compliance-frameworks

name: compliance-frameworks description: Multi-framework compliance (ISO 27001, NIST CSF, CIS Controls, GDPR, NIS2, EU CRA, SOC 2), control mapping license: Apache-2.0

Compliance Frameworks Skill

Purpose

This skill provides unified compliance mapping across ISO 27001:2022, NIST CSF 2.0, CIS Controls v8, GDPR, NIS2, EU CRA, and SOC 2 for the CIA platform. It enables developers to implement controls that satisfy multiple frameworks simultaneously, reducing compliance overhead.

When to Use This Skill

Apply this skill when:

• ✅ Implementing a new security control or feature
• ✅ Documenting compliance evidence for audits
• ✅ Mapping requirements across multiple frameworks
• ✅ Assessing regulatory impact of platform changes
• ✅ Preparing for ISO 27001 certification audits
• ✅ Evaluating NIS2 or EU CRA applicability
• ✅ Creating compliance reports for stakeholders

Do NOT use for:

• ❌ Detailed implementation of specific controls (use dedicated skills)
• ❌ Runtime security monitoring
• ❌ Code-level vulnerability fixing

Framework Overview

Compliance Framework Hierarchy for CIA Platform
│
├─ MANDATORY COMPLIANCE
│  ├─ GDPR (data protection, Swedish political data)
│  ├─ NIS2 (network and information security, if applicable)
│  └─ EU CRA (cyber resilience for open-source software)
│
├─ VOLUNTARY STANDARDS (Hack23 ISMS)
│  ├─ ISO 27001:2022 (information security management)
│  ├─ NIST CSF 2.0 (cybersecurity framework)
│  └─ CIS Controls v8 (critical security controls)
│
└─ INDUSTRY BEST PRACTICES
   ├─ SOC 2 Type II (service organization controls)
   ├─ OWASP Top 10 (web application security)
   └─ OpenSSF Scorecard (open-source security posture)

Cross-Framework Control Mapping

Access Control

Data Protection

Vulnerability Management

Incident Response

CIA Platform Compliance Decision Tree

New Feature Compliance Assessment
│
├─→ Does it process personal data?
│   ├─ YES → GDPR (Art. 6 legal basis, Art. 25 privacy by design)
│   └─ NO → Continue
│
├─→ Does it affect network/information security?
│   ├─ YES → NIS2 (Art. 21 risk management measures)
│   └─ NO → Continue
│
├─→ Is it a software product/component?
│   ├─ YES → EU CRA (Art. 10 vulnerability handling)
│   └─ NO → Continue
│
├─→ Does it change security controls?
│   ├─ YES → ISO 27001 (Annex A controls)
│   │        NIST CSF (relevant function)
│   │        CIS Controls (implementation group)
│   └─ NO → Continue
│
└─→ Apply general secure development practices
    └─ OWASP Top 10, secure coding standards

NIS2 Directive Compliance

Applicability Assessment

NIS2 applies to CIA platform if:
- Essential entity: Public administration ICT services
- Important entity: Digital infrastructure providers
- Open-source steward: Maintained open-source project (Art. 15a)

Hack23/CIA classification: Open-Source Steward
Obligations: Due diligence, vulnerability handling, coordination

Key Requirements

EU Cyber Resilience Act (CRA)

Open-Source Software Obligations

EU CRA Open-Source Steward Requirements:
├─ Vulnerability disclosure policy (SECURITY.md)
├─ Coordinated vulnerability handling
├─ Security update distribution
├─ Software Bill of Materials (SBOM)
├─ CE marking considerations
└─ Documentation of security properties

Implementation Evidence

Compliance Evidence Collection

Per-Sprint Evidence

Sprint Compliance Artifacts:
□ Code review records (GitHub PR reviews)
□ Security scan results (CodeQL, OWASP)
□ Test coverage reports (JaCoCo)
□ Dependency audit (Dependabot alerts)
□ Access control changes (audit log)
□ Configuration changes (git history)

Annual Evidence

Annual Compliance Review:
□ ISMS policy review and update
□ Risk assessment update
□ Penetration testing results
□ Business continuity test
□ Access rights review
□ Security awareness training records
□ Supplier security assessments
□ Incident response drill results

ISMS Alignment

References

• Hack23 ISMS Public
• ISO 27001:2022
• NIST CSF 2.0
• CIS Controls v8
• NIS2 Directive
• EU Cyber Resilience Act
• GDPR