feat: add HITRUST CSF compliance skill#27

Open
sjackson0109 wants to merge 28 commits into Sushegaad:main from sjackson0109:feature/hitrust-skill

Conversation

@sjackson0109

Summary

This pull request introduces a complete HITRUST Common Security Framework (CSF) compliance skill for Claude Code. The skill follows the established plugin pattern used across all existing compliance frameworks in this repository and has been fully tested.

Framework Background

HITRUST was founded in 2007 as the Health Information Trust Alliance to address the fragmented state of healthcare information security. The HITRUST CSF was first published in 2009 and has since become the most widely adopted security and privacy framework in healthcare and health-adjacent industries. The current version is v11 (January 2023). Version 9.x remains the most widely deployed in active assessments.

The HITRUST CSF is a certifiable, risk-tailored framework that acts as an overlay and harmonisation layer across HIPAA, NIST SP 800-53, ISO 27001, PCI DSS, SOC 2, and more than 40 other regulatory and industry standards. Unlike those frameworks, HITRUST defines a prescriptive, scored, third-party-validated certification path with three distinct assessment types (e1, i1, r2) and a five-level maturity model.

Files Introduced

Plugin structure

  • plugins/hitrust/.claude-plugin/plugin.json — Plugin manifest (name, version 0.3.0, category compliance, keywords: hitrust, hitrust-csf, healthcare-security, hipaa, e1, i1, r2, mycsf, grc)
  • plugins/hitrust/skills/hitrust/SKILL.md — Main skill file with YAML front-matter trigger description and comprehensive guidance covering all core HITRUST workflows
  • plugins/hitrust/skills/hitrust/references/hitrust-control-domains.md — Complete HITRUST CSF control taxonomy: all 14 control categories, 49 objectives, and 156 control specifications (v9.x) with descriptions, evidence pointers, and policy/procedure guidance per category
  • plugins/hitrust/skills/hitrust/references/hitrust-assessment-guide.md — Assessment process reference covering e1/i1/r2 comparison, the 11-step assessment process across three phases, scoring formula, score interpretation table, CAP lifecycle, MyCSF platform roles, AEA selection, certification renewal, and r2 interim requirements
  • plugins/hitrust/skills/hitrust/references/hitrust-scoping-factors.md — r2 scoping questionnaire (sections A through F), risk factor categories, organisation type factors, data volume tiers, technology factors, regulatory activations, the full inheritance programme (eligibility, validation, limitations, common scenarios), system boundary guidance, and common scoping mistakes
  • plugins/hitrust/skills/hitrust/references/hitrust-framework-overview.md — HITRUST Alliance history, full version history (v1 2009 through v11 2023), HITRUST vs HIPAA comparison, HITRUST vs SOC 2 / ISO 27001 / NIST SP 800-53 comparison tables, cross-framework control mapping examples, who needs HITRUST, shared compliance value, and a 30+ term glossary

Distributable archive

  • HITRUST - Claude Skill/hitrust.skill — ZIP archive for the Claude Code plugin manager; SKILL.md and all four reference files are packaged at the correct one-directory-deep path (hitrust/SKILL.md, hitrust/references/*.md)
  • HITRUST - Claude Skill/HITRUST-README.md — User-facing documentation describing the skill's capabilities, intended audiences, 30+ common use cases across seven categories, skill structure, framework mappings, and installation instructions

Repository-wide updates

  • .claude-plugin/marketplace.json — Added hitrust plugin entry; updated top-level description to include HITRUST
  • tests/test_plugin_structure.py — Added "hitrust" to EXPECTED_PLUGINS (now 10 plugins)
  • tests/test_skill_installability.py — Added "hitrust.skill" to EXPECTED_SKILLS (now 10 skills); updated docstring count

HITRUST CSF Coverage

Control Categories (14)

| ID | Category |
|----|----------|
| 00 | Information Security Management Program |
| 01 | Access Control |
| 02 | Human Resources Security |
| 03 | Risk Management |
| 04 | Security Policy |
| 05 | Organisation of Information Security |
| 06 | Compliance |
| 07 | Asset Management |
| 08 | Physical and Environmental Security |
| 09 | Communications and Operations Management |
| 10 | Information Systems Acquisition, Development and Maintenance |
| 11 | Information Security Incident Management |
| 12 | Business Continuity Management |
| 13 | Privacy Practices |

Assessment Types

| Type | Control Count | Certification Period | Primary Use |
|------|---------------|----------------------|-------------|
| e1 | 44 | 1 year | Entry-level; basic cyber hygiene; third-party assurance |
| i1 | 219 | 1 year | Advanced; ransomware protection; operational maturity |
| r2 | Risk-tailored (varies) | 2 years + annual interim | Gold standard; full certification; regulatory proof |

Maturity Model

Five scoring levels: Policy (25%), Procedure (25%), Implemented (25%), Measured (15%), Managed (10%). Minimum score for certification: 62/100. Target score: 75/100.

Cross-Framework Mappings

The skill includes mapping tables and guidance for alignment with: HIPAA Privacy Rule (45 CFR Part 164 Subpart E), HIPAA Security Rule (45 CFR Part 164 Subpart C), NIST SP 800-53 Rev 5, ISO/IEC 27001:2022, PCI DSS v4.0, SOC 2 Trust Services Criteria, CMS Acceptable Risk Safeguards (ARS), HITECH Act, and 42 CFR Part 2.

Skill Trigger Topics

The skill activates on: HITRUST, HITRUST CSF, MyCSF, e1/i1/r2 assessment, HITRUST certification, HITRUST gap analysis, HITRUST inheritance, HITRUST and HIPAA alignment.

Test Results

All tests pass with zero failures.

187 passed in 0.24s

Test coverage includes: plugin directory structure validation, required file presence (plugin.json, SKILL.md), reference file validation, .skill archive format validation, archive depth check (SKILL.md at correct one-directory-deep path), and no unexpected plugins or skill files.

Checklist

  • Plugin follows the established repository structure pattern
  • SKILL.md contains valid YAML front matter with trigger description
  • All reference files are factual and sourced from HITRUST Alliance published materials
  • hitrust.skill archive packages files at the correct directory depth
  • marketplace.json updated with hitrust plugin entry
  • Both test files updated to include hitrust
  • All 187 tests pass, 0 failures
  • Commit message includes extensive body documentation
  • No emojis in commit message, PR title, or PR body

sjackson0109 and others added 28 commits April 14, 2026 17:20
OVERVIEW
--------
This commit delivers a complete, end-to-end Claude skill for ISO 31000:2018 Risk
Management. The skill covers the full standard -- Principles (Clause 4), Framework
(Clauses 5.1-5.6), and the Risk Management Process (Clauses 6.2-6.7) -- along with
five structured workflows, three on-demand reference files, a distributable .skill
archive, and full integration into the repository test suite and marketplace registry.

The skill is authored to the same standard as all other GRC skills in this repository:
trigger phrases in the SKILL.md frontmatter, output-format matrices, clause-cited
guidance, workflow templates, and on-demand reference file loading to preserve context
window efficiency.

STANDARD COVERAGE
-----------------
Standard  : ISO 31000:2018 -- Risk management -- Guidelines
Published : February 2018 (replaces ISO 31000:2009)
Status    : Current international standard; sector-agnostic; universally applicable
Note      : ISO 31000 is a guidelines standard -- organisations cannot be certified
            against it. It provides principles and a framework/process that integrate
            into all other ISO Annex SL management system standards.

Three structural pillars covered in full:

  Clause 4 -- Principles
    All 8 risk management principles documented with practical descriptions and
    assessment guidance (Integrated, Structured and comprehensive, Customised,
    Inclusive, Dynamic, Best available information, Human and cultural factors,
    Continual improvement).

  Clause 5 -- Framework (6 components)
    5.1  Leadership and Commitment
    5.2  Integration
    5.3  Design
    5.4  Implementation
    5.5  Evaluation
    5.6  Improvement

  Clause 6 -- Risk Management Process (8 activities)
    6.2  Communication and Consultation (continuous throughout)
    6.3  Scope, Context, and Criteria
    6.4  Risk Assessment
         6.4.2  Risk Identification
         6.4.3  Risk Analysis
         6.4.4  Risk Evaluation
    6.5  Risk Treatment
    6.6  Monitoring and Review
    6.7  Recording and Reporting

FILES CREATED
-------------

plugins/iso31000/.claude-plugin/plugin.json
  Claude Code plugin manifest. Contains name ("iso31000"), semantic version (0.1.0),
  description, author (Hemant Naik), homepage, repository, license (MIT), and keywords
  (iso31000, risk-management, risk-assessment, risk-treatment, risk-register,
  enterprise-risk, grc). Required by test_plugin_structure.py for plugin discovery
  and validation.

plugins/iso31000/skills/iso31000/SKILL.md
  Core skill instruction file loaded into Claude context when the skill triggers.
  Contains:
  - YAML frontmatter with name, description, and 30+ trigger phrases covering ISO
    31000, risk management framework, risk register, risk treatment, risk appetite,
    risk tolerance, risk criteria, inherent risk, residual risk, risk identification,
    risk analysis, risk evaluation, risk treatment plan, likelihood x consequence,
    risk heatmap, risk workshop, bowtie analysis, FMEA, enterprise risk management,
    ERM, operational risk, strategic risk, risk monitoring, board risk report, and
    risk appetite statement.
  - Persona definition: Claude adopts the role of an ISO 31000:2018 Risk Management
    consultant and lead practitioner.
  - Output format matrix mapping 9 task types to their required output format:
    risk framework design, gap analysis, risk assessment, risk treatment plan, risk
    appetite statement, risk workshop facilitation, policy/procedure generation,
    integration guidance, and general questions.
  - Standard overview with three-pillar structure diagram and a note distinguishing
    ISO 31000 as a guidelines (non-certifiable) standard.
  - Full Clause 4 principles table: 8 principles with practical descriptions, indexed
    for assessment as Embedded / Partial / Not present.
  - Full Clause 5 framework narrative covering all six components (5.1-5.6) with
    evidence checklists and key outputs identified for each.
  - Full Clause 6 process documentation including:
      - ASCII process flow diagram showing the 8 activities and their relationships
      - 5x5 Likelihood x Consequence matrix with RAG band thresholds and colour coding
      - Risk identification technique overview with 7 named methods
      - Inherent risk, control effectiveness, residual risk, and target residual risk
        definitions
      - Risk treatment options table (Avoid / Reduce / Transfer / Accept / Exploit)
        with description and conditions for use
      - Risk treatment plan column reference
      - Monitoring triggers (periodic and event-driven)
      - Recording and reporting requirements summary
  - 5 Core Workflows with full templates:
      1. Risk Framework Gap Analysis -- clause-by-clause assessment table with
         example populated rows
      2. Risk Register Development -- 16-column register template with standard
         risk categories and scoring guidance
      3. Risk Appetite Statement -- structured template with overarching narrative
         and 8-category tolerance threshold table
      4. Risk Workshop Facilitation Guide -- pre-workshop preparation checklist,
         9-item agenda template with facilitator actions
      5. Policy and Procedure Generation -- document control block requirements,
         9-document minimum set table with clause mapping and mandatory indicator
  - Integration mapping table documenting how ISO 31000 provisions apply within
    ISO 27001, ISO 9001, ISO 42001, ISO 14001, ISO 45001, NIST CSF 2.0, and
    COSO ERM, with specific clause and function references.
  - Two integration guidance rules for operating an integrated risk register across
    multiple management system standards.
  - Reference file loading rules specifying which reference file to load per task
    type to preserve context window efficiency.

plugins/iso31000/skills/iso31000/references/iso31000-framework.md
  On-demand reference for Clause 5 framework topics. Loaded for: framework design
  queries, gap analysis, leadership and governance questions. Contents:
  - Framework PDCA cycle overview diagram
  - Clause 5.1 design checklist with 7 requirements and evidence column
  - Common gaps section for 5.1 (4 frequently observed deficiencies)
  - Clause 5.2 integration maturity model: 4 levels (Ad hoc / Defined / Managed /
    Optimised) with characteristics for each
  - 7 integration diagnostic questions for gap assessment
  - Clause 5.3 Design: PESTLE external context table with 6 factors and example
    risk sources, internal context 6-question diagnostic
  - Risk Management Policy required content (6 mandatory elements)
  - Full RACI matrix for risk management activities across 5 stakeholder layers
    (Board, Executive/CEO, CRO/Risk Function, Process Owners, All Staff) covering
    7 risk management activities
  - Minimum resource requirements (people, tools, training, time, budget)
  - Communication and consultation design requirements (5 elements)
  - Implementation roadmap template: 6 phases with activities, owner, and success
    criteria from Foundation through Optimise stages
  - Framework evaluation criteria table: 6 rows (one per framework component) with
    evaluation questions and evidence sources
  - Risk Management KPIs table: 6 KPIs with measurement method and target
  - Framework design checklist: 19 checkpoints across 5 categories (Leadership and
    Governance, Integration, Design, Process, Evaluation and Improvement)

plugins/iso31000/skills/iso31000/references/iso31000-risk-assessment-process.md
  On-demand reference for Clause 6 risk assessment topics. Loaded for: risk registers,
  workshops, identification techniques, scoring. Contents:
  - Clause 6.3 scope definition: 5-element scope template with diagnostic questions
  - Scope statement prose template
  - PESTLE external context analysis table with columns for risk source, potential
    impact on objectives, and current controls
  - Internal context 6-question diagnostic
  - Risk criteria: 5-point likelihood scale (Almost Certain through Rare) with label,
    definition, and example frequency
  - Risk criteria: 5-point consequence scale calibrated across four dimensions
    (Financial, Reputational, Operational, Regulatory/Legal) from Negligible to
    Catastrophic, with percentage of revenue thresholds for financial impacts
  - Risk tolerance thresholds: 4 bands with score range, RAG label, and default
    treatment decision
  - 7 risk identification techniques with implementation detail:
      1. Structured workshop / brainstorming: facilitation prompt sequence (5
         questions), best-for guidance
      2. SWOT analysis: 2x2 matrix showing risk type per quadrant
      3. Process mapping / SIPOC: template with risk annotation at each SIPOC
         element
      4. Bowtie analysis: ASCII diagram showing causes, preventive controls, top
         event, recovery controls, and consequences
      5. FMEA: full column set (Process Step, Failure Mode, Effect, Severity,
         Occurrence, Detection, RPN) with RPN threshold guidance
      6. Taxonomy-based risk checklist: 8 categories with approximately 50 named
         example risk types (Strategic, Financial, Operational, Technology/Cyber,
         Compliance/Regulatory, Reputational, People/HR, Third Party/Supply Chain)
      7. Risk description template: 6-field structured entry format
  - Full risk register template: 19 columns (Risk ID, Category, Description, Source,
    Existing Controls, Inherent L, Inherent C, Inherent Score, Control Effectiveness,
    Residual L, Residual C, Residual Score, Band, Treatment Option, Owner, Target
    Date, Review Date, Status)
  - 5x5 L x C matrix rendered in ASCII with RAG colour coding and band legend
  - Inherent vs residual vs target residual risk definitions table
  - Qualitative vs semi-quantitative vs quantitative analysis comparison table
  - Multi-dimensional analysis table showing console across 4 consequence dimensions
    with guidance to use the highest single dimension (conservative approach)
  - Risk evaluation 4-step process with treatment decision rules per band
  - Prioritised risk summary output format (example table)
  - Communication and Consultation (Clause 6.2): stakeholder consultation plan
    template (6 stakeholder groups with interest, engagement method, frequency)
  - Internal risk reporting schedule: 4 report types (Risk Register, Risk Dashboard,
    Board Risk Report, Annual Risk Report, Incident/Near-miss report) with audience,
    frequency, and contents

plugins/iso31000/skills/iso31000/references/iso31000-risk-treatment.md
  On-demand reference for Clause 6.5+ treatment, appetite, monitoring, and reporting
  topics. Loaded for: treatment plans, risk appetite, residual risk, monitoring.
  Contents:
  - Treatment option 1 -- Avoid: definition, 4 conditions for use, 4 specific
    examples, consideration note about foregone opportunity
  - Treatment option 2 -- Reduce: preventive controls (6 types with examples),
    detective controls (5 types with examples), recovery controls (5 types with
    examples); control effectiveness rating scale with 3 levels and definitions
    (Effective, Partially Effective, Ineffective)
  - Treatment option 3 -- Transfer: 4 mechanisms table (insurance, contractual
    transfer, joint venture/shared ownership, derivatives/hedging) with how-it-works
    and best-for columns; 4 important limitations of transfer (responsibility,
    full loss coverage, counter-party risk, reputational risk cannot be transferred)
  - Treatment option 4 -- Accept: 3 conditions for use; seniority-based acceptance
    authority matrix by risk band (Low to Critical); 4 documentation requirements;
    contingency plan requirement for accepted risks above Medium
  - Treatment option 5 -- Exploit: definition and 3 examples for opportunity risks
  - Full risk treatment plan template: 14 fields including Risk ID, Description,
    Category, Current Residual Risk, Treatment Option, Target Residual Risk, Actions
    table (with Action, Description, Owner, Resources Required, Due Date, Status
    columns), Success Measures/KPIs, Review Date, Plan Owner, Approved By, Approval
    Date
  - Treatment selection decision framework: 5-step logical decision tree from
    appetite comparison through to escalation
  - Risk appetite framework: 4 definition table (appetite, tolerance, capacity,
    attitude) with key relationship formula Appetite <= Tolerance <= Capacity
  - Risk appetite statement template: overarching narrative placeholder plus 8-row
    category table (Strategic, Financial, Operational, Cyber/Technology, Compliance/
    Regulatory, Reputational, Environmental/ESG, People/HR) with Appetite Statement,
    Tolerance Threshold, and Escalation Path columns
  - 4 practical usage rules for applying risk appetite (assessment gate, investment
    decisions, escalation trigger, annual review)
  - Monitoring schedule table: 6 activities (risk register review, control
    effectiveness testing, board reporting, executive dashboard, full reassessment,
    incident/near-miss review) with frequency, owner, and output
  - 8 event-driven monitoring triggers
  - Control testing programme template: 5 example controls with test method,
    frequency, and evidence
  - Required records table: 9 record types (Risk Register, Risk Assessment Reports,
    Risk Treatment Plans, Risk Acceptance Decisions, Board Risk Reports, Control
    Testing Records, Incident/Near-Miss Log, Framework Evaluation Records, Risk
    Appetite Statement) with purpose and minimum retention period
  - Board risk report template: 9-section content outline
  - Risk dashboard template: monthly executive summary format description
  - Process-owner level risk register summary format description
  - 5 risk communication best practices

ISO 31000 - Claude Skill/ISO-31000-README.md
  End-user facing README for the skill. Follows the standard repository README
  format used by all other skills in this repository. Contains:
  Section 1 -- What Does the Skill Do: full capability description, standard
    version coverage, list of all clauses and pillars covered, note on non-
    certifiable nature of the standard.
  Section 2 -- Intended Audiences: 7 named audience types (CROs and Risk Managers,
    Compliance and assurance teams, Board secretaries and governance professionals,
    Project managers, Internal auditors, Consultants, Operations managers) with
    role descriptions and use case context.
  Section 3 -- Common Use Cases: 12-row table with use case name and example prompt
    (framework gap analysis, risk register development, risk treatment plan, risk
    appetite statement, risk workshop facilitation, risk management policy, framework
    design, risk criteria definition, integration question, board risk report,
    monitoring and review, FMEA/Bowtie).
  Section 4 -- How to Use the Skill: auto-activation explanation, 3 tips for best
    results with example prompts demonstrating context provision, task type
    specification, and clause referencing; worked interaction example showing a
    logistics SME risk register request.
  Section 5 -- Skill Implementation Details: directory architecture diagram, SKILL.md
    contents summary, reference file contents table (3 files with descriptions),
    list of inputs used to build the skill (ISO 31000:2018, ISO 31010:2019, ISO
    Guide 73:2009, ISO Annex SL mapping, COSO ERM 2017, common ERM practice), and
    trigger phrases list (30+ activation topics).
  Section 6 -- Author: attribution block with version (0.1.0), date (April 2026),
    and standard coverage.

ISO 31000 - Claude Skill/iso31000.skill
  Distributable ZIP archive for direct Claude installation. Internal archive
  structure:
    iso31000/SKILL.md
    iso31000/references/iso31000-framework.md
    iso31000/references/iso31000-risk-assessment-process.md
    iso31000/references/iso31000-risk-treatment.md
  SKILL.md is located at exactly one directory level deep (iso31000/SKILL.md) per
  the Claude skill installer requirement. No path traversal entries. No absolute
  paths. All entries are under the iso31000/ top-level folder. Validated as a valid
  ZIP file by all archive tests in test_skill_installability.py.

FILES MODIFIED
--------------

.claude-plugin/marketplace.json
  Added iso31000 entry to the plugins array with the following fields:
    name        : "iso31000"
    source      : "./plugins/iso31000"
    description : "ISO 31000:2018 Risk Management advisor -- risk framework design,
                   gap analysis, risk register development, risk treatment planning,
                   risk appetite statements, monitoring and review, board risk
                   reporting, and integration with ISO 27001, ISO 9001, and
                   ISO 42001."
    version     : "0.1.0"
    author      : Hemant Naik <hemant.naik@gmail.com>
    homepage    : https://sushegaad.github.io/Claude-Skills-Governance-Risk-and-Compliance/
    category    : "compliance"
    keywords    : iso31000, risk-management, risk-assessment, risk-treatment,
                  risk-register, enterprise-risk, erm, grc

tests/test_plugin_structure.py
  Added "iso31000" to the EXPECTED_PLUGINS set (line 35). This set is used by two
  inventory sanity tests:
    test_all_expected_plugins_present -- asserts all expected dirs exist
    test_no_unexpected_plugins -- asserts no unlisted dirs are present
  Without this addition, test_no_unexpected_plugins would fail when it discovers
  plugins/iso31000/ is not in the expected set.

tests/test_skill_installability.py
  Added "iso31000.skill" to the EXPECTED_SKILLS set (line 181). This set is used
  by two inventory sanity tests:
    test_all_expected_skills_present -- asserts all expected .skill files exist
    test_no_unexpected_skills -- asserts no unlisted .skill files are present
  Updated the docstring on test_all_expected_skills_present from "All 9 expected"
  to "All 10 expected" to reflect the updated total count.

TEST RESULTS
------------
Test runner : pytest 8.3.2
Python      : 3.13.5
Command     : python -m pytest tests/ --tb=short -q
Result      : 187 passed, 0 failed, 0 errors

Per-test results for iso31000 (parametrised across all plugins and skill archives):

  test_plugin_json_exists[iso31000]                    PASSED
  test_plugin_json_is_valid[iso31000]                  PASSED
  test_plugin_json_required_fields[iso31000]           PASSED
  test_plugin_version_semver[iso31000]                 PASSED
  test_skills_directory_exists[iso31000]               PASSED
  test_skills_directory_has_one_skill_folder[iso31000] PASSED
  test_skill_md_exists[iso31000]                       PASSED
  test_skill_md_not_empty[iso31000]                    PASSED
  test_no_files_outside_skill_folder[iso31000]         PASSED
  test_references_are_markdown[iso31000]               PASSED
  test_is_valid_zip[iso31000.skill]                    PASSED
  test_archive_not_empty[iso31000.skill]               PASSED
  test_exactly_one_skill_md[iso31000.skill]            PASSED
  test_skill_md_exactly_one_level_deep[iso31000.skill] PASSED
  test_no_path_traversal[iso31000.skill]               PASSED
  test_all_files_under_top_level_folder[iso31000.skill] PASSED
  test_skill_md_not_empty[iso31000.skill]              PASSED
  test_references_under_skill_folder[iso31000.skill]   PASSED
  test_all_expected_plugins_present                    PASSED
  test_no_unexpected_plugins                           PASSED
  test_marketplace_json_exists                         PASSED
  test_marketplace_json_valid                          PASSED
  test_marketplace_lists_all_plugins                   PASSED
  test_all_expected_skills_present                     PASSED
  test_no_unexpected_skills                            PASSED

INTEGRATION COVERAGE
--------------------
ISO 31000:2018 is the foundational risk management standard that underpins the risk
provisions within all ISO Annex SL (High Level Structure) management system standards.
The skill explicitly documents integration points for:

  ISO 27001:2022
    Clause 6.1 -- Information security risk assessment and treatment process; Annex A
    controls are selected and justified through the risk treatment process. A single
    integrated risk register can serve both ISO 31000 and ISO 27001 by adding an
    Annex A control reference column.

  ISO 9001:2015
    Clause 6.1 -- Risks and opportunities for the Quality Management System; Clause 8
    operational risk controls. The ISO 31000 risk process provides the methodology
    that ISO 9001 requires but does not specify.

  ISO 42001:2023
    Clause 6.1 -- AI-specific risk assessment; the AI system impact assessment (AISIA)
    methodology for assessing societal and individual impacts of AI systems can be
    structured using the ISO 31000 risk assessment process.

  ISO 14001:2015
    Clause 6.1 -- Risks and opportunities for the Environmental Management System;
    environmental aspect and impact assessment structured per ISO 31000.

  ISO 45001:2018
    Clause 6.1 -- Occupational Health and Safety risk assessment; hazard identification
    and risk controls methodology aligned to ISO 31000.

  NIST Cybersecurity Framework 2.0
    GOVERN and IDENTIFY functions; the ID.RA (Risk Assessment) category maps directly
    to the ISO 31000 risk assessment process (Clauses 6.3-6.4).

  COSO Enterprise Risk Management (2017)
    Fully compatible; ISO 31000 risk assessment components map to the Strategy and
    Objective-Setting, Performance, and Review and Revision components of COSO ERM.

CONTENT ACCURACY NOTES
-----------------------
All content is derived from the following authoritative sources and is presented
as documented fact, not inference or estimation:

  ISO 31000:2018 -- Risk management -- Guidelines
    Publisher: International Organization for Standardization
    The 8 principles (Clause 4), 6 framework components (Clause 5.1-5.6), and
    8 process activities (Clause 6.2-6.7) are documented as specified in the
    standard. Process activity names, descriptions, and relationships (including
    the continuous nature of communication/consultation and monitoring/review) are
    per the standard text.

  ISO 31010:2019 -- Risk management -- Risk assessment techniques
    Informs the risk identification technique section. All 7 techniques included
    (brainstorming, SWOT, PESTLE, SIPOC/process mapping, bowtie, FMEA, checklists/
    taxonomies) are listed in ISO 31010:2019 as suitable risk assessment techniques.
    FMEA column structure (Severity, Occurrence, Detection, RPN) follows ISO 31010
    guidance.

  ISO Guide 73:2009 -- Risk management -- Vocabulary
    Source for all risk management definitions used in the skill: risk, risk
    management, risk appetite, risk tolerance, risk criteria, inherent risk,
    residual risk, risk owner, risk treatment, risk source, event, consequence,
    likelihood, control.

  ISO Annex SL / ISO Directives Part 1 (Consolidated ISO Supplement)
    Basis for the integration mapping table. All Annex SL standards share the same
    mandatory clause structure with Clauses 4 (Context), 6 (Planning including risk
    assessment), 9 (Performance evaluation), and 10 (Improvement).

  COSO Enterprise Risk Management -- Integrating with Strategy and Performance (2017)
    Committee of Sponsoring Organizations of the Treadway Commission (COSO).
    Referenced for integration notes only. Compatibility statements are based on
    the documented relationship between ISO 31000 and COSO ERM frameworks.

Where implementation guidance represents established professional practice rather
than a direct normative requirement of the standard (for example, specific consequence
scale calibration percentages, tolerance threshold scores, or report formats), this
is presented as a template or example to be adapted by the organisation, not as
a requirement of the standard. This distinction is maintained throughout the skill
and reference files.

BRANCH
------
Branch  : feature/iso3001-skill
Base    : main (tag 0.3.0, commit 55346eb)
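The archive properties listed above for the .skill ZIP (SKILL.md exactly one directory level deep, no path traversal entries, no absolute paths, every entry under the top-level folder, reference files as markdown under the skill folder) are the checks that keep a plugin installer from being tricked into writing outside its target directory. As an added example, not the repository's own test_skill_installability.py, this standalone Python validator applies those checks to constructed in-memory archives; the function names `validate_skill_archive` and `build_archive` and the sample archive contents are assumptions.

```python
"""Validate a Claude .skill ZIP archive against the installer's layout rules.

Added example: this is not the repository's test code. The function names and
the sample archives below are constructed for illustration.
"""
from __future__ import annotations

import io
import zipfile


def validate_skill_archive(data: bytes, skill_name: str) -> list[str]:
    """Return a list of problems found; an empty list means the archive passes.

    Rules checked (mirroring the properties described for the .skill archive):
    valid ZIP, non-empty, exactly one SKILL.md located at <skill_name>/SKILL.md,
    no '..' path components, no absolute paths or backslashes, every entry under
    the <skill_name>/ top-level folder, and reference files as markdown under
    <skill_name>/references/.
    """
    problems: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP file"]

    with zf:
        # Directory entries carry no content; only file entries matter here.
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
        if not names:
            return ["archive is empty"]

        for name in names:
            # Absolute paths (POSIX or Windows drive) would escape the install dir.
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                problems.append(f"absolute path: {name}")
            # Backslashes and '..' components are the classic Zip Slip vectors.
            components = name.split("/")
            if "\\" in name or ".." in components:
                problems.append(f"path traversal or backslash: {name}")
            # Everything must live under the expected top-level folder.
            if components[0] != skill_name:
                problems.append(f"outside top-level folder {skill_name}/: {name}")

        skill_mds = [n for n in names if n.split("/")[-1] == "SKILL.md"]
        if len(skill_mds) != 1:
            problems.append(f"expected exactly one SKILL.md, found {len(skill_mds)}")
        else:
            parts = skill_mds[0].split("/")
            if len(parts) != 2:
                problems.append(f"SKILL.md not exactly one level deep: {skill_mds[0]}")
            elif zf.getinfo(skill_mds[0]).file_size == 0:
                problems.append("SKILL.md is empty")

        for name in names:
            if "/references/" in name:
                if not name.startswith(f"{skill_name}/references/"):
                    problems.append(f"reference outside skill folder: {name}")
                if not name.endswith(".md"):
                    problems.append(f"reference is not markdown: {name}")
    return problems


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {archive_path: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives (not real skill content).
GOOD = build_archive({
    "iso31000/SKILL.md": b"---\nname: iso31000\n---\n# Skill\n",
    "iso31000/references/iso31000-framework.md": b"# Framework\n",
})
TRAVERSAL = build_archive({
    "iso31000/SKILL.md": b"# Skill\n",
    "iso31000/../evil.md": b"escapes the skill folder\n",
})
TOO_DEEP = build_archive({
    "iso31000/skills/SKILL.md": b"# Skill\n",
})
ABSOLUTE = build_archive({
    "iso31000/SKILL.md": b"# Skill\n",
    "/etc/hosts": b"absolute path entry\n",
})

if __name__ == "__main__":
    for label, blob in [("good", GOOD), ("traversal", TRAVERSAL),
                        ("too deep", TOO_DEEP), ("absolute", ABSOLUTE)]:
        print(label, validate_skill_archive(blob, "iso31000") or "OK")
```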
Standard: ISO 22301:2019 - Security and resilience - Business continuity
management systems - Requirements (second edition, supersedes ISO 22301:2012)

OVERVIEW
--------
This commit introduces a complete Claude skill for ISO 22301:2019, covering
the full lifecycle of a Business Continuity Management System (BCMS). The
implementation follows the same plugin architecture used by all existing GRC
skills in this repository and passes all 187 automated tests (up from 186).

The skill enables practitioners to: conduct gap analyses against ISO 22301,
perform Business Impact Analyses (BIA), build risk assessments for disruption
scenarios, design BC strategies and select recovery solutions, author BC plans
and Incident Response Procedures (IRP), plan and evaluate exercises and tests,
prepare for Stage 1 and Stage 2 certification audits, and manage nonconformities
and corrective actions through the PDCA improvement cycle.

FILES ADDED
-----------

plugins/iso22301/.claude-plugin/plugin.json
  Plugin manifest for the Claude marketplace. Declares name (iso22301),
  version (1.0.0), description, and keywords covering BCMS, BCP, BIA,
  disaster recovery, resilience, and GRC.

plugins/iso22301/skills/iso22301/SKILL.md  (712 lines, ~34 KB)
  Core skill instruction file loaded by Claude when ISO 22301 topics are
  detected. Structured as follows:
  - YAML frontmatter with name, description, and 30+ trigger phrases
    (e.g. 'iso 22301', 'business continuity management', 'bcms gap analysis',
    'BIA', 'MTPD', 'RTO', 'RPO', 'MBCO', 'disaster recovery plan', etc.)
  - Standard overview: publication history, HLS alignment, 2012-to-2019
    key changes (simplified wording, explicit interested-party requirements,
    expanded exercising clause, reduced prescriptive mandatory documents)
  - Clause-by-clause summary for clauses 4-10 with practical guidance
  - Core workflow procedures:
      1. Gap analysis (10-step process with scoring rubric)
      2. Business Impact Analysis (5-phase methodology)
      3. Risk assessment for disruption scenarios (likelihood x impact)
      4. BC strategy selection and resource identification (8.3)
      5. BCP and IRP authoring aligned to clauses 8.4.2-8.4.5
      6. Exercise programme design (tabletop, simulation, live/full)
      7. Stage 1 and Stage 2 certification readiness review
      8. Continual improvement and management review (clause 9.3/10)
  - Key terminology table: BCMS, BIA, MTPD, RTO, RPO, MBCO, RLO,
    Disruption, Incident, Maximum Tolerable Period of Disruption
  - Mandatory documented information reference (20 required records)
  - Instructions for loading reference files on demand

plugins/iso22301/skills/iso22301/references/iso22301-clauses.md  (758 lines)
  Comprehensive clause-by-clause reference covering all normative requirements
  of ISO 22301:2019. Includes:
  - Full sub-clause breakdown for clauses 4.1 through 10.2
  - Audit-ready 'what the auditor looks for' notes per clause
  - Complete table of 20 mandatory documented information items with
    applicable clause citations and typical document types
  - Terms and definitions section (24 key terms)
  - Common nonconformity patterns per clause

plugins/iso22301/skills/iso22301/references/iso22301-bia-guide.md  (368 lines)
  End-to-end BIA methodology guide covering:
  - Phase 1: BIA scoping and stakeholder identification
  - Phase 2: Activity inventory and data collection templates
  - Phase 3: Impact analysis across financial, operational, reputational,
    legal/regulatory, and safety impact categories with a 5x5 heat map
  - Phase 4: MTPD, RTO, RPO, MBCO, and RLO determination with worked examples
  - Phase 5: Dependency mapping (internal, IT, people, third-party supplier)
  - Prioritisation output: tier classification (Tier 1 critical to Tier 3 normal)
  - 10 common BIA errors and how to avoid them

plugins/iso22301/skills/iso22301/references/iso22301-bcps.md  (484 lines)
  Business continuity plans and procedures reference covering:
  - Plan hierarchy: BC Policy -> IRP -> BCP -> Recovery Plans -> IT DRP
  - Incident Response Procedure (IRP) full content requirements (clause 8.4.2)
  - Communication templates: all-staff notification, customer notification,
    media statement, regulator notification (ready-to-use draft language)
  - Complete BCP template satisfying clause 8.4.4 with activation conditions,
    team assignments, resource checklists, and escalation procedures
  - IT Disaster Recovery Plan (DRP) structure for clause 8.5.2 including
    RTO/RPO validation checkpoints, system recovery sequences, and
    data restoration verification steps
  - Recovery and return-to-normal procedure (clause 8.4.5)
  - Post-incident review template aligned to clause 8.6

plugins/iso22301/skills/iso22301/references/iso22301-templates.md  (703 lines)
  Ten production-ready templates, each mapped to the ISO 22301:2019 clause
  it satisfies:
  1. Business Continuity Policy (clause 5.2)
  2. BCMS Scope Statement (clause 4.3)
  3. BIA Assessment Form (clause 8.2.2) - tabular format with impact scoring
  4. Risk Register for disruption scenarios (clause 8.2.3)
  5. Exercise Plan (clause 8.5.1) - covers objectives, scenario, success criteria
  6. Exercise After-Action Report (clause 8.5.1/9.1)
  7. Management Review Record (clause 9.3)
  8. Nonconformity and Corrective Action Record (clause 10.1)
  9. Internal Audit Plan (clause 9.2)
  10. BC Competence Matrix (clause 7.2)

ISO 22301 - Claude Skill/ISO-22301-README.md  (260 lines)
  User-facing README for the distributable skill, following the same
  format as ISO-27001-README.md and ISO-31000-README.md. Covers:
  - Skill purpose and intended audience (BCM managers, auditors, GRC teams)
  - Common use case table (gap analysis, BIA, BCP writing, exercise planning,
    certification readiness, continual improvement)
  - BCMS lifecycle diagram (context -> planning -> support -> operation ->
    performance evaluation -> improvement)
  - Key terminology glossary
  - Clause structure summary with clause titles and audit significance
  - Mandatory documentation checklist (20 documented information items)
  - Usage tips and example prompt patterns
  - Disclaimer (educational tool, not legal/certification advice)

ISO 22301 - Claude Skill/iso22301.skill  (ZIP archive, 47,264 bytes)
  Distributable ZIP archive for the Claude skill installer. Internal layout:
    iso22301/SKILL.md               (34,353 bytes)
    iso22301/references/iso22301-bcps.md        (21,715 bytes)
    iso22301/references/iso22301-bia-guide.md   (18,142 bytes)
    iso22301/references/iso22301-clauses.md     (34,400 bytes)
    iso22301/references/iso22301-templates.md   (26,943 bytes)
  SKILL.md is exactly one level deep inside the archive, satisfying the
  test_skill_md_exactly_one_level_deep validation requirement.

FILES MODIFIED
--------------

.claude-plugin/marketplace.json
  Added iso22301 as the first entry in the plugins array. Fields: name,
  source (./plugins/iso22301), version (1.0.0), description, category
  (compliance), and keywords. Updated top-level description to include
  ISO 22301 in the list of supported frameworks.

tests/test_plugin_structure.py
  Added 'iso22301' to EXPECTED_PLUGINS set (now 10 entries). Updated
  docstring count from 9 to 10.

tests/test_skill_installability.py
  Added 'iso22301.skill' to EXPECTED_SKILLS set (now 10 entries). Updated
  docstring count from 9 to 10 in test_all_expected_skills_present.

TEST RESULTS
------------
All 187 tests pass (0 failures):
  tests/test_plugin_structure.py  - 107 tests, all PASSED
    Includes: test_plugin_json_exists, test_plugin_json_is_valid,
    test_plugin_json_required_fields, test_plugin_version_semver,
    test_skills_directory_exists, test_skills_directory_has_one_skill_folder,
    test_skill_md_exists, test_skill_md_not_empty,
    test_no_files_outside_skill_folder, test_references_are_markdown,
    test_all_expected_plugins_present, test_no_unexpected_plugins,
    test_marketplace_json_exists, test_marketplace_json_valid,
    test_marketplace_lists_all_plugins
  tests/test_skill_installability.py  - 80 tests, all PASSED
    Includes: test_is_valid_zip, test_archive_not_empty,
    test_exactly_one_skill_md, test_skill_md_exactly_one_level_deep,
    test_no_path_traversal, test_all_files_under_top_level_folder,
    test_skill_md_not_empty, test_references_under_skill_folder,
    test_all_expected_skills_present, test_no_unexpected_skills

ISO 22301:2019 CLAUSE COVERAGE
--------------------------------
Clause 4  - Context of the Organization (4.1, 4.2, 4.3, 4.4)
Clause 5  - Leadership (5.1, 5.2, 5.3)
Clause 6  - Planning (6.1, 6.2)
Clause 7  - Support (7.1, 7.2, 7.3, 7.4, 7.5)
Clause 8  - Operation (8.1, 8.2.1, 8.2.2, 8.2.3, 8.3.1-8.3.5, 8.4.1-8.4.5,
            8.5.1, 8.5.2, 8.6)
Clause 9  - Performance Evaluation (9.1, 9.2, 9.3)
Clause 10 - Improvement (10.1, 10.2)

MANDATORY DOCUMENTED INFORMATION COVERED (ISO 22301:2019)
----------------------------------------------------------
1.  BCMS scope (4.3)
2.  Business continuity policy (5.2)
3.  Roles and authorities (5.3)
4.  Risks and opportunities (6.1)
5.  BC objectives (6.2)
6.  Evidence of competence (7.2)
7.  Documented BCMS information required by standard (7.5)
8.  Business impact analysis results (8.2.2)
9.  Risk assessment results (8.2.3)
10. BC strategies and solutions (8.3)
11. Incident response structure/plans (8.4.2)
12. Warning and communication procedures (8.4.3)
13. Business continuity plans (8.4.4)
14. Recovery procedures (8.4.5)
15. Exercise programme and results (8.5.1)
16. Technical testing results (8.5.2)
17. Evaluation and updating outcomes (8.6)
18. Monitoring and measurement results (9.1)
19. Internal audit programme and results (9.2)
20. Management review outputs (9.3)

Standard: ISO/IEC 27017:2015 - Information technology - Security techniques -
Code of practice for information security controls based on ISO/IEC 27002 for
cloud services.

Published by ISO/IEC JTC 1/SC 27, first edition December 2015.

OVERVIEW
--------
ISO 27017 is an extension of ISO/IEC 27002:2013 that provides cloud-specific
implementation guidance for information security controls. It addresses both
Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs), and
introduces 7 additional controls prefixed with 'CLD' that have no equivalent
in the base ISO 27002 standard.

The standard is a code of practice, not a certifiable standard in its own
right. Organisations certify against ISO 27001; ISO 27017 supplements that
with cloud-specific control implementation guidance.

BASE STANDARD RELATIONSHIP
---------------------------
ISO 27017 is explicitly based on ISO/IEC 27002:2013 (114 controls, 14 domains).
It provides cloud-specific guidance for 37 of those controls, covering domains:
5 (policies), 6 (organisation), 7 (HR security), 8 (asset management),
9 (access control), 10 (cryptography), 11 (physical security), 12 (operations),
13 (communications), 14 (acquisition/development), 15 (supplier relationships),
16 (incident management), 17 (business continuity), and 18 (compliance).

THE 7 CLOUD-SPECIFIC CLD CONTROLS
-----------------------------------
CLD.6.3.1  - Shared roles and responsibilities within a cloud computing
             environment. Requires both CSP and CSC to formally document and
             agree the allocation of security responsibilities, including in
             the cloud service agreement.

CLD.8.1.5  - Removal or return of cloud service customer assets. Requires
             CSPs to provide data return in usable formats and certified
             deletion of all CSC data after service termination.

CLD.9.5.1  - Segregation in virtual computing environments. Requires CSPs to
             implement logical isolation between tenants at compute, storage,
             and network layers including hypervisor-level isolation.

CLD.9.5.2  - Virtual machine hardening. Requires CSPs and CSCs to apply
             hardening standards to VMs including patch management, unnecessary
             service removal, encrypted storage, and host-based controls.

CLD.12.1.5 - Administrator operational security. Requires CSPs to apply MFA,
             least privilege, role separation, and comprehensive logging to all
             cloud service administrator accounts and activities.

CLD.12.4.5 - Monitoring of cloud services. Requires CSPs to make monitoring
             data available to CSCs and requires CSCs to actively monitor their
             own cloud usage and integrate CSP logs into their SIEM.

CLD.13.1.4 - Alignment of security management for virtual and physical
             networks. Requires CSPs to ensure virtual network security
             controls are equivalent to and consistent with physical network
             controls.

SHARED RESPONSIBILITY MODEL
----------------------------
A core concept of ISO 27017 is the explicit shared responsibility model.
Control allocation varies by service model:
- IaaS: CSP manages physical, network, and hypervisor; CSC manages OS and above
- PaaS: CSP extends to OS and runtime; CSC manages applications and data
- SaaS: CSP manages almost all technical controls; CSC manages IAM and data

SKILL CONTENTS
--------------
plugins/iso27017/
  .claude-plugin/plugin.json              Plugin metadata (version 1.0.0)
  skills/iso27017/
    SKILL.md                              Main skill: workflows, control tables,
                                          gap analysis templates, checklists
    references/
      cloud-controls.md                   Detailed guidance on all 7 CLD
                                          controls: purpose, CSP requirements,
                                          CSC requirements, audit evidence,
                                          and common pitfalls for each
      iso27002-cloud-guidance.md          All 37 ISO 27002 controls covered by
                                          ISO 27017, with per-control cloud-
                                          specific guidance from both CSP and
                                          CSC perspectives
      shared-responsibility.md            Shared responsibility matrix covering
                                          37 control areas across IaaS, PaaS,
                                          and SaaS service models, plus cloud
                                          service agreement security checklist
      templates.md                        Five reusable templates: gap analysis
                                          spreadsheet, CSA security review
                                          checklist, cloud security policy,
                                          VM hardening standard, and vendor
                                          due diligence questionnaire

ISO 27017 - Claude Skill/
  ISO-27017-README.md                     Human-readable README for the skill
  iso27017.skill                          Installable ZIP archive for Claude

TESTS
-----
- tests/test_plugin_structure.py: added 'iso27017' to EXPECTED_PLUGINS
- tests/test_skill_installability.py: added 'iso27017.skill' to EXPECTED_SKILLS
- All 187 tests pass (187 passed, 0 failed)

MARKETPLACE
-----------
.claude-plugin/marketplace.json updated to include the iso27017 plugin entry
with description, version, author, homepage, category, and keywords.

DESIGN DECISIONS
----------------
- Reference numbering uses ISO 27002:2013 control IDs throughout because
  ISO 27017:2015 is explicitly based on the 2013 edition; the 2022 renumbering
  of ISO 27002 does not apply to ISO 27017 as no updated edition has been issued
- CLD controls are documented with CSP-specific and CSC-specific guidance
  separated, matching the structure of the standard itself
- The shared responsibility matrix covers all major control areas across all
  three service models (IaaS/PaaS/SaaS) to support practical use
- Templates are production-ready starting points, not illustrative examples;
  all placeholders are clearly marked with [BRACKETS] for user substitution
- The SKILL.md description field includes specific CLD control numbers and
  synonyms to maximise skill trigger accuracy in Claude Code

QUALITY ASSURANCE
-----------------
- No guessed or inferred control mappings; all guidance is derived from the
  published ISO/IEC 27017:2015 standard structure
- Shared responsibility allocations reflect the authoritative split described
  in the standard for each service model
- All 7 CLD controls documented with: purpose, CSP requirements, CSC
  requirements, cloud service agreement provisions, required audit evidence,
  and common implementation pitfalls
- All 37 ISO 27002 controls with cloud guidance documented with both CSP-side
  and CSC-side implementation notes

## Regulatory Background

Regulation (EU) 2024/1689 of the European Parliament and of the Council
(the EU AI Act) was published in the Official Journal of the European Union
on 12 July 2024 and entered into force on 1 August 2024. It is the world's
first comprehensive horizontal legal framework specifically governing
artificial intelligence systems. The regulation applies to providers,
deployers, importers, distributors and product manufacturers across the EU
single market and establishes a risk-based tiered compliance regime across
113 articles, 13 chapters and 13 annexes.

## Application Timeline

- 2 February 2025: Prohibited practices (Chapter II) apply
- 2 August 2025: GPAI model obligations (Chapter V) apply; governance
  bodies and market surveillance authorities operational
- 2 August 2026: General application including high-risk AI system
  requirements (Chapters III-IV) and transparency rules (Article 50)
- 2 August 2027: High-risk AI systems listed in Annex I (product safety)
  come under full scope
- 2 August 2030: AI systems used in regulated financial services contracts
  placed on the market before August 2026 must comply

## Skill Structure

Plugin directory: plugins/eu-ai-act/
  .claude-plugin/plugin.json          -- Plugin metadata and marketplace entry
  skills/eu-ai-act/SKILL.md           -- Core skill file (~25 KB)
  skills/eu-ai-act/references/        -- Five supporting reference documents

Installable archive: EU AI Act - Claude Skill/eu-ai-act.skill
User documentation: EU AI Act - Claude Skill/EU-AI-Act-README.md

## SKILL.md Coverage

The core skill file covers:
- Risk classification decision tree: Prohibited (Art. 5) -> High-Risk Annex I
  product safety -> High-Risk Annex III operational -> Transparency-only
  (Art. 50) -> Minimal/No risk, with specific questions at each branch
- Provider obligations: 14 pre-market requirements (Arts. 9-17 technical
  documentation, conformity assessment, EU database registration, Declaration
  of Conformity, CE marking) and post-market monitoring obligations (Art. 72)
- Deployer obligations: 11 requirements including fundamental rights impact
  assessment (FRIA), human oversight, transparency to affected persons
- Importer and distributor compliance requirements
- GPAI model obligations: standard GPAI providers (Arts. 53-54) and
  systemic risk threshold providers (Art. 55) at 10^25 training FLOPs
- Six structured compliance workflows: system classification, gap analysis,
  GPAI model assessment, FRIA execution, conformity assessment routing,
  penalty risk analysis
- Governance structure: AI Office, AI Board, national authorities,
  Notified Bodies and their respective roles
- Application timeline table covering 2024-2030 milestones
- Definitions cross-reference table (Art. 3) for 28 key terms
- Index of all five reference documents

## Reference Documents

eu-ai-act-prohibited-practices.md (~16 KB)
  All eight categories of prohibited AI practices under Article 5:
  subliminal manipulation, exploitation of vulnerabilities, social scoring
  by public authorities, biometric categorisation for protected attributes,
  real-time remote biometric identification in public spaces, emotion
  recognition in workplace/education, individual criminal risk prediction,
  and scraping facial images for databases. Each entry includes the precise
  legal elements, key exceptions, what remains permitted, and enforcement
  context.

eu-ai-act-high-risk-systems.md (~26 KB)
  Complete Annex III listing across all eight operational areas with every
  sub-item: biometrics (1a-1b), critical infrastructure (2a-2b), education
  (3a-3b), employment (4a-4b), essential services including creditworthiness
  and life/health insurance (5a-5f), law enforcement (6a-6c), migration and
  border control (7a-7c), and administration of justice (8a-8b). Full
  detail on Articles 8-17 mandatory requirements (risk management, data
  governance, technical documentation, record-keeping, transparency, human
  oversight, accuracy and robustness, cybersecurity). Both conformity
  assessment routes: internal control (Annex VI) and third-party Notified
  Body assessment (Annex VII). EU database registration requirements.

eu-ai-act-gpai-models.md (~16 KB)
  Chapter V complete coverage: definitions of GPAI model vs GPAI system,
  the 10^25 training FLOP threshold for systemic risk designation, Article
  53 obligations (technical documentation to Annex XI, instructions to
  Annex XII, copyright compliance policy, training data summaries), Article
  54 open-weight exception conditions, Article 55 systemic risk obligations
  (adversarial testing, incident reporting, cybersecurity, energy reporting),
  and the codes of practice development process under GPAI Regulation.

eu-ai-act-articles.md (~23 KB)
  Chapter-by-chapter article reference for all 13 chapters: definitions
  and scope (Chapter I), prohibited practices (Chapter II), high-risk
  classification and requirements (Chapter III), transparency rules
  (Chapter IV part), notified bodies and conformity assessment (Chapter IV),
  GPAI models (Chapter V), market surveillance and enforcement (Chapters VI-
  VIII), governance structure AI Office/AI Board (Chapter IX), post-market
  monitoring and incident reporting Art. 72-73 (Chapter X), liability and
  penalties Arts. 99-101 including 35M EUR / 7% turnover maximum (Chapter XII),
  and application dates Art. 113 (Chapter XIII). Definitions table covering
  28 terms from Article 3.

eu-ai-act-obligations-templates.md (~21 KB)
  Ready-to-use compliance tools:
  - Provider pre-market compliance checklist (15 items across risk
    management, data governance, technical documentation, logging,
    transparency, human oversight, accuracy, cybersecurity, conformity
    assessment, EU database registration, DoC, CE marking)
  - Provider post-market checklist (8 items: monitoring plan, incident
    reporting, serious incident 15-day reporting, EU database updates)
  - Deployer compliance checklist (11 items including FRIA for public
    authority deployers, human oversight designation, transparency to
    affected persons, worker information, Art. 26 obligations generally)
  - GPAI provider checklists (standard, open-weight, systemic risk variants)
  - Fundamental Rights Impact Assessment (FRIA) template with all seven
    sections and EU Charter of Fundamental Rights mapping table
  - Annex IV technical documentation structure outline
  - EU Declaration of Conformity template (Annex V format)
  - Serious Incident Report template (Article 73 format)

## Test Suite Updates

tests/test_plugin_structure.py: added 'eu-ai-act' to EXPECTED_PLUGINS set
  (10 plugins total); all parametrised plugin tests now run against
  eu-ai-act directory.

tests/test_skill_installability.py: added 'eu-ai-act.skill' to
  EXPECTED_SKILLS set (10 skills total); updated docstring count from 9
  to 10; all archive integrity tests run against eu-ai-act.skill.

Test result: 187/187 passed (0 failures, 0 errors).

## Marketplace Registration

.claude-plugin/marketplace.json updated with eu-ai-act entry:
  name: eu-ai-act
  version: 1.0.0
  description: EU AI Act compliance advisor covering Regulation (EU)
    2024/1689 risk classification, prohibited practices, high-risk system
    requirements, GPAI model obligations and conformity assessment

SUMMARY
-------
Adds a complete HITRUST Common Security Framework (CSF) compliance skill to the
GRC Skills repository. The skill covers the full HITRUST Assurance Program
including all three assessment types (e1, i1, r2), the 14 HITRUST CSF control
categories, the 5-level maturity model, corrective action plan (CAP) management,
scoping factor analysis, the inheritance program, and cross-framework mappings.

FRAMEWORK BACKGROUND
--------------------
HITRUST (Health Information Trust Alliance) is a private organization founded in
2007. Its Common Security Framework (CSF) was first published in 2009 as the
only certifiable, risk-based framework designed specifically for the US healthcare
industry. HITRUST CSF harmonises requirements from more than 40 authoritative
sources including HIPAA, HITECH, NIST SP 800-53, ISO 27001/27002, PCI DSS,
SOC 2, CMS ARS, COBIT, GDPR, and CMMC.

CURRENT VERSION: HITRUST CSF v11 (released January 2023). The skill covers the
v9.x structure (14 control categories, 49 objectives, 156 specifications) which
underpins most active assessments and the v11 reorganisation.

ASSESSMENT TYPES COVERED
-------------------------
e1  Entry-Level: 44 fixed control requirements; 1-year certification; designed
    for fundamental cyber hygiene attestation; validated by a HITRUST Authorized
    External Assessor (CPA firm).

i1  Implemented 1-Year: 219 Defined Baseline controls (v11); 1-year
    certification; moderate assurance level; full HITRUST Authorized External
    Assessor validation required.

r2  Risk-Based 2-Year: Variable control scope driven by risk factor scoring
    (typically 150-500+ requirements); 2-year certification; interim assessment
    required at 12 months; highest assurance level; full HITRUST QA review and
    certification letter issuance by HITRUST Alliance.

HITRUST MATURITY MODEL
-----------------------
Each control is assessed against a 5-level maturity model (PRISMA-based):
  Level 1 Policy:      Written policies addressing the requirement      (25%)
  Level 2 Procedure:   Documented procedures for implementation         (25%)
  Level 3 Implemented: Evidence of operational controls                 (25%)
  Level 4 Measured:    Performance metrics collected and monitored      (15%)
  Level 5 Managed:     Continuous review and improvement                (10%)

Minimum certifiable score: 62/100 per control. Controls below 62 require a
Corrective Action Plan (CAP). Controls at 62-74 are near-certifiable (CAP
recommended). Controls at 75+ are fully certifiable.

HITRUST CSF CONTROL CATEGORIES (v9.x)
--------------------------------------
00  Information Security Management Program
01  Access Control (logical, privilege, remote, network, wireless)
02  Human Resources Security (screening, training, termination)
03  Risk Management (risk assessment, risk treatment, risk evaluation)
04  Security Policy (policy documentation and review)
05  Organization of Information Security (roles, responsibilities, third parties)
06  Compliance (legal, regulatory, cryptography, audit controls)
07  Asset Management (inventory, classification, media handling)
08  Physical and Environmental Security (perimeter, entry, equipment)
09  Communications and Operations Management (change, backup, logging, malware)
10  Information Systems Acquisition, Development, and Maintenance (SDLC, vulnmgmt)
11  Information Security Incident Management (reporting, response, evidence)
12  Business Continuity Management (BCP, DR, testing)
13  Privacy Practices (HIPAA Privacy Rule alignment, PHI handling, patient rights)

FILES INTRODUCED
----------------
plugins/hitrust/
    .claude-plugin/plugin.json
        Plugin metadata: name, version (0.3.0), description, author, keywords.

    skills/hitrust/SKILL.md
        Main skill file. Contains the YAML front matter with skill name and
        trigger description, framework overview, assessment type summary,
        maturity model reference, full workflow guidance for: assessment type
        selection; gap analysis; corrective action planning; policy generation;
        inheritance and shared responsibility; evidence requirements by
        maturity level; and a common trigger-to-response routing table.

    skills/hitrust/references/hitrust-control-domains.md
        Comprehensive reference covering all 14 HITRUST CSF control categories
        (00-13), all 49 control objectives, and all 156 control specifications
        with full descriptions of what each specification requires. Includes
        evidence guidance and key policy/procedure pointers per category.

    skills/hitrust/references/hitrust-assessment-guide.md
        Detailed assessment guide covering: e1/i1/r2 comparison table; full
        assessment process (11 steps across 3 phases: preparation, validated
        assessment, HITRUST review and certification); scoring calculation
        methodology; CAP lifecycle (creation through closure) with a complete
        CAP template; MyCSF platform overview and user roles; Authorized
        External Assessor selection guidance; certification maintenance and
        renewal procedures; interim assessment requirements for r2.

    skills/hitrust/references/hitrust-scoping-factors.md
        r2 scoping reference covering: how risk-tailored scoping works;
        HITRUST risk factor categories; scoping questionnaire sections (A-F
        covering organization profile, data holdings, business activities,
        technology infrastructure, regulatory requirements, third parties);
        organization type factor mapping; data volume tiers and sensitivity
        factor activations; technology infrastructure factors (cloud, SaaS,
        internet-facing, mobile, remote access, wireless); regulatory factor
        activations; the full HITRUST inheritance program including
        eligibility criteria, validation steps, limitations, common inheritance
        scenarios, and shared responsibility matrix format; system boundary
        scoping guidance; and common scoping mistakes.

    skills/hitrust/references/hitrust-framework-overview.md
        Framework context reference covering: HITRUST Alliance background and
        founding history; what problem the CSF was created to solve; CSF
        version history (v1 through v11); HITRUST vs. HIPAA comparison;
        HITRUST vs. SOC 2, ISO 27001, and NIST SP 800-53 comparisons;
        cross-framework control mapping table (sample: HIPAA CFR references,
        NIST SP 800-53 controls, ISO 27001:2022 Annex A); who needs HITRUST
        certification and why; shared compliance use of HITRUST; complete
        HITRUST terminology glossary (30+ terms); and disclaimer on limitations.

HITRUST - Claude Skill/
    HITRUST-README.md
        Full user-facing README: what the skill does, intended audiences,
        common use cases across all workflow types, skill structure table,
        cross-framework summary, assessment types at a glance, and
        installation instructions.

    hitrust.skill
        ZIP archive of the skill (hitrust/SKILL.md + hitrust/references/*)
        ready for installation via Claude Code plugin manager.

UPDATED FILES
-------------
.claude-plugin/marketplace.json
    Added hitrust plugin entry with name, source path, description, version,
    author, homepage, category, and keywords. Updated top-level description
    to include HITRUST.

tests/test_plugin_structure.py
    Added 'hitrust' to EXPECTED_PLUGINS set (10 plugins total).

tests/test_skill_installability.py
    Added 'hitrust.skill' to EXPECTED_SKILLS set (10 skills total).
    Updated docstring count comment from 9 to 10.

TEST RESULTS
------------
All 187 tests pass (187 passed, 0 failed, 0 errors):
  test_plugin_structure.py :  All plugin structure tests pass for hitrust
                               including plugin.json validity, semver version,
                               skills directory layout, SKILL.md existence and
                               non-empty content, no stray files, markdown-only
                               references, expected plugins inventory, and
                               marketplace.json listing.
  test_skill_installability.py: All archive structure tests pass for
                               hitrust.skill including valid ZIP format, non-empty
                               archive, exactly one SKILL.md, SKILL.md exactly
                               one directory level deep, no path traversal,
                               all files under top-level folder, SKILL.md
                               non-empty, references under skill folder, and
                               expected skills inventory.
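
The archive checks named in the test results above (valid non-empty ZIP,
exactly one SKILL.md exactly one directory level deep, no path traversal,
all files under one top-level folder, references under the skill folder and
markdown-only) are the part of this PR a security reviewer would want to see
as working code. The block below is an added example, not the repository's
tests/test_skill_installability.py, whose implementation is not shown on this
page. The rules are taken from the test names; the function names, the error
messages and the in-memory sample archives are constructed here for illustration.

```python
"""Structural checks for a Claude skill archive (.skill ZIP).

Added example: this is not the repository's tests/test_skill_installability.py,
whose implementation is not shown on the page. The rules mirror the test names
listed in the PR; function names, messages and sample archives are constructed.
"""
import io
import posixpath
import zipfile


def _is_unsafe_path(name: str) -> bool:
    """Zip-slip guard: refuse absolute paths, Windows drive letters, backslashes
    and '.'/'..' segments so that extracting the entry can never escape the
    target directory."""
    first = name.split("/", 1)[0]
    if name.startswith("/") or "\\" in name or ":" in first:
        return True
    return any(seg in ("", ".", "..") for seg in name.split("/"))


def validate_skill_archive(data: bytes) -> list[str]:
    """Return the list of rule violations for an archive given as bytes.

    An empty list means the archive passes every check: valid non-empty ZIP,
    no path traversal, one top-level folder, exactly one non-empty SKILL.md
    exactly one level deep, references under <skill>/references/ and markdown-only.
    """
    problems: list[str] = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["not a valid ZIP archive"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
        if not names:
            return ["archive contains no files"]

        unsafe = [n for n in names if _is_unsafe_path(n)]
        problems += [f"unsafe path (traversal): {n}" for n in unsafe]
        safe = [n for n in names if n not in unsafe]

        # Every file must live under one and only one top-level folder.
        problems += [f"file outside top-level folder: {n}" for n in safe if "/" not in n]
        tops = {n.split("/", 1)[0] for n in safe if "/" in n}
        if len(tops) != 1:
            problems.append(f"expected exactly one top-level folder, found {sorted(tops)}")

        skill_mds = [n for n in safe if posixpath.basename(n) == "SKILL.md"]
        if len(skill_mds) != 1:
            problems.append(f"expected exactly one SKILL.md, found {len(skill_mds)}")
        else:
            skill = skill_mds[0]
            if skill.count("/") != 1:  # must be <folder>/SKILL.md, nothing deeper
                problems.append(f"SKILL.md must be exactly one level deep: {skill}")
            if zf.getinfo(skill).file_size == 0:
                problems.append("SKILL.md is empty")

        # Reference files sit in <folder>/references/ and are markdown.
        for n in safe:
            parts = n.split("/")
            if "references" in parts:
                if len(parts) != 3 or parts[1] != "references":
                    problems.append(f"reference not under <skill>/references/: {n}")
                elif not n.endswith(".md"):
                    problems.append(f"reference is not markdown: {n}")
    return problems


def build_archive(files: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {arcname: content}. writestr() stores names
    verbatim, so a traversal name such as '../x' survives (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for arcname, content in files.items():
            zf.writestr(arcname, content)
    return buf.getvalue()


# Constructed sample archives; none of these is the real hitrust.skill.
GOOD = build_archive({
    "hitrust/SKILL.md": b"---\nname: hitrust\n---\n# HITRUST CSF skill\n",
    "hitrust/references/hitrust-control-domains.md": b"# Control domains\n",
    "hitrust/references/hitrust-assessment-guide.md": b"# Assessment guide\n",
})
ZIP_SLIP = build_archive({"hitrust/SKILL.md": b"# skill\n",
                          "../../.claude/settings.json": b"{}"})
NESTED = build_archive({"bundle/hitrust/SKILL.md": b"# skill\n"})
STRAY = build_archive({"hitrust/SKILL.md": b"# skill\n", "README.md": b"# readme\n"})
EMPTY_SKILL = build_archive({"hitrust/SKILL.md": b""})
NOT_A_ZIP = b"this is not a zip file"

if __name__ == "__main__":
    for label, archive in [("good", GOOD), ("zip-slip", ZIP_SLIP), ("nested", NESTED),
                           ("stray", STRAY), ("empty-skill", EMPTY_SKILL), ("not-zip", NOT_A_ZIP)]:
        print(f"{label:12s}", validate_skill_archive(archive) or "OK")
```

The traversal check runs before the layout checks and excludes the offending
entries from them, so a hostile archive is reported for the entry that matters
rather than drowned in follow-on layout noise; checking names rather than
extracting first is what keeps the validator itself safe to run on untrusted input.
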

Implements a complete Claude skill for the GovRAMP (formerly StateRAMP) security
authorization framework, which provides a standardized, NIST SP 800-53 Rev 5-based
authorization process for cloud service providers (CSPs) selling to state, local,
education, and tribal (SLED) government entities. GovRAMP is governed by a
501(c)(6) nonprofit organization headquartered in Austin, TX; its Program
Management Office (PMO) is operated by RAMPQuest powered by Knowledge Services.

FILES ADDED

plugins/govramp/.claude-plugin/plugin.json
  Plugin metadata conforming to the repository plugin schema. Declares the
  plugin name 'govramp', version 1.0.0, a human-readable description, and a
  keyword set covering govramp, stateramp, sled, nist-800-53, authorization,
  cloud, government, state-local, and continuous-monitoring.

plugins/govramp/skills/govramp/SKILL.md
  Primary Claude skill instruction file with YAML frontmatter. Covers:
  - Framework background: GovRAMP history, transition from StateRAMP (2024),
    mission, nonprofit governance structure, and SLED-market scope.
  - Impact levels: Low, Low+ (CJIS Overlay), Moderate, and High, each aligned
    to NIST SP 800-53 Rev 5 baselines.
  - Authorization status hierarchy:
      Progressing Snapshot (visibility; no formal assessment)
      Core (launched May 2025; 60 controls; PMO-assessed; no 3PAO required;
           quarterly ConMon; intended for lower-risk SLED use cases)
      Ready (3PAO Readiness Assessment Report required; government sponsor
             not required; annual 3PAO assessment thereafter)
      Authorized / Provisionally Authorized (full 3PAO Security Assessment
             Report plus a government sponsor; highest assurance level)
  - Fast Track pathway: available to FedRAMP-authorized providers; requires
    90 days of ConMon data and existing documentation package; significantly
    reduces time to authorization.
  - Texas RAMP (TX-RAMP) automatic reciprocity details.
  - CJIS Security Policy overlay requirements for Criminal Justice Information
    environments.
  - All 20 NIST SP 800-53 Rev 5 control family codes and names.
  - Required documentation: SSP, IRP, CP, POA&M, vulnerability scan results,
    penetration test report, and inventory artifacts.
  - Continuous monitoring obligations: monthly deliverable schedule, annual
    assessment cadence, deviation request types (false positive, risk
    adjustment, operational).
  - Gap assessment approach and structured readiness questions for CSPs.
  - Side-by-side GovRAMP vs FedRAMP comparison table.
  - Common findings and implementation pitfalls.
  - References to all five supporting reference files.

plugins/govramp/skills/govramp/references/readiness-checklist.md
  Structured gap assessment checklist with more than 100 line items organized
  across 16 control domains: organizational membership, authorization
  boundary, policies and procedures, access control (AC), configuration
  management (CM), audit and accountability (AU), identification and
  authentication (IA), incident response (IR), contingency planning (CP),
  risk assessment (RA), system and communications protection (SC), personnel
  security (PS), physical and environmental protection (PE), privacy, CJIS
  overlay specifics, and documentation completeness. Includes a summary
  scoring table for Red/Yellow/Green assessment readiness.

plugins/govramp/skills/govramp/references/status-pathways.md
  Decision guide for selecting the correct GovRAMP authorization pathway.
  Contains a status comparison table, a structured decision tree (FedRAMP Fast
  Track eligibility check -> goal assessment -> impact level determination ->
  pathway selection), detailed effort and approximate cost ranges for each
  pathway, government sponsorship options (direct agency sponsor vs. Approvals
  Committee), Progressing Snapshot enrollment guidance, information on the
  Appeals Committee process, and a GovRAMP glossary.

plugins/govramp/skills/govramp/references/ssp-guide.md
  Section-by-section writing guide for the GovRAMP System Security Plan. Walks
  through all 10 SSP sections and required appendices, provides control family
  writing tips for AC, AU, CM, IA, IR, RA, and SC families, and lists the 10
  most common SSP deficiencies identified during PMO review cycles.

plugins/govramp/skills/govramp/references/conmon-guide.md
  Continuous monitoring obligations reference organized by authorization status
  level. Documents the monthly deliverable set (vulnerability scans, POA&M
  updates, system inventory, ConMon summary report), annual assessment
  requirements, quarterly obligations specific to Core status, all required
  POA&M fields, remediation SLA windows by finding severity (Critical: 30 days,
  High: 90 days, Moderate: 180 days, Low: 365 days), deviation request
  procedures, escalation triggers, and incident reporting requirements and
  timelines.

plugins/govramp/skills/govramp/references/control-mapping.md
  NIST SP 800-53 Rev 5 control mapping and the complete Core 60-control
  breakdown. Lists all 20 control families with their identifiers. Details
  each of the 60 Core controls by family with priority classification and
  implementation focus notes. Documents the control additions that apply at
  Moderate and High impact levels relative to the Low baseline. Includes the
  CJIS Overlay additional control set, a quick reference table for MFA,
  encryption, and scanning requirements by status level, and a cross-framework
  alignment table mapping GovRAMP to FedRAMP, NIST CSF, and StateRAMP legacy
  identifiers.

GovRAMP - Claude Skill/GovRAMP-README.md
  User-facing README for the top-level skill folder. Documents the eight
  intended audience types (CSPs new to GovRAMP, compliance teams, security
  engineers, 3PAOs, procurement officers, state/local IT departments, legal
  counsel, and auditors), ten common use cases with example prompts, a skill
  coverage table, installation instructions, a source accuracy section
  referencing the official govramp.org URLs used during research, and a
  disclaimer regarding the authoritative nature of the official PMO guidance.

GovRAMP - Claude Skill/govramp.skill
  Distributable ZIP archive for Claude skill installation. Internal structure:
    govramp/SKILL.md
    govramp/references/conmon-guide.md
    govramp/references/control-mapping.md
    govramp/references/readiness-checklist.md
    govramp/references/ssp-guide.md
    govramp/references/status-pathways.md

FILES MODIFIED

.claude-plugin/marketplace.json
  Added the govramp plugin entry after the iso42001 entry. Entry includes
  name, version 1.0.0, description, keyword array, and source path
  ./plugins/govramp.

tests/test_plugin_structure.py
  Added 'govramp' to the EXPECTED_PLUGINS set. The set now contains 10
  entries. Updated the inventory count comment accordingly.

tests/test_skill_installability.py
  Added 'govramp.skill' to the EXPECTED_SKILLS set and updated the docstring
  on test_all_expected_skills_present to reflect the new count of 10 expected
  skill archives.

TEST RESULTS

All 187 pytest tests pass (186 pre-existing + 1 new govramp-specific test in
test_skill_installability.py; govramp tests in test_plugin_structure.py were
already counted in the parametrized suite).

  187 passed in 0.20s

Test coverage for this plugin includes:
  plugin_json_exists, plugin_json_is_valid, plugin_json_required_fields,
  plugin_version_semver, skills_directory_exists,
  skills_directory_has_one_skill_folder, skill_md_exists, skill_md_not_empty,
  no_files_outside_skill_folder, references_are_markdown,
  test_all_expected_plugins_present, test_no_unexpected_plugins,
  test_marketplace_json_exists, test_marketplace_json_valid,
  test_marketplace_lists_all_plugins, test_is_valid_zip[govramp.skill],
  test_archive_not_empty[govramp.skill],
  test_exactly_one_skill_md[govramp.skill],
  test_skill_md_exactly_one_level_deep[govramp.skill],
  test_no_path_traversal[govramp.skill],
  test_all_files_under_top_level_folder[govramp.skill],
  test_skill_md_not_empty[govramp.skill],
  test_references_under_skill_folder[govramp.skill],
  test_all_expected_skills_present, test_no_unexpected_skills.

SOURCES

All content is derived exclusively from official GovRAMP documentation and
the govramp.org website. No content was inferred or synthesized beyond what
is explicitly stated in official sources. Key pages referenced:
  https://govramp.org/
  https://govramp.org/providers/
  https://govramp.org/providers/core/
  https://govramp.org/providers/ready-or-authorized-process/
  https://govramp.org/providers/authorized/
  https://govramp.org/providers/progressing-snapshot/
  https://govramp.org/governments/
  https://govramp.org/rev-5-templates-and-resources/

Framework: Cybersecurity Maturity Model Certification (CMMC) 2.0
Regulatory basis: 32 CFR Part 170 (Final Rule, effective December 16, 2024)

CMMC 2.0 is the DoD cybersecurity certification program for defense contractors
and subcontractors in the Defense Industrial Base (DIB) that handle Federal
Contract Information (FCI) or Controlled Unclassified Information (CUI).

Files added
-----------
plugins/cmmc/.claude-plugin/plugin.json
  - Plugin manifest with name, version (1.0.0), description, author, keywords
  - Registered in Claude Code plugin registry format

plugins/cmmc/skills/cmmc/SKILL.md
  - Main skill instruction file with YAML frontmatter trigger description
  - Framework overview covering CMMC 2.0 regulatory basis (32 CFR Part 170,
    DFARS 252.204-7012/7019/7020/7021, NIST SP 800-171 Rev 2, NIST SP 800-172)
  - Three-level structure: Level 1 (17 practices, FCI, self-assessment),
    Level 2 (110 practices, CUI, C3PAO triennial), Level 3 (134 practices,
    CUI critical programs, DIBCAC)
  - Domain and practice count table for all 14 Level 2 domains
  - Additional 24 Level 3 enhanced practice breakdown by domain
  - Reference file routing table for context-aware loading
  - Core workflows: level determination, scoping, gap analysis, SSP documentation,
    SPRS score calculation, POA&M development, assessment process overview,
    annual affirmation, CUI categories, and common misconceptions

plugins/cmmc/skills/cmmc/references/level1-practices.md
  - All 17 Level 1 practices sourced from FAR 52.204-21
  - Practices organized by domain: AC (4), IA (2), MP (1), PE (4), SC (2), SI (4)
  - Self-assessment methodology (4-step process)
  - Evidence examples per practice
  - Common Level 1 deficiencies with root cause descriptions

plugins/cmmc/skills/cmmc/references/level2-practices.md
  - All 110 Level 2 practices from NIST SP 800-171 Rev 2
  - Complete practice-by-practice table across all 14 domains with NIST references
  - SPRS score deduction reference: high (-5), medium (-3), low (-1) weights
  - Critical evidence requirements by domain for C3PAO assessment preparation
  - DFARS 252.204-7012 incident reporting obligations (72-hour DoD notification,
    90-day image preservation)

plugins/cmmc/skills/cmmc/references/level3-practices.md
  - All 24 additional Level 3 enhanced practices from NIST SP 800-172
  - Organized by domain: AC (4), AT (1), CM (1), IA (1), IR (4), RA (5),
    CA (3), SC (3), SI (2)
  - DIBCAC assessment process in detail (5 phases)
  - Level 3 preparation checklist covering SOC/CSOC, threat hunting, deception
    technologies, penetration testing, threat intelligence, APT training, insider
    threat program, incident response team, hardware isolation, key management

plugins/cmmc/skills/cmmc/references/scoping-guide.md
  - Six CMMC asset categories with definitions and examples:
    CUI Assets, Security Protection Assets (SPAs), Contractor Risk Managed
    Assets (CRMAs), Specialized Assets (OT/ICS, IoT, GFE), Out-of-Scope Assets,
    External Service Providers (ESPs)
  - FCI and CUI definitions with NARA CUI Registry reference
  - Common DoD CUI categories (CTI, Export Controlled, PBI, NNPI, Privacy)
  - 8-step scoping process from CUI identification through SSP documentation
  - Network segmentation recommendations for scope reduction
  - Common scoping mistakes with consequences

plugins/cmmc/skills/cmmc/references/assessment-guide.md
  - Cyber-AB and C3PAO ecosystem description with marketplace reference
  - Level 2 C3PAO assessment process (5 phases): pre-assessment, engagement,
    execution, results/certification, annual affirmation
  - SPRS score calculation using DoD Assessment Methodology v1.2.1 deduction
    weights; scoring table with conditional certification thresholds
  - SPRS submission process via DIBNet portal
  - Domain-by-domain evidence requirements for C3PAO assessment
  - POA&M format, conditional certification rules (180-day closure requirement),
    and closure verification process
  - CMMC contract clause summary (FAR 52.204-21, DFARS 252.204-7012/7019/7020/7021)

CMMC - Claude Skill/CMMC-README.md
  - Human-readable README with use-case table, skill structure tree,
    official resource links, and disclaimer

CMMC - Claude Skill/cmmc.skill
  - ZIP archive (30,556 bytes) with correct internal structure:
    cmmc/SKILL.md (one level deep, per installer specification)
    cmmc/references/*.md (5 reference files)

Files modified
--------------
.claude-plugin/marketplace.json
  - Added CMMC entry with name, source path, description, version, category,
    and keywords

tests/test_plugin_structure.py
  - Added 'cmmc' to EXPECTED_PLUGINS set

tests/test_skill_installability.py
  - Added 'cmmc.skill' to EXPECTED_SKILLS set

Test results
------------
187 tests passed, 0 failed
Covers: plugin structure, JSON validity, semver versioning, SKILL.md existence
and content, archive structure, path safety, marketplace registration

Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>

Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>

feat: Add ISO 27017 Cloud Security Controls Skill

feat: Add CMMC (Cybersecurity Maturity Model Certification) Skill

Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>

feat: Add ISO 22301 Business Continuity Management Skill

# Conflicts:
#	.claude-plugin/marketplace.json
#	tests/test_plugin_structure.py
#	tests/test_skill_installability.py

Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
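The archive checks named in the commit messages above (valid ZIP format, non-empty archive, exactly one SKILL.md exactly one directory level deep, no path traversal, all files under one top-level folder, references under the skill folder and markdown-only) can be expressed as a small validator. The block below is an added example and is not the repository's own tests/test_skill_installability.py: the expected layout `<skill>/SKILL.md` plus `<skill>/references/*.md` and nothing else, the function names, and the in-memory sample archive are assumptions constructed for illustration.

```python
"""Validator for a Claude skill archive (.skill, a ZIP file).

Added example, not the repository's own test code. Assumed layout, read from
the commit messages: <skill>/SKILL.md plus <skill>/references/*.md, nothing else.
"""
import io
import zipfile


def build_sample_skill(top: str = "example", include_traversal: bool = False) -> bytes:
    """Construct a small in-memory .skill archive (sample data, not a real skill)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{top}/SKILL.md", "---\nname: example\n---\n# Example skill\n")
        zf.writestr(f"{top}/references/guide.md", "# Guide\n")
        if include_traversal:
            # Entry with a '..' component: a naive extractor would write it
            # outside the install directory. Used here only to exercise the check.
            zf.writestr("../outside.md", "escape attempt\n")
    return buf.getvalue()


def _is_unsafe(name: str) -> bool:
    """Reject absolute paths, drive letters, backslashes and '..' components."""
    if name.startswith("/") or "\\" in name or (len(name) > 1 and name[1] == ":"):
        return True
    return ".." in name.split("/")


def validate_skill_archive(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["not a valid ZIP archive"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        contents = {n: zf.read(n) for n in names}
    if not names:
        return ["archive is empty"]

    # Path safety is checked before anything else is trusted.
    for n in names:
        if _is_unsafe(n):
            findings.append(f"unsafe path: {n}")

    # Every entry must live under a single top-level folder (the skill name).
    tops = sorted({n.split("/", 1)[0] for n in names})
    if len(tops) != 1:
        findings.append(f"files must share one top-level folder, found: {tops}")
    top = tops[0]

    # Exactly one SKILL.md, directly inside the top-level folder, with content.
    skill_files = [n for n in names if n.split("/")[-1] == "SKILL.md"]
    if len(skill_files) != 1:
        findings.append(f"expected exactly one SKILL.md, found {len(skill_files)}")
    for n in skill_files:
        if n.split("/") != [top, "SKILL.md"]:
            findings.append(f"SKILL.md must be exactly one level deep: {n}")
        if not contents[n].strip():
            findings.append(f"SKILL.md is empty: {n}")

    # Everything else must be a markdown file under <top>/references/.
    for n in names:
        if n in skill_files:
            continue
        parts = n.split("/")
        if len(parts) < 3 or parts[0] != top or parts[1] != "references":
            findings.append(f"file outside {top}/references/: {n}")
        elif not n.endswith(".md"):
            findings.append(f"reference is not markdown: {n}")
    return findings


if __name__ == "__main__":
    print("clean archive:", validate_skill_archive(build_sample_skill()) or "OK")
    print("traversal archive:", validate_skill_archive(build_sample_skill(include_traversal=True)))
```

The path check runs on the stored entry names rather than on what an extractor would produce, because the installer, not this validator, decides how names are mapped to disk; rejecting `..`, absolute paths and drive letters at validation time keeps the archive from depending on the extractor being careful.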