Sushegaad
Claude Skills for Governance, Risk, & Compliance (GRC): Expert-level compliance guidance for ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, NIST CSF, PCI DSS, EU AI Act, ISO 42001, ISO 27701, DORA, CSRD, India's DPDPA, CMMC 2.0, NIST AI Risk, SWIFT, Australia's ISM, EU NIS2, and CCPA/CPRA. Benchmark 96% (with skills) vs 81% (without skills).
Indexed Skills (26)
ccpa
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) compliance advisor — business threshold analysis, consumer rights fulfillment (access, delete, correct, opt-out of sale/sharing, limit SPI), privacy notice drafting, service provider vs. contractor vs. third-party classification, sensitive personal information (SPI) handling, data minimization, opt-out mechanisms, CPPA enforcement, penalty exposure, GDPR comparison, and gap assessments for businesses operating in or targeting California residents.
cis-controls
Expert CIS Controls v8 (CIS Top 18) advisor — implementation group scoping (IG1/IG2/IG3), control gap assessments, safeguard-level guidance, asset inventory, software inventory, data protection, secure configuration, account management, access control, continuous vulnerability management, audit log management, email and web browser protections, malware defenses, network infrastructure management, network monitoring and defense, application software security, incident response, penetration testing, and CIS Controls mapping to NIST CSF, ISO 27001, SOC 2, and CMMC. Use for any question about CIS Controls, CIS Benchmarks, Implementation Groups, or prioritized cyber hygiene for any organization size.
cmmc
Expert CMMC 2.0 (Cybersecurity Maturity Model Certification) advisor for US defense contractors and subcontractors in the Defense Industrial Base (DIB). Use this skill whenever a user asks about CMMC 2.0, CMMC Level 1, Level 2, or Level 3, DoD cybersecurity compliance, NIST SP 800-171, CUI (Controlled Unclassified Information) protection, System Security Plan (SSP), Plan of Action & Milestones (POA&M), C3PAO assessments, DIBCAC audits, self-assessment, SPRS score, or any requirement under DFARS 252.204-7012 or 7021. Also trigger for: "CMMC gap analysis", "CMMC readiness", "FCI protection", "CUI scoping", "CMMC practices", "DoD contract cybersecurity", "defense supply chain security", or "prime contractor flow-down requirements".
csrd
Expert CSRD (Corporate Sustainability Reporting Directive, EU 2022/2464) compliance advisor. Use this skill whenever a user asks about CSRD, European Sustainability Reporting Standards (ESRS), double materiality assessment, sustainability reporting obligations, ESG disclosure, CSRD scope and thresholds, value chain reporting, XBRL digital tagging, third-party assurance, CSRD gap assessments, CSRD implementation timelines, ESRS E1–E5 environmental standards, ESRS S1–S4 social standards, ESRS G1 governance, CSRD vs GRI/TCFD/SASB alignment, or any EU corporate sustainability reporting question. Trigger even if the user only mentions "ESG reporting Europe", "sustainability disclosure EU", or "non-financial reporting".
dora
Expert DORA (Regulation (EU) 2022/2554 — Digital Operational Resilience Act) compliance advisor for EU financial entities. Use this skill whenever a user asks about DORA compliance, ICT risk management frameworks, ICT incident classification or reporting, threat-led penetration testing (TLPT), ICT third-party risk management, Register of Information, contractual provisions with ICT providers, ICT concentration risk, oversight of critical ICT third-party service providers (CTPPs), or any DORA RTS/ITS obligation. Also trigger for: "DORA gap analysis", "DORA readiness", "Art. 6 ICT risk framework", "Art. 17 incident reporting", "Art. 26 TLPT", "Art. 28 third-party policy", "Art. 30 contractual provisions", "Register of Information CIR 2024/2956", "critical TPSP designation", "DORA vs NIS2", "DORA simplified framework", or EBA/ESMA/EIOPA digital resilience guidance.
dpdpa
Expert India Digital Personal Data Protection Act, 2023 (DPDPA) compliance advisor. Use this skill whenever a user asks about the DPDPA, DPDP Act, DPDP Rules 2025, India data privacy law, Data Fiduciary obligations, Data Principal rights, Significant Data Fiduciary, Data Protection Board of India, consent under DPDPA, notice requirements, breach notification India, children's data India, cross-border data transfer India, India privacy compliance, DPDPA gap analysis, DPDPA vs GDPR, or any obligation under India's personal data protection framework. Also trigger for: "Section 6 consent", "Section 7 legitimate uses", "Section 9 children's data", "Section 10 SDF", "Section 16 cross-border", "Rule 6 breach notification", "Rule 13 SDF obligations", "Data Protection Board complaint", "verifiable parental consent India", "DPDPA compliance roadmap", or "India privacy law global company".
ear
Export Administration Regulations (EAR, 15 CFR Parts 730-774) compliance advisor — ECCN classification across all 10 CCL categories and 5 product groups (A-E), EAR99 determination, jurisdiction analysis (EAR vs ITAR order of review), license requirement analysis via Country Chart, all license exceptions (LVS, GBS, CIV, TMP, RPL, GOV, TSU, ENC, TSR, APP, BAG, AVS, ACE), end-user/end-use controls (Entity List, Denied Persons List, Unverified List, MEU List), deemed export rules, Foreign Direct Product Rule (FDPR), de minimis thresholds, 10 General Prohibitions, SNAP-R license applications, voluntary self-disclosure, civil/criminal penalties, Export Compliance Program (ECP) design, and EAR vs ITAR jurisdiction determination. Use for any dual-use export control, CCL classification, or BIS compliance question.
eu-ai-act
EU AI Act (Regulation (EU) 2024/1689) compliance advisor — risk classification across all four tiers, all 8 prohibited practices (Art. 5), all 8 Annex III high-risk use case areas, provider and deployer obligations (Arts. 9–17, 26), GPAI model obligations and systemic risk (Arts. 51–55), conformity assessment and CE marking (Arts. 43–48), EU AI database registration, limited-risk transparency (Art. 50), governance (AI Office, AI Board), penalties (Art. 99), phase-in timeline, and cross-framework mapping to ISO 42001, NIST AI RMF, and GDPR. Use for any EU AI regulation, AI system classification, or AI compliance question.
eu-cra
Expert EU Cyber Resilience Act (CRA) advisor for Regulation (EU) 2024/2847 — mandatory cybersecurity and vulnerability handling requirements for all products with digital elements (PDEs) sold in the EU. Use this skill for gap analysis, product classification (Default / Class I / Class II), conformity assessment route selection, CE marking, SBOM requirements, vulnerability and incident reporting to ENISA/CSIRTs, support period obligations, and manufacturer/importer/distributor duties. Trigger for EU CRA, Cyber Resilience Act, PDE compliance, Annex I requirements, SBOM EU, CE marking cybersecurity, or connected product security EU.
fedramp
Expert guidance for FedRAMP certification and compliance. Use this skill whenever a user asks about FedRAMP authorization, ATO (Authority to Operate), cloud security for federal government, NIST SP 800-53 controls, CSP compliance, or any of the core FedRAMP document types: SSP, SAP, SAR, POA&M, CIS/CRM workbooks. Also trigger for questions about FedRAMP impact levels (Low, Moderate, High, LI-SaaS), FedRAMP 20x, OSCAL, 3PAO assessments, continuous monitoring (ConMon), gap assessments, system boundary definition, FedRAMP readiness, or architecture reviews for federal cloud. When in doubt, use this skill — it covers the full FedRAMP lifecycle from readiness through continuous monitoring.
ism
Expert Australian Information Security Manual (ISM) advisor for government entities and their supply chains. Use for ISM control selection, gap analysis, system authorisation, IRAP assessment preparation, security documentation, and ASD compliance. Triggers on: ISM controls, ASD compliance, IRAP assessment, PROTECTED system scoping, Essential Eight vs ISM, system authorisation, NC/OS/PROTECTED/SECRET/TOP SECRET classification markings, security objectives, ISM guidelines or chapters, control applicability markings, cybersecurity documentation for Australian government, and any question about the ASD Information Security Manual framework or Australian government cybersecurity obligations.
iso27001
Expert ISO 27001 compliance assistant for security and compliance teams. Use this skill whenever a user asks about ISO 27001 or ISO/IEC 27001, including any of the following: gap analysis, auditing, compliance assessments, control checklists, policy writing, document generation, Statement of Applicability (SoA), risk assessment, risk registers, risk treatment plans, Annex A controls, ISMS implementation, clause requirements, certification readiness, transitioning from 2013 to 2022, control implementation guidance, incident response policies, access control policies, supplier security, or any information security management system (ISMS) topic. Trigger even if the user doesn't say "skill" — any ISO 27001 or ISMS question should use this skill.
iso27701
Expert ISO 27701 Privacy Information Management System (PIMS) compliance advisor. Use this skill whenever a user asks about ISO/IEC 27701:2025, ISO/IEC 27701:2019, privacy information management, PIMS certification, PII controller or processor obligations, privacy risk assessment, Statement of Applicability for privacy, privacy by design, data subject rights, DPIA, records of processing activities, transitioning from ISO 27701:2019, GDPR alignment with ISO 27701, or any privacy management system topic. Also trigger for questions about Annex A.1 (controller controls), A.2 (processor controls), A.3 (shared security controls), or implementing a standalone PIMS without ISO 27001. When in doubt, use this skill — it covers the full ISO 27701 lifecycle from gap assessment through certification.
iso42001
Expert ISO 42001 AI Management System (AIMS) compliance advisor. Use this skill whenever a user asks about ISO/IEC 42001:2023, AI governance, AI management systems, AI risk assessment, AI system impact assessment, Annex A controls for AI, Statement of Applicability for AI systems, AI policy, responsible AI, AI lifecycle management, AI incident management, AI transparency, AI bias, AI certification readiness, or any topic related to implementing or auditing an AI Management System. Also trigger for questions like "how do I become ISO 42001 certified?", "what controls does ISO 42001 require?", "how do I assess AI risk under 42001?", "what is an AIMS?", or any request involving organisational governance of AI systems, responsible AI frameworks, or AI regulatory compliance aligned to an ISO standard.
itar
Expert ITAR compliance advisor for US defense contractors, exporters, and manufacturers. Use this skill for any question about 22 CFR Parts 120-130, the United States Munitions List (USML), DDTC registration, export license applications (DSP-5/73/94), Technical Assistance Agreements (TAA), Manufacturing License Agreements (MLA), brokering regulations (Part 129), deemed export rules for foreign nationals, technology control plans, voluntary disclosures, violation mitigation, jurisdiction determination (ITAR vs EAR), or US Munitions List category scoping. Trigger even if the user doesn't say "skill" — any ITAR or US defense export control question should use this skill.
lgpd
Expert LGPD compliance advisor for Brazil's Lei Geral de Proteção de Dados (Law 13,709/2018). Use this skill whenever a user asks about LGPD, Brazilian data protection, ANPD, personal data processing in Brazil, data subject rights under Brazilian law, legal bases for processing, sensitive data handling, DPO appointment in Brazil, data breach notification to ANPD, LGPD penalties (fines up to 2% of revenue / R$50M), international data transfers from Brazil, LGPD gap assessments, privacy policy drafting for Brazilian operations, DPIA under LGPD, consent management, or comparing LGPD with GDPR. Trigger for any Brazil privacy or data protection question even if LGPD is not named explicitly.
nis2
EU NIS2 Directive (Directive (EU) 2022/2555) compliance advisor for essential and important entities — entity classification, Art. 21 risk management measures, Art. 23 incident reporting timelines (24h/72h/1 month), Art. 20 governance obligations, supply chain security (Art. 26), gap assessments, policy drafting, ISO 27001 alignment, and penalty exposure analysis. Use for NIS2 readiness, transposition questions, ENISA guidelines, supervisory differences between essential and important entities, and cross-border coordination.
nist-800-53
NIST SP 800-53 Rev 5 compliance advisor — all 20 control families (AC, AT, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PM, PS, PT, RA, SA, SC, SI, SR), Low/Moderate/High baseline selection, FIPS 199/200 system categorization, control tailoring and overlays, privacy controls (PT family), supply chain risk management (SR family), assessment procedures (SP 800-53A), OSCAL, RMF integration (SP 800-37), and mapping to FedRAMP, FISMA, CMMC 2.0, and ISO 27001. Use for any federal system security controls, FISMA compliance, RMF step guidance, control narrative writing, or baseline tailoring question.
nist-ai-rmf
Expert NIST AI Risk Management Framework (AI RMF 1.0) advisor covering all four functions: GOVERN, MAP, MEASURE, MANAGE. Use this skill whenever a user asks about NIST AI RMF, AI risk management, AI trustworthiness, GOVERN function, MAP function, MEASURE function, MANAGE function, AI RMF Playbook, AI risk profiles, responsible AI, AI bias management, AI transparency, AI explainability, AI reliability, AI safety, NIST AI 100-1, AI risk assessment, AI incident response, or alignment to EU AI Act, ISO 42001, or NIST CSF via AI RMF. Trigger even if the user doesn't say "skill" — any NIST AI RMF or AI governance risk question should use this skill.
nist-csf
Expert NIST Cybersecurity Framework (CSF) advisor covering CSF 2.0 and CSF 1.1. Use this skill whenever a user asks about NIST CSF, cybersecurity risk management, the six CSF functions (Govern, Identify, Protect, Detect, Respond, Recover), CSF profiles, implementation tiers, gap assessments, organizational profiles, community profiles, CSF core subcategories, informative references, or mapping to other frameworks (NIST SP 800-53, ISO 27001, CIS Controls, COBIT). Also trigger for questions like "how do I implement NIST CSF?", "what does CSF 2.0 change?", "help me build a CSF profile", "how do I assess my cybersecurity posture?", or any request involving organizational cybersecurity risk strategy or framework alignment.
nzism
Expert New Zealand Information Security Manual (NZISM) advisor for NZ government agencies and their supply chains. Use for NZISM control guidance, gap analysis, agency security obligations, classification framework (Unclassified through Top Secret), security risk management, system certification, and GCSB/NCSC NZ compliance. Triggers on: NZISM controls, NZ government security, GCSB compliance, agency cybersecurity obligations, NZ classification markings, Restricted/Confidential/Secret system scoping, agency security policies, third-party supplier security, Certification and Accreditation (C&A), and any question about NZ government information security requirements or the NZISM framework.
section-508
Expert Section 508 compliance advisor for US federal ICT accessibility. Use this skill whenever a user asks about Section 508, WCAG 2.0/2.1 AA for federal systems, VPAT or Accessibility Conformance Reports (ACR), accessibility audits, remediation planning, PDF accessibility, web or software accessibility, mobile accessibility, federal procurement accessibility requirements, contractor obligations, undue burden exceptions, assistive technology compatibility, or Section 508 testing. Covers the Revised Section 508 Standards (2018), all WCAG 2.0 Level AA success criteria, the four POUR principles, testing methodologies, and agency compliance workflows. Trigger even if the user doesn't say "skill" — any Section 508 or ICT accessibility question for federal systems should use this skill.
soc2
Expert SOC 2 compliance assistant covering all five Trust Services Criteria (Security/CC, Availability/A, Confidentiality/C, Processing Integrity/PI, Privacy/P). Use this skill whenever a user mentions SOC 2, Trust Services Criteria, SOC 2 Type 1 or Type 2, audit readiness, compliance gaps, control documentation, evidence collection, vendor risk questionnaires, or anything related to AICPA service organization controls. Trigger even for adjacent topics like "we need to get audited", "a customer asked for our security report", "writing an information security policy", or "preparing for an audit". Covers gap analysis, policy writing, control documentation, audit evidence preparation, and vendor risk reviews for organizations at any maturity level — from first-time startups to seasoned compliance teams.
swift-csp
Expert SWIFT Customer Security Programme (CSP) advisor covering the Customer Security Controls Framework (CSCF v2025). Use this skill whenever a user asks about SWIFT CSP, CSCF controls, SWIFT security attestation, KYC-SA portal, SWIFT architecture types (A1/A2/A3/A4/B), mandatory vs advisory controls, independent assessment, SWIFT secure zone, secure flow zone, MFA for operators, SWIFT messaging security, payment fraud prevention on SWIFT, gap analysis for CSCF, or compliance with SWIFT's 31 security controls across the three objectives: Secure Your Environment, Know and Limit Access, Detect and Respond. Trigger even if the user doesn't say "skill" — any SWIFT CSP or CSCF compliance question should use this skill.
vn-pdpl
Expert Vietnam Personal Data Protection Law (PDPL) compliance advisor for Law No. 91/2025/QH15 and implementing Decree 356/2025/ND-CP (effective January 1, 2026). Use this skill for gap analysis against the Vietnam PDPL, data subject rights fulfilment workflows, cross-border data transfer impact assessments, privacy notices and internal policies, breach notification procedures, sector-specific obligations (finance, AI, cloud, blockchain), and DPO qualification reviews. Trigger whenever a user mentions Vietnam data privacy, VN-PDPL, Nghị định 356, Vietnamese personal data, or cross-border transfers involving Vietnamese citizens' data.
wcag
Expert WCAG (Web Content Accessibility Guidelines) advisor covering WCAG 2.0, 2.1, and 2.2 — the W3C international accessibility standards. Use this skill whenever a user asks about WCAG success criteria, conformance levels (A/AA/AAA), accessibility audits, POUR principles, accessibility statements, ARIA patterns, colour contrast, keyboard accessibility, screen reader compatibility, mobile accessibility, cognitive accessibility, WCAG 2.2 new criteria, WCAG 3.0 preview, legal requirements referencing WCAG (EN 301 549, EAA, ADA, Section 508), or mapping WCAG to accessibility laws. Trigger for any web or digital content accessibility question — even if the user doesn't say "skill" or "WCAG".