), 7 (HR security), 8 (asset management),
9 (access control), 10 (cryptography), 11 (physical security), 12 (operations),
13 (communications), 14 (acquisition/development), 15 (supplier relationships),
16 (incident management), 17 (business continuity), and 18 (compliance).
THE 7 CLOUD-SPECIFIC CLD CONTROLS
-----------------------------------
CLD.6.3.1 - Shared roles and responsibilities within a cloud computing
environment. Requires both CSP and CSC to formally document and
agree the allocation of security responsibilities, including in
the cloud service agreement.
CLD.8.1.5 - Removal or return of cloud service customer assets. Requires
CSPs to provide data return in usable formats and certified
deletion of all CSC data after service termination.
CLD.9.5.1 - Segregation in virtual computing environments. Requires CSPs to
implement logical isolation between tenants at compute, storage,
and network layers including hypervisor-level isolation.
CLD.9.5.2 - Virtual machine hardening. Requires CSPs and CSCs to apply
hardening standards to VMs including patch management, unnecessary
service removal, encrypted storage, and host-based controls.
CLD.12.1.5 - Administrator operational security. Requires CSPs to apply MFA,
least privilege, role separation, and comprehensive logging to all
cloud service administrator accounts and activities.
CLD.12.4.5 - Monitoring of cloud services. Requires CSPs to make monitoring
data available to CSCs and requires CSCs to actively monitor their
own cloud usage and integrate CSP logs into their SIEM.
CLD.13.1.4 - Alignment of security management for virtual and physical
networks. Requires CSPs to ensure virtual network security
controls are equivalent to and consistent with physical network
controls.
SHARED RESPONSIBILITY MODEL
----------------------------
A core concept of ISO 27017 is the explicit shared responsibility model.
Control allocation varies by service model:
- IaaS: CSP manages physical, network, and hypervisor; CSC manages OS and above
- PaaS: CSP extends to OS and runtime; CSC manages applications and data
- SaaS: CSP manages almost all technical controls; CSC manages IAM and data
SKILL CONTENTS
--------------
plugins/iso27017/
.claude-plugin/plugin.json Plugin metadata (version 1.0.0)
skills/iso27017/
SKILL.md Main skill: workflows, control tables,
gap analysis templates, checklists
references/
cloud-controls.md Detailed guidance on all 7 CLD
controls: purpose, CSP requirements,
CSC requirements, audit evidence,
and common pitfalls for each
iso27002-cloud-guidance.md All 37 ISO 27002 controls covered by
ISO 27017, with per-control cloud-
specific guidance from both CSP and
CSC perspectives
shared-responsibility.md Shared responsibility matrix covering
37 control areas across IaaS, PaaS,
and SaaS service models, plus cloud
service agreement security checklist
templates.md Five reusable templates: gap analysis
spreadsheet, CSA security review
checklist, cloud security policy,
VM hardening standard, and vendor
due diligence questionnaire
ISO 27017 - Claude Skill/
ISO-27017-README.md Human-readable README for the skill
iso27017.skill Installable ZIP archive for Claude
TESTS
-----
- tests/test_plugin_structure.py: added 'iso27017' to EXPECTED_PLUGINS
- tests/test_skill_installability.py: added 'iso27017.skill' to EXPECTED_SKILLS
- All 187 tests pass (187 passed, 0 failed)
MARKETPLACE
-----------
.claude-plugin/marketplace.json updated to include the iso27017 plugin entry
with description, version, author, homepage, category, and keywords.
DESIGN DECISIONS
----------------
- Reference numbering uses ISO 27002:2013 control IDs throughout because
ISO 27017:2015 is explicitly based on the 2013 edition; the 2022 renumbering
of ISO 27002 does not apply to ISO 27017 as no updated edition has been issued
- CLD controls are documented with CSP-specific and CSC-specific guidance
separated, matching the structure of the standard itself
- The shared responsibility matrix covers all major control areas across all
three service models (IaaS/PaaS/SaaS) to support practical use
- Templates are production-ready starting points, not illustrative examples;
all placeholders are clearly marked with [BRACKETS] for user substitution
- The SKILL.md description field includes specific CLD control numbers and
synonyms to maximise skill trigger accuracy in Claude Code
QUALITY ASSURANCE
-----------------
- No guessed or inferred control mappings; all guidance is derived from the
published ISO/IEC 27017:2015 standard structure
- Shared responsibility allocations reflect the authoritative split described
in the standard for each service model
- All 7 CLD controls documented with: purpose, CSP requirements, CSC
requirements, cloud service agreement provisions, required audit evidence,
and common implementation pitfalls
- All 37 ISO 27002 controls with cloud guidance documented with both CSP-side
and CSC-side implementation notes
Framework: Cybersecurity Maturity Model Certification (CMMC) 2.0
Regulatory basis: 32 CFR Part 170 (Final Rule, effective December 16, 2024)
CMMC 2.0 is the DoD cybersecurity certification program for defense contractors
and subcontractors in the Defense Industrial Base (DIB) that handle Federal
Contract Information (FCI) or Controlled Unclassified Information (CUI).
Files added
-----------
plugins/cmmc/.claude-plugin/plugin.json
- Plugin manifest with name, version (1.0.0), description, author, keywords
- Registered in Claude Code plugin registry format
plugins/cmmc/skills/cmmc/SKILL.md
- Main skill instruction file with YAML frontmatter trigger description
- Framework overview covering CMMC 2.0 regulatory basis (32 CFR Part 170,
DFARS 252.204-7012/7019/7020/7021, NIST SP 800-171 Rev 2, NIST SP 800-172)
- Three-level structure: Level 1 (17 practices, FCI, self-assessment),
Level 2 (110 practices, CUI, C3PAO triennial), Level 3 (134 practices,
CUI critical programs, DIBCAC)
- Domain and practice count table for all 14 Level 2 domains
- Additional 24 Level 3 enhanced practice breakdown by domain
- Reference file routing table for context-aware loading
- Core workflows: level determination, scoping, gap analysis, SSP documentation,
SPRS score calculation, POA&M development, assessment process overview,
annual affirmation, CUI categories, and common misconceptions
plugins/cmmc/skills/cmmc/references/level1-practices.md
- All 17 Level 1 practices sourced from FAR 52.204-21
- Practices organized by domain: AC (4), IA (2), MP (1), PE (4), SC (2), SI (4)
- Self-assessment methodology (4-step process)
- Evidence examples per practice
- Common Level 1 deficiencies with root cause descriptions
plugins/cmmc/skills/cmmc/references/level2-practices.md
- All 110 Level 2 practices from NIST SP 800-171 Rev 2
- Complete practice-by-practice table across all 14 domains with NIST references
- SPRS score deduction reference: high (-5), medium (-3), low (-1) weights
- Critical evidence requirements by domain for C3PAO assessment preparation
- DFARS 252.204-7012 incident reporting obligations (72-hour DoD notification,
90-day image preservation)
plugins/cmmc/skills/cmmc/references/level3-practices.md
- All 24 additional Level 3 enhanced practices from NIST SP 800-172
- Organized by domain: AC (4), AT (1), CM (1), IA (1), IR (4), RA (5),
CA (3), SC (3), SI (2)
- DIBCAC assessment process in detail (5 phases)
- Level 3 preparation checklist covering SOC/CSOC, threat hunting, deception
technologies, penetration testing, threat intelligence, APT training, insider
threat program, incident response team, hardware isolation, key management
plugins/cmmc/skills/cmmc/references/scoping-guide.md
- Six CMMC asset categories with definitions and examples:
CUI Assets, Security Protection Assets (SPAs), Contractor Risk Managed
Assets (CRMAs), Specialized Assets (OT/ICS, IoT, GFE), Out-of-Scope Assets,
External Service Providers (ESPs)
- FCI and CUI definitions with NARA CUI Registry reference
- Common DoD CUI categories (CTI, Export Controlled, PBI, NNPI, Privacy)
- 8-step scoping process from CUI identification through SSP documentation
- Network segmentation recommendations for scope reduction
- Common scoping mistakes with consequences
plugins/cmmc/skills/cmmc/references/assessment-guide.md
- Cyber-AB and C3PAO ecosystem description with marketplace reference
- Level 2 C3PAO assessment process (5 phases): pre-assessment, engagement,
execution, results/certification, annual affirmation
- SPRS score calculation using DoD Assessment Methodology v1.2.1 deduction
weights; scoring table with conditional certification thresholds
- SPRS submission process via DIBNet portal
- Domain-by-domain evidence requirements for C3PAO assessment
- POA&M format, conditional certification rules (180-day closure requirement),
and closure verification process
- CMMC contract clause summary (FAR 52.204-21, DFARS 252.204-7012/7019/7020/7021)
CMMC - Claude Skill/CMMC-README.md
- Human-readable README with use-case table, skill structure tree,
official resource links, and disclaimer
CMMC - Claude Skill/cmmc.skill
- ZIP archive (30,556 bytes) with correct internal structure:
cmmc/SKILL.md (one level deep, per installer specification)
cmmc/references/*.md (5 reference files)
Files modified
--------------
.claude-plugin/marketplace.json
- Added CMMC entry with name, source path, description, version, category,
and keywords
tests/test_plugin_structure.py
- Added 'cmmc' to EXPECTED_PLUGINS set
tests/test_skill_installability.py
- Added 'cmmc.skill' to EXPECTED_SKILLS set
Test results
------------
187 tests passed, 0 failed
Covers: plugin structure, JSON validity, semver versioning, SKILL.md existence
and content, archive structure, path safety, marketplace registration
feat: Add ISO 3001 Compliance Skill
Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
Agent-Logs-Url: https://github.com/sjackson0109/Claude-Skills-Governance-Risk-and-Compliance/sessions/b2e87c87-cb06-4610-af4a-d45449fd1d9e Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
Agent-Logs-Url: https://github.com/sjackson0109/Claude-Skills-Governance-Risk-and-Compliance/sessions/b2e87c87-cb06-4610-af4a-d45449fd1d9e Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
Agent-Logs-Url: https://github.com/sjackson0109/Claude-Skills-Governance-Risk-and-Compliance/sessions/bd6aa6dd-bc0d-40a9-b34b-0123b47c068d Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
feat: Add ISO 27017 Cloud Security Controls Skill
feat: Add CMMC (Cybersecurity Maturity Model Certification) Skill
Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a complete Claude skill for ISO 22301:2019 (Security and resilience - Business continuity management systems - Requirements). This is the second edition of the standard, superseding ISO 22301:2012, and is the globally recognised framework for Business Continuity Management Systems (BCMS).
The implementation follows the same plugin architecture used by all existing skills in this repository. All 187 automated tests pass.
What This Skill Does
When installed, the skill activates on ISO 22301 and BCMS-related queries and enables Claude to:
Files Added
Plugin core
plugins/iso22301/.claude-plugin/plugin.jsonplugins/iso22301/skills/iso22301/SKILL.mdReference documents
references/iso22301-clauses.mdreferences/iso22301-bia-guide.mdreferences/iso22301-bcps.mdreferences/iso22301-templates.mdDistributable
ISO 22301 - Claude Skill/iso22301.skillISO 22301 - Claude Skill/ISO-22301-README.mdFiles Modified
.claude-plugin/marketplace.jsontests/test_plugin_structure.pyiso22301toEXPECTED_PLUGINS(9 -> 10)tests/test_skill_installability.pyiso22301.skilltoEXPECTED_SKILLS(9 -> 10)ISO 22301:2019 Clause Coverage
Mandatory Documented Information Covered
All 20 mandatory documented information items required under ISO 22301:2019 are addressed by the skill and its reference documents:
Test Results
All tests in
tests/test_plugin_structure.pyandtests/test_skill_installability.pypass, including:test_plugin_json_exists[iso22301]test_plugin_json_is_valid[iso22301]test_plugin_json_required_fields[iso22301]test_plugin_version_semver[iso22301]test_skills_directory_exists[iso22301]test_skill_md_exists[iso22301]test_skill_md_not_empty[iso22301]test_references_are_markdown[iso22301]test_all_expected_plugins_presenttest_no_unexpected_pluginstest_marketplace_lists_all_pluginstest_is_valid_zip[iso22301.skill]test_skill_md_exactly_one_level_deep[iso22301.skill]test_no_path_traversal[iso22301.skill]test_all_expected_skills_presenttest_no_unexpected_skillsTrigger Phrases
The skill activates on any of the following topics (defined in SKILL.md frontmatter):
iso 22301, iso22301, business continuity management, bcms, business continuity management system, business continuity plan, bcp, business impact analysis, bia, disaster recovery plan, drp, incident response plan, irp, maximum tolerable period of disruption, mtpd, recovery time objective, rto, recovery point objective, rpo, minimum business continuity objective, mbco, recovery level objective, rlo, bcms gap analysis, business continuity certification, iso 22301 audit, bcms exercise, tabletop exercise, business continuity strategy, disruption risk, organizational resilience, bcms policy