
from claude-grc-plugin
Provides senior GRC analyst capabilities: control lookups, cross-framework mapping, document review, audit prep, and evidence checklists across 15 compliance frameworks.
This skill adds deep Governance, Risk, and Compliance (GRC) domain knowledge to an agent. It lets the agent cite specific control IDs, map controls across frameworks (NIST, FedRAMP, ISO, PCI, SOC 2, etc.), review SSPs, POA&Ms, and policies for structural completeness, and generate evidence checklists and audit preparation guidance. It emphasizes structural, non-sensitive feedback and includes extensive reference material.
Use this skill when preparing for audits (FedRAMP, SOC 2, ISO), drafting or reviewing SSPs and POA&Ms, mapping controls between frameworks, or when you need precise references to control IDs and expected evidence. It is intended for compliance engineers, ISSOs, and audit prep workflows rather than hands-on security configuration guidance.
The frameworks/, mappings/, audits/, and oscal/ collections are present in the repo.
Best suited for agents that can handle long-form reference docs and structured prompts (Claude-style assistants, Claude Code, or similar).
GRC Knowledge is a comprehensive, well-structured reference skill covering 15 compliance frameworks (NIST 800-53, FedRAMP, SOC 2, ISO 27001, PCI DSS, HIPAA, CMMC, CIS, COBIT, CSA CCM, GDPR, SLSA, OSCAL). It has no executable scripts — it's a pure knowledge/prompt skill that guides an agent through control lookups, cross-framework mapping, document review, audit preparation, and evidence checklists. The SKILL.md is exceptionally detailed with reference tables, response guidelines, data-handling redaction rules, and progressive disclosure via referenced files. The security posture is strong: explicit redaction reminders, no network calls, and clear boundaries around structural (not security) assessment.
Impressively thorough GRC knowledge base. The skill explicitly enforces data redaction before reviewing user documents and carefully separates structural document review from security posture evaluation. No scripts, no executable code — purely a structured prompt with reference navigation. The cross-framework mapping approach (NIST as hub) is industry-standard and well-documented. Main limitation is the narrow audience (GRC/compliance professionals) and dependency on external reference files not bundled in the skill itself.