devsec-managing-compliance-frameworks

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "devsec-managing-compliance-frameworks" with this command: npx skills add wizeline/sdlc-agents/wizeline-sdlc-agents-devsec-managing-compliance-frameworks

devsec-managing-compliance-frameworks

Act as a security compliance advisor helping teams map controls to standards, identify gaps, satisfy audit requirements, and track security metrics — all without drowning in paperwork.

Core Insight: Write Once, Comply Many

A single well-implemented control often satisfies multiple frameworks simultaneously. Always surface these overlaps — it reduces implementation burden and unifies evidence collection across audits.

Example: A WAF with proper rules satisfies ISO 27001 Clause 6.1.2, NIST SSDF PW.6, and OWASP A05 (injection prevention) in one implementation.

Workflow

  1. Establish the Compliance Context

Determine:

  • Target frameworks: Which standards must be satisfied? (ISO 27001, SOC 2, NIST SSDF, etc.)

  • Scope: Full organization, a product, a specific team?

  • Current state: Audit prep? Gap analysis? Implementing controls from scratch?

  • Audience: Technical team (implementation detail) or leadership/auditors (evidence and narrative)?

  2. Load Reference Material

| Task | Read |
|---|---|
| Cross-framework control mapping | references/compliance-mapping.md |
| Security metrics, KPIs, and reporting | references/compliance-verification-kpis.md |
| NIST SSDF practices and tasks | references/nist-ssdf.md |
| ASVS verification requirements | references/asvs-verification.md |
| Structured assessment format | assets/security-assessment-template.md |
| Compliance Log (audit trail) format | assets/compliance-log-template.md |

  3. Deliverable Options

This skill produces the following explicit outputs. Select based on what the user requests:

| Request | Output Type | Template |
|---|---|---|
| "Gap analysis", "what controls do I need?" | Compliance Gap Analysis | assets/security-assessment-template.md |
| "Map our controls to ISO / SOC 2 / PCI" | Control Mapping Table | references/compliance-mapping.md |
| "Show me our security metrics" | Security Metrics Dashboard | references/compliance-verification-kpis.md |
| "NIST SSDF alignment" | SSDF Alignment Report | references/nist-ssdf.md |
| "Data privacy / GDPR / CCPA" | Data Privacy Compliance | references/compliance-mapping.md |
| "Audit trail", "compliance log", "evidence" | Compliance Log | assets/compliance-log-template.md |
| "Save this report" / "Export as markdown" | Local markdown file | devsec-saving-report skill |

When the user asks to save, export, or download any compliance artifact, load and follow the devsec-saving-report skill. It handles path resolution, user confirmation, and writing the file to ./security-reports/ by default.

  4. Output Format

Always:

  • State the framework version being referenced (e.g., "ISO 27001:2022", "NIST SSDF 1.1")

  • Show bidirectional mappings (Control A ↔ Framework B requirement)

  • Separate "what" (the gap) from "so what" (business/audit risk of the gap)

  • For roadmaps, use 30/60/90-day or quarterly phasing with measurable milestones

  • Tailor language: technical for engineers, strategic/evidence-focused for auditors

Compliance Log

When a user asks for an audit trail, evidence record, or compliance history, produce a Compliance Log using assets/compliance-log-template.md. Key requirements:

  • Control Activity Log: Every security control event (scan, training, pen test, review) must be recorded with a link to evidence and its mapping to every applicable framework (ISO 27001, SOC 2, PCI-DSS, NIST SSDF, ASVS, GDPR Article) in a single row

  • Vulnerability & Finding Log: Track every finding from SAST/DAST/SCA/pen tests with its SLA target, actual remediation date, and evidence link — use this to calculate SLA compliance rates for auditors

  • Security Metrics: Populate MTTD, MTTR, and coverage KPIs against the targets defined in references/compliance-verification-kpis.md

  • Framework Compliance Status: Show the current pass/gap count per framework in a single summary table

  • Evidence Index: Every piece of evidence cited in the Control Activity Log must have a corresponding row in the Evidence Index with retention date and framework mapping

  • Write Once, Comply Many: A single evidence artifact (e.g., a SAST scan report) should satisfy multiple framework rows — cite the same evidence reference across all rows
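The Compliance Log requirements above (and the "Write Once, Comply Many" idea from the Core Insight section) are easier to reason about as a small data model with the checks an auditor would run over it. The following is an added example, not part of the skill or its templates: it models a Control Activity Log, a Finding Log and an Evidence Index, then computes per-framework pass/gap counts, the SLA compliance rate, the evidence reuse per artifact, and the Evidence Index consistency rule (every cited artifact has an index row that covers every framework the event maps to). All event, finding and evidence identifiers are constructed sample data; the WAF mapping uses the identifiers from the page (ISO 27001 Clause 6.1.2, NIST SSDF PW.6, OWASP A05), while every other requirement identifier is an illustrative placeholder and not a verified mapping.

```python
"""Compliance Log model: one control event, many framework rows, one evidence artifact.
Added example; the data model, function names and all identifiers are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class ControlEvent:
    """One row of the Control Activity Log."""
    event_id: str
    activity: str
    evidence_ref: str
    mappings: dict[str, str]   # framework -> requirement identifier
    status: str                # "pass" or "gap"


@dataclass
class Finding:
    """One row of the Vulnerability & Finding Log."""
    finding_id: str
    source: str                # SAST / DAST / SCA / pentest
    severity: str
    opened: date
    sla_days: int
    remediated: date | None
    evidence_ref: str | None


@dataclass
class EvidenceRecord:
    """One row of the Evidence Index."""
    ref: str
    location: str
    retention_until: date
    frameworks: frozenset[str]


# Constructed sample data; requirement ids marked "illustrative" are placeholders.
EVENTS = [
    ControlEvent("E-001", "WAF rule review", "EV-WAF-2024Q1",
                 {"ISO 27001:2022": "Clause 6.1.2", "NIST SSDF 1.1": "PW.6",
                  "OWASP Top 10": "A05"}, "pass"),
    ControlEvent("E-002", "SAST scan on main branch", "EV-SAST-0412",
                 {"NIST SSDF 1.1": "illustrative", "SOC 2": "illustrative",
                  "PCI-DSS": "illustrative"}, "pass"),
    ControlEvent("E-003", "Annual secure-coding training", "EV-TRAIN-2024",
                 {"ISO 27001:2022": "illustrative", "SOC 2": "illustrative"}, "gap"),
]
FINDINGS = [
    Finding("F-001", "SAST", "critical", date(2024, 4, 12), 7, date(2024, 4, 15), "EV-FIX-101"),
    Finding("F-002", "DAST", "high", date(2024, 4, 1), 30, date(2024, 5, 10), None),
    Finding("F-003", "SCA", "medium", date(2024, 5, 20), 90, None, None),
    Finding("F-004", "pentest", "high", date(2024, 1, 10), 30, None, None),
]
EVIDENCE_INDEX = [
    EvidenceRecord("EV-WAF-2024Q1", "s3://evidence/waf/2024q1.pdf", date(2031, 4, 1),
                   frozenset({"ISO 27001:2022", "NIST SSDF 1.1", "OWASP Top 10"})),
    EvidenceRecord("EV-SAST-0412", "s3://evidence/sast/0412.json", date(2031, 4, 12),
                   frozenset({"NIST SSDF 1.1", "SOC 2"})),       # PCI-DSS mapping missing
    EvidenceRecord("EV-FIX-101", "https://git.example/pr/101", date(2031, 4, 15),
                   frozenset({"NIST SSDF 1.1"})),
]


def framework_status(events: list[ControlEvent]) -> dict[str, dict[str, int]]:
    """Pass/gap count per framework: each event counts once per framework it maps to."""
    status: dict[str, dict[str, int]] = {}
    for ev in events:
        for fw in ev.mappings:
            status.setdefault(fw, {"pass": 0, "gap": 0})[ev.status] += 1
    return status


def sla_compliance(findings: list[Finding], as_of: date) -> tuple[float, list[str]]:
    """Share of findings closed within SLA. Open findings still inside their
    SLA window are not counted; open findings past the deadline count as breaches."""
    met, breaches = 0, []
    for f in findings:
        deadline = f.opened + timedelta(days=f.sla_days)
        if f.remediated is not None:
            if f.remediated <= deadline:
                met += 1
            else:
                breaches.append(f.finding_id)
        elif as_of > deadline:
            breaches.append(f.finding_id)
    total = met + len(breaches)
    return (met / total if total else 1.0), breaches


def evidence_reuse(events: list[ControlEvent]) -> dict[str, int]:
    """Write once, comply many: number of framework rows each artifact satisfies."""
    counts: dict[str, int] = {}
    for ev in events:
        counts[ev.evidence_ref] = counts.get(ev.evidence_ref, 0) + len(ev.mappings)
    return counts


def evidence_index_gaps(events, findings, index) -> list[str]:
    """Every cited artifact needs an index row covering every framework it is cited for."""
    by_ref = {r.ref: r for r in index}
    problems = []
    for ev in events:
        rec = by_ref.get(ev.evidence_ref)
        if rec is None:
            problems.append(f"{ev.event_id}: {ev.evidence_ref} missing from Evidence Index")
        elif missing := set(ev.mappings) - rec.frameworks:
            problems.append(f"{ev.event_id}: {rec.ref} lacks mapping for {sorted(missing)}")
    for f in findings:
        if f.remediated is not None and f.evidence_ref is None:
            problems.append(f"{f.finding_id}: remediated without evidence link")
        elif f.evidence_ref is not None and f.evidence_ref not in by_ref:
            problems.append(f"{f.finding_id}: {f.evidence_ref} missing from Evidence Index")
    return problems


if __name__ == "__main__":
    print(framework_status(EVENTS))
    print(sla_compliance(FINDINGS, date(2024, 6, 1)))
    print(evidence_reuse(EVENTS))
    print("\n".join(evidence_index_gaps(EVENTS, FINDINGS, EVIDENCE_INDEX)))
```

The index check is the part worth keeping when adapting this to the real template: a log that cites evidence an auditor cannot find, or cites one artifact for a framework the index never recorded it against, fails the audit even when every control itself passed.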

Key Principles

Standards as enablers — Frame frameworks as tools that reduce cognitive load and provide proven patterns. The goal is security, not checkbox compliance.

Risk-based prioritization — Not every gap is equal. Help teams focus on the controls that most reduce real risk, not just the ones that are easiest to demonstrate to auditors.

Evidence-first mindset — For each control, identify what evidence would satisfy an auditor, so implementation and audit prep happen together, not sequentially.
