feat: add ISO/IEC 27017:2015 cloud security controls skill#17
Open
sjackson0109 wants to merge 6 commits intoSushegaad:mainfrom
Open
feat: add ISO/IEC 27017:2015 cloud security controls skill#17sjackson0109 wants to merge 6 commits intoSushegaad:mainfrom
sjackson0109 wants to merge 6 commits intoSushegaad:mainfrom
Conversation
OVERVIEW
--------
This commit delivers a complete, end-to-end Claude skill for ISO 31000:2018 Risk
Management. The skill covers the full standard -- Principles (Clause 4), Framework
(Clauses 5.1-5.6), and the Risk Management Process (Clauses 6.2-6.7) -- along with
five structured workflows, three on-demand reference files, a distributable .skill
archive, and full integration into the repository test suite and marketplace registry.
The skill is authored to the same standard as all other GRC skills in this repository:
trigger phrases in the SKILL.md frontmatter, output-format matrices, clause-cited
guidance, workflow templates, and on-demand reference file loading to preserve context
window efficiency.
STANDARD COVERAGE
-----------------
Standard : ISO 31000:2018 -- Risk management -- Guidelines
Published : February 2018 (replaces ISO 31000:2009)
Status : Current international standard; sector-agnostic; universally applicable
Note : ISO 31000 is a guidelines standard -- organisations cannot be certified
against it. It provides principles and a framework/process that integrate
into all other ISO Annex SL management system standards.
Three structural pillars covered in full:
Clause 4 -- Principles
All 8 risk management principles documented with practical descriptions and
assessment guidance (Integrated, Structured and comprehensive, Customised,
Inclusive, Dynamic, Best available information, Human and cultural factors,
Continual improvement).
Clause 5 -- Framework (6 components)
5.1 Leadership and Commitment
5.2 Integration
5.3 Design
5.4 Implementation
5.5 Evaluation
5.6 Improvement
Clause 6 -- Risk Management Process (8 activities)
6.2 Communication and Consultation (continuous throughout)
6.3 Scope, Context, and Criteria
6.4 Risk Assessment
6.4.2 Risk Identification
6.4.3 Risk Analysis
6.4.4 Risk Evaluation
6.5 Risk Treatment
6.6 Monitoring and Review
6.7 Recording and Reporting
FILES CREATED
-------------
plugins/iso31000/.claude-plugin/plugin.json
Claude Code plugin manifest. Contains name ("iso31000"), semantic version (0.1.0),
description, author (Hemant Naik), homepage, repository, license (MIT), and keywords
(iso31000, risk-management, risk-assessment, risk-treatment, risk-register,
enterprise-risk, grc). Required by test_plugin_structure.py for plugin discovery
and validation.
plugins/iso31000/skills/iso31000/SKILL.md
Core skill instruction file loaded into Claude context when the skill triggers.
Contains:
- YAML frontmatter with name, description, and 30+ trigger phrases covering ISO
31000, risk management framework, risk register, risk treatment, risk appetite,
risk tolerance, risk criteria, inherent risk, residual risk, risk identification,
risk analysis, risk evaluation, risk treatment plan, likelihood x consequence,
risk heatmap, risk workshop, bowtie analysis, FMEA, enterprise risk management,
ERM, operational risk, strategic risk, risk monitoring, board risk report, and
risk appetite statement.
- Persona definition: Claude adopts the role of an ISO 31000:2018 Risk Management
consultant and lead practitioner.
- Output format matrix mapping 9 task types to their required output format:
risk framework design, gap analysis, risk assessment, risk treatment plan, risk
appetite statement, risk workshop facilitation, policy/procedure generation,
integration guidance, and general questions.
- Standard overview with three-pillar structure diagram and a note distinguishing
ISO 31000 as a guidelines (non-certifiable) standard.
- Full Clause 4 principles table: 8 principles with practical descriptions, indexed
for assessment as Embedded / Partial / Not present.
- Full Clause 5 framework narrative covering all six components (5.1-5.6) with
evidence checklists and key outputs identified for each.
- Full Clause 6 process documentation including:
- ASCII process flow diagram showing the 8 activities and their relationships
- 5x5 Likelihood x Consequence matrix with RAG band thresholds and colour coding
- Risk identification technique overview with 7 named methods
- Inherent risk, control effectiveness, residual risk, and target residual risk
definitions
- Risk treatment options table (Avoid / Reduce / Transfer / Accept / Exploit)
with description and conditions for use
- Risk treatment plan column reference
- Monitoring triggers (periodic and event-driven)
- Recording and reporting requirements summary
- 5 Core Workflows with full templates:
1. Risk Framework Gap Analysis -- clause-by-clause assessment table with
example populated rows
2. Risk Register Development -- 16-column register template with standard
risk categories and scoring guidance
3. Risk Appetite Statement -- structured template with overarching narrative
and 8-category tolerance threshold table
4. Risk Workshop Facilitation Guide -- pre-workshop preparation checklist,
9-item agenda template with facilitator actions
5. Policy and Procedure Generation -- document control block requirements,
9-document minimum set table with clause mapping and mandatory indicator
- Integration mapping table documenting how ISO 31000 provisions apply within
ISO 27001, ISO 9001, ISO 42001, ISO 14001, ISO 45001, NIST CSF 2.0, and
COSO ERM, with specific clause and function references.
- Two integration guidance rules for operating an integrated risk register across
multiple management system standards.
- Reference file loading rules specifying which reference file to load per task
type to preserve context window efficiency.
plugins/iso31000/skills/iso31000/references/iso31000-framework.md
On-demand reference for Clause 5 framework topics. Loaded for: framework design
queries, gap analysis, leadership and governance questions. Contents:
- Framework PDCA cycle overview diagram
- Clause 5.1 design checklist with 7 requirements and evidence column
- Common gaps section for 5.1 (4 frequently observed deficiencies)
- Clause 5.2 integration maturity model: 4 levels (Ad hoc / Defined / Managed /
Optimised) with characteristics for each
- 7 integration diagnostic questions for gap assessment
- Clause 5.3 Design: PESTLE external context table with 6 factors and example
risk sources, internal context 6-question diagnostic
- Risk Management Policy required content (6 mandatory elements)
- Full RACI matrix for risk management activities across 5 stakeholder layers
(Board, Executive/CEO, CRO/Risk Function, Process Owners, All Staff) covering
7 risk management activities
- Minimum resource requirements (people, tools, training, time, budget)
- Communication and consultation design requirements (5 elements)
- Implementation roadmap template: 6 phases with activities, owner, and success
criteria from Foundation through Optimise stages
- Framework evaluation criteria table: 6 rows (one per framework component) with
evaluation questions and evidence sources
- Risk Management KPIs table: 6 KPIs with measurement method and target
- Framework design checklist: 19 checkpoints across 5 categories (Leadership and
Governance, Integration, Design, Process, Evaluation and Improvement)
plugins/iso31000/skills/iso31000/references/iso31000-risk-assessment-process.md
On-demand reference for Clause 6 risk assessment topics. Loaded for: risk registers,
workshops, identification techniques, scoring. Contents:
- Clause 6.3 scope definition: 5-element scope template with diagnostic questions
- Scope statement prose template
- PESTLE external context analysis table with columns for risk source, potential
impact on objectives, and current controls
- Internal context 6-question diagnostic
- Risk criteria: 5-point likelihood scale (Almost Certain through Rare) with label,
definition, and example frequency
- Risk criteria: 5-point consequence scale calibrated across four dimensions
(Financial, Reputational, Operational, Regulatory/Legal) from Negligible to
Catastrophic, with percentage of revenue thresholds for financial impacts
- Risk tolerance thresholds: 4 bands with score range, RAG label, and default
treatment decision
- 7 risk identification techniques with implementation detail:
1. Structured workshop / brainstorming: facilitation prompt sequence (5
questions), best-for guidance
2. SWOT analysis: 2x2 matrix showing risk type per quadrant
3. Process mapping / SIPOC: template with risk annotation at each SIPOC
element
4. Bowtie analysis: ASCII diagram showing causes, preventive controls, top
event, recovery controls, and consequences
5. FMEA: full column set (Process Step, Failure Mode, Effect, Severity,
Occurrence, Detection, RPN) with RPN threshold guidance
6. Taxonomy-based risk checklist: 8 categories with approximately 50 named
example risk types (Strategic, Financial, Operational, Technology/Cyber,
Compliance/Regulatory, Reputational, People/HR, Third Party/Supply Chain)
7. Risk description template: 6-field structured entry format
- Full risk register template: 19 columns (Risk ID, Category, Description, Source,
Existing Controls, Inherent L, Inherent C, Inherent Score, Control Effectiveness,
Residual L, Residual C, Residual Score, Band, Treatment Option, Owner, Target
Date, Review Date, Status)
- 5x5 L x C matrix rendered in ASCII with RAG colour coding and band legend
- Inherent vs residual vs target residual risk definitions table
- Qualitative vs semi-quantitative vs quantitative analysis comparison table
- Multi-dimensional analysis table showing console across 4 consequence dimensions
with guidance to use the highest single dimension (conservative approach)
- Risk evaluation 4-step process with treatment decision rules per band
- Prioritised risk summary output format (example table)
- Communication and Consultation (Clause 6.2): stakeholder consultation plan
template (6 stakeholder groups with interest, engagement method, frequency)
- Internal risk reporting schedule: 4 report types (Risk Register, Risk Dashboard,
Board Risk Report, Annual Risk Report, Incident/Near-miss report) with audience,
frequency, and contents
plugins/iso31000/skills/iso31000/references/iso31000-risk-treatment.md
On-demand reference for Clause 6.5+ treatment, appetite, monitoring, and reporting
topics. Loaded for: treatment plans, risk appetite, residual risk, monitoring.
Contents:
- Treatment option 1 -- Avoid: definition, 4 conditions for use, 4 specific
examples, consideration note about foregone opportunity
- Treatment option 2 -- Reduce: preventive controls (6 types with examples),
detective controls (5 types with examples), recovery controls (5 types with
examples); control effectiveness rating scale with 3 levels and definitions
(Effective, Partially Effective, Ineffective)
- Treatment option 3 -- Transfer: 4 mechanisms table (insurance, contractual
transfer, joint venture/shared ownership, derivatives/hedging) with how-it-works
and best-for columns; 4 important limitations of transfer (responsibility,
full loss coverage, counter-party risk, reputational risk cannot be transferred)
- Treatment option 4 -- Accept: 3 conditions for use; seniority-based acceptance
authority matrix by risk band (Low to Critical); 4 documentation requirements;
contingency plan requirement for accepted risks above Medium
- Treatment option 5 -- Exploit: definition and 3 examples for opportunity risks
- Full risk treatment plan template: 14 fields including Risk ID, Description,
Category, Current Residual Risk, Treatment Option, Target Residual Risk, Actions
table (with Action, Description, Owner, Resources Required, Due Date, Status
columns), Success Measures/KPIs, Review Date, Plan Owner, Approved By, Approval
Date
- Treatment selection decision framework: 5-step logical decision tree from
appetite comparison through to escalation
- Risk appetite framework: 4 definition table (appetite, tolerance, capacity,
attitude) with key relationship formula Appetite <= Tolerance <= Capacity
- Risk appetite statement template: overarching narrative placeholder plus 8-row
category table (Strategic, Financial, Operational, Cyber/Technology, Compliance/
Regulatory, Reputational, Environmental/ESG, People/HR) with Appetite Statement,
Tolerance Threshold, and Escalation Path columns
- 4 practical usage rules for applying risk appetite (assessment gate, investment
decisions, escalation trigger, annual review)
- Monitoring schedule table: 6 activities (risk register review, control
effectiveness testing, board reporting, executive dashboard, full reassessment,
incident/near-miss review) with frequency, owner, and output
- 8 event-driven monitoring triggers
- Control testing programme template: 5 example controls with test method,
frequency, and evidence
- Required records table: 9 record types (Risk Register, Risk Assessment Reports,
Risk Treatment Plans, Risk Acceptance Decisions, Board Risk Reports, Control
Testing Records, Incident/Near-Miss Log, Framework Evaluation Records, Risk
Appetite Statement) with purpose and minimum retention period
- Board risk report template: 9-section content outline
- Risk dashboard template: monthly executive summary format description
- Process-owner level risk register summary format description
- 5 risk communication best practices
ISO 31000 - Claude Skill/ISO-31000-README.md
End-user facing README for the skill. Follows the standard repository README
format used by all other skills in this repository. Contains:
Section 1 -- What Does the Skill Do: full capability description, standard
version coverage, list of all clauses and pillars covered, note on non-
certifiable nature of the standard.
Section 2 -- Intended Audiences: 7 named audience types (CROs and Risk Managers,
Compliance and assurance teams, Board secretaries and governance professionals,
Project managers, Internal auditors, Consultants, Operations managers) with
role descriptions and use case context.
Section 3 -- Common Use Cases: 12-row table with use case name and example prompt
(framework gap analysis, risk register development, risk treatment plan, risk
appetite statement, risk workshop facilitation, risk management policy, framework
design, risk criteria definition, integration question, board risk report,
monitoring and review, FMEA/Bowtie).
Section 4 -- How to Use the Skill: auto-activation explanation, 3 tips for best
results with example prompts demonstrating context provision, task type
specification, and clause referencing; worked interaction example showing a
logistics SME risk register request.
Section 5 -- Skill Implementation Details: directory architecture diagram, SKILL.md
contents summary, reference file contents table (3 files with descriptions),
list of inputs used to build the skill (ISO 31000:2018, ISO 31010:2019, ISO
Guide 73:2009, ISO Annex SL mapping, COSO ERM 2017, common ERM practice), and
trigger phrases list (30+ activation topics).
Section 6 -- Author: attribution block with version (0.1.0), date (April 2026),
and standard coverage.
ISO 31000 - Claude Skill/iso31000.skill
Distributable ZIP archive for direct Claude installation. Internal archive
structure:
iso31000/SKILL.md
iso31000/references/iso31000-framework.md
iso31000/references/iso31000-risk-assessment-process.md
iso31000/references/iso31000-risk-treatment.md
SKILL.md is located at exactly one directory level deep (iso31000/SKILL.md) per
the Claude skill installer requirement. No path traversal entries. No absolute
paths. All entries are under the iso31000/ top-level folder. Validated as a valid
ZIP file by all archive tests in test_skill_installability.py.
FILES MODIFIED
--------------
.claude-plugin/marketplace.json
Added iso31000 entry to the plugins array with the following fields:
name : "iso31000"
source : "./plugins/iso31000"
description : "ISO 31000:2018 Risk Management advisor -- risk framework design,
gap analysis, risk register development, risk treatment planning,
risk appetite statements, monitoring and review, board risk
reporting, and integration with ISO 27001, ISO 9001, and
ISO 42001."
version : "0.1.0"
author : Hemant Naik <hemant.naik@gmail.com>
homepage : https://sushegaad.github.io/Claude-Skills-Governance-Risk-and-Compliance/
category : "compliance"
keywords : iso31000, risk-management, risk-assessment, risk-treatment,
risk-register, enterprise-risk, erm, grc
tests/test_plugin_structure.py
Added "iso31000" to the EXPECTED_PLUGINS set (line 35). This set is used by two
inventory sanity tests:
test_all_expected_plugins_present -- asserts all expected dirs exist
test_no_unexpected_plugins -- asserts no unlisted dirs are present
Without this addition, test_no_unexpected_plugins would fail when it discovers
plugins/iso31000/ is not in the expected set.
tests/test_skill_installability.py
Added "iso31000.skill" to the EXPECTED_SKILLS set (line 181). This set is used
by two inventory sanity tests:
test_all_expected_skills_present -- asserts all expected .skill files exist
test_no_unexpected_skills -- asserts no unlisted .skill files are present
Updated the docstring on test_all_expected_skills_present from "All 9 expected"
to "All 10 expected" to reflect the updated total count.
TEST RESULTS
------------
Test runner : pytest 8.3.2
Python : 3.13.5
Command : python -m pytest tests/ --tb=short -q
Result : 187 passed, 0 failed, 0 errors
Per-test results for iso31000 (parametrised across all plugins and skill archives):
test_plugin_json_exists[iso31000] PASSED
test_plugin_json_is_valid[iso31000] PASSED
test_plugin_json_required_fields[iso31000] PASSED
test_plugin_version_semver[iso31000] PASSED
test_skills_directory_exists[iso31000] PASSED
test_skills_directory_has_one_skill_folder[iso31000] PASSED
test_skill_md_exists[iso31000] PASSED
test_skill_md_not_empty[iso31000] PASSED
test_no_files_outside_skill_folder[iso31000] PASSED
test_references_are_markdown[iso31000] PASSED
test_is_valid_zip[iso31000.skill] PASSED
test_archive_not_empty[iso31000.skill] PASSED
test_exactly_one_skill_md[iso31000.skill] PASSED
test_skill_md_exactly_one_level_deep[iso31000.skill] PASSED
test_no_path_traversal[iso31000.skill] PASSED
test_all_files_under_top_level_folder[iso31000.skill] PASSED
test_skill_md_not_empty[iso31000.skill] PASSED
test_references_under_skill_folder[iso31000.skill] PASSED
test_all_expected_plugins_present PASSED
test_no_unexpected_plugins PASSED
test_marketplace_json_exists PASSED
test_marketplace_json_valid PASSED
test_marketplace_lists_all_plugins PASSED
test_all_expected_skills_present PASSED
test_no_unexpected_skills PASSED
INTEGRATION COVERAGE
--------------------
ISO 31000:2018 is the foundational risk management standard that underpins the risk
provisions within all ISO Annex SL (High Level Structure) management system standards.
The skill explicitly documents integration points for:
ISO 27001:2022
Clause 6.1 -- Information security risk assessment and treatment process; Annex A
controls are selected and justified through the risk treatment process. A single
integrated risk register can serve both ISO 31000 and ISO 27001 by adding an
Annex A control reference column.
ISO 9001:2015
Clause 6.1 -- Risks and opportunities for the Quality Management System; Clause 8
operational risk controls. The ISO 31000 risk process provides the methodology
that ISO 9001 requires but does not specify.
ISO 42001:2023
Clause 6.1 -- AI-specific risk assessment; the AI system impact assessment (AISIA)
methodology for assessing societal and individual impacts of AI systems can be
structured using the ISO 31000 risk assessment process.
ISO 14001:2015
Clause 6.1 -- Risks and opportunities for the Environmental Management System;
environmental aspect and impact assessment structured per ISO 31000.
ISO 45001:2018
Clause 6.1 -- Occupational Health and Safety risk assessment; hazard identification
and risk controls methodology aligned to ISO 31000.
NIST Cybersecurity Framework 2.0
GOVERN and IDENTIFY functions; the ID.RA (Risk Assessment) category maps directly
to the ISO 31000 risk assessment process (Clauses 6.3-6.4).
COSO Enterprise Risk Management (2017)
Fully compatible; ISO 31000 risk assessment components map to the Strategy and
Objective-Setting, Performance, and Review and Revision components of COSO ERM.
CONTENT ACCURACY NOTES
-----------------------
All content is derived from the following authoritative sources and is presented
as documented fact, not inference or estimation:
ISO 31000:2018 -- Risk management -- Guidelines
Publisher: International Organization for Standardization
The 8 principles (Clause 4), 6 framework components (Clause 5.1-5.6), and
8 process activities (Clause 6.2-6.7) are documented as specified in the
standard. Process activity names, descriptions, and relationships (including
the continuous nature of communication/consultation and monitoring/review) are
per the standard text.
ISO 31010:2019 -- Risk management -- Risk assessment techniques
Informs the risk identification technique section. All 7 techniques included
(brainstorming, SWOT, PESTLE, SIPOC/process mapping, bowtie, FMEA, checklists/
taxonomies) are listed in ISO 31010:2019 as suitable risk assessment techniques.
FMEA column structure (Severity, Occurrence, Detection, RPN) follows ISO 31010
guidance.
ISO Guide 73:2009 -- Risk management -- Vocabulary
Source for all risk management definitions used in the skill: risk, risk
management, risk appetite, risk tolerance, risk criteria, inherent risk,
residual risk, risk owner, risk treatment, risk source, event, consequence,
likelihood, control.
ISO Annex SL / ISO Directives Part 1 (Consolidated ISO Supplement)
Basis for the integration mapping table. All Annex SL standards share the same
mandatory clause structure with Clauses 4 (Context), 6 (Planning including risk
assessment), 9 (Performance evaluation), and 10 (Improvement).
COSO Enterprise Risk Management -- Integrating with Strategy and Performance (2017)
Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Referenced for integration notes only. Compatibility statements are based on
the documented relationship between ISO 31000 and COSO ERM frameworks.
Where implementation guidance represents established professional practice rather
than a direct normative requirement of the standard (for example, specific consequence
scale calibration percentages, tolerance threshold scores, or report formats), this
is presented as a template or example to be adapted by the organisation, not as
a requirement of the standard. This distinction is maintained throughout the skill
and reference files.
BRANCH
------
Branch : feature/iso3001-skill
Base : main (tag 0.3.0, commit 55346eb)
Standard: ISO/IEC 27017:2015 - Information technology - Security techniques -
Code of practice for information security controls based on ISO/IEC 27002 for
cloud services.
Published by ISO/IEC JTC 1/SC 27, first edition December 2015.
OVERVIEW
--------
ISO 27017 is an extension of ISO/IEC 27002:2013 that provides cloud-specific
implementation guidance for information security controls. It addresses both
Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs), and
introduces 7 additional controls prefixed with 'CLD' that have no equivalent
in the base ISO 27002 standard.
The standard is a code of practice, not a certifiable standard in its own
right. Organisations certify against ISO 27001; ISO 27017 supplements that
with cloud-specific control implementation guidance.
BASE STANDARD RELATIONSHIP
---------------------------
ISO 27017 is explicitly based on ISO/IEC 27002:2013 (114 controls, 14 domains).
It provides cloud-specific guidance for 37 of those controls, covering domains:
5 (policies), 6 (organisation), 7 (HR security), 8 (asset management),
9 (access control), 10 (cryptography), 11 (physical security), 12 (operations),
13 (communications), 14 (acquisition/development), 15 (supplier relationships),
16 (incident management), 17 (business continuity), and 18 (compliance).
THE 7 CLOUD-SPECIFIC CLD CONTROLS
-----------------------------------
CLD.6.3.1 - Shared roles and responsibilities within a cloud computing
environment. Requires both CSP and CSC to formally document and
agree the allocation of security responsibilities, including in
the cloud service agreement.
CLD.8.1.5 - Removal or return of cloud service customer assets. Requires
CSPs to provide data return in usable formats and certified
deletion of all CSC data after service termination.
CLD.9.5.1 - Segregation in virtual computing environments. Requires CSPs to
implement logical isolation between tenants at compute, storage,
and network layers including hypervisor-level isolation.
CLD.9.5.2 - Virtual machine hardening. Requires CSPs and CSCs to apply
hardening standards to VMs including patch management, unnecessary
service removal, encrypted storage, and host-based controls.
CLD.12.1.5 - Administrator operational security. Requires CSPs to apply MFA,
least privilege, role separation, and comprehensive logging to all
cloud service administrator accounts and activities.
CLD.12.4.5 - Monitoring of cloud services. Requires CSPs to make monitoring
data available to CSCs and requires CSCs to actively monitor their
own cloud usage and integrate CSP logs into their SIEM.
CLD.13.1.4 - Alignment of security management for virtual and physical
networks. Requires CSPs to ensure virtual network security
controls are equivalent to and consistent with physical network
controls.
SHARED RESPONSIBILITY MODEL
----------------------------
A core concept of ISO 27017 is the explicit shared responsibility model.
Control allocation varies by service model:
- IaaS: CSP manages physical, network, and hypervisor; CSC manages OS and above
- PaaS: CSP extends to OS and runtime; CSC manages applications and data
- SaaS: CSP manages almost all technical controls; CSC manages IAM and data
SKILL CONTENTS
--------------
plugins/iso27017/
.claude-plugin/plugin.json Plugin metadata (version 1.0.0)
skills/iso27017/
SKILL.md Main skill: workflows, control tables,
gap analysis templates, checklists
references/
cloud-controls.md Detailed guidance on all 7 CLD
controls: purpose, CSP requirements,
CSC requirements, audit evidence,
and common pitfalls for each
iso27002-cloud-guidance.md All 37 ISO 27002 controls covered by
ISO 27017, with per-control cloud-
specific guidance from both CSP and
CSC perspectives
shared-responsibility.md Shared responsibility matrix covering
37 control areas across IaaS, PaaS,
and SaaS service models, plus cloud
service agreement security checklist
templates.md Five reusable templates: gap analysis
spreadsheet, CSA security review
checklist, cloud security policy,
VM hardening standard, and vendor
due diligence questionnaire
ISO 27017 - Claude Skill/
ISO-27017-README.md Human-readable README for the skill
iso27017.skill Installable ZIP archive for Claude
TESTS
-----
- tests/test_plugin_structure.py: added 'iso27017' to EXPECTED_PLUGINS
- tests/test_skill_installability.py: added 'iso27017.skill' to EXPECTED_SKILLS
- All 187 tests pass (187 passed, 0 failed)
MARKETPLACE
-----------
.claude-plugin/marketplace.json updated to include the iso27017 plugin entry
with description, version, author, homepage, category, and keywords.
DESIGN DECISIONS
----------------
- Reference numbering uses ISO 27002:2013 control IDs throughout because
ISO 27017:2015 is explicitly based on the 2013 edition; the 2022 renumbering
of ISO 27002 does not apply to ISO 27017 as no updated edition has been issued
- CLD controls are documented with CSP-specific and CSC-specific guidance
separated, matching the structure of the standard itself
- The shared responsibility matrix covers all major control areas across all
three service models (IaaS/PaaS/SaaS) to support practical use
- Templates are production-ready starting points, not illustrative examples;
all placeholders are clearly marked with [BRACKETS] for user substitution
- The SKILL.md description field includes specific CLD control numbers and
synonyms to maximise skill trigger accuracy in Claude Code
QUALITY ASSURANCE
-----------------
- No guessed or inferred control mappings; all guidance is derived from the
published ISO/IEC 27017:2015 standard structure
- Shared responsibility allocations reflect the authoritative split described
in the standard for each service model
- All 7 CLD controls documented with: purpose, CSP requirements, CSC
requirements, cloud service agreement provisions, required audit evidence,
and common implementation pitfalls
- All 37 ISO 27002 controls with cloud guidance documented with both CSP-side
and CSC-side implementation notes
feat: Add ISO 3001 Compliance Skill
Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
Agent-Logs-Url: https://github.com/sjackson0109/Claude-Skills-Governance-Risk-and-Compliance/sessions/b2e87c87-cb06-4610-af4a-d45449fd1d9e Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
Agent-Logs-Url: https://github.com/sjackson0109/Claude-Skills-Governance-Risk-and-Compliance/sessions/b2e87c87-cb06-4610-af4a-d45449fd1d9e Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This pull request adds a complete Claude skill for ISO/IEC 27017:2015 — the international code of practice for information security controls based on ISO/IEC 27002 for cloud services.
ISO 27017 is a companion standard to ISO 27001 and ISO 27002 that extends information security controls specifically for cloud computing environments. It applies to both cloud service providers (CSPs) and cloud service customers (CSCs).
Standard Background
The 7 Cloud-Specific CLD Controls
ISO 27017 introduces 7 controls unique to cloud computing environments:
Files Added
Plugin Structure
Distributable Skill Archive
Test and Registry Updates
Test Results
All tests pass with no failures:
Tests validated:
Skill Capabilities
The skill enables Claude to:
Design Notes
Related Standards Not Included
The following companion standards are referenced within the skill for completeness but are not implemented in this PR: