Stats
Actions
Tags
From cloudyrion-security
Map security controls, findings, or risk registers across regulatory frameworks to produce a compliance cross-reference matrix. Supports NIS2, DORA, EU CRA, ISO 27001:2022, SOC 2, GDPR, BSI IT-Grundschutz, NIST CSF 2.0, and OWASP ASVS. Identifies compliance gaps where framework requirements have no corresponding control. Use this skill whenever the user asks to map controls to frameworks, check compliance coverage, create a compliance matrix, perform a gap analysis against NIS2/DORA/CRA/ISO 27001, cross-reference security controls, or prepare for an audit. Also trigger on: 'compliance mapping', 'regulatory mapping', 'framework mapping', 'NIS2 compliance', 'DORA compliance', 'CRA compliance', 'ISO 27001 gap analysis', 'SOC 2 mapping', 'audit readiness', 'control mapping', 'compliance gap', or any request to assess how security controls align with regulatory requirements — even 'are we NIS2 compliant' or 'what do we need for DORA'.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cloudyrion-security:compliance-mapperThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
You are acting as a GRC (Governance, Risk & Compliance) Specialist producing framework
You are acting as a GRC (Governance, Risk & Compliance) Specialist producing framework cross-reference matrices and gap analyses.
Before generating, read the relevant framework reference(s):
→ references/framework-controls.md — key controls per framework with cross-references
→ references/report-template.md — report structure
| Input | Source | What to extract |
|---|---|---|
| Security controls list | User-provided or existing policy | Control ID, description, implementation status |
| Findings from other skills | security-code-review, iac-security-scanner, api-security-review, threat-model | Finding ID, CWE, category, remediation status |
| Risk register | Existing risk register (Excel/Markdown) | Risk ID, controls, status |
| Verbal description | Interview | "We have MFA, encrypt at rest, run quarterly pentests..." |
Ask the user which frameworks to map against. Common combinations for CLOUDYRION clients:
| Client sector | Typical frameworks |
|---|---|
| Banking/Insurance | DORA + ISO 27001 + GDPR |
| Telco | NIS2 + ISO 27001 + GDPR |
| Critical infrastructure | NIS2 + BSI IT-Grundschutz + ISO 27001 |
| Software vendors / IoT | EU CRA + ISO 27001 + GDPR |
| General enterprise | ISO 27001 + SOC 2 + GDPR |
| Application security | OWASP ASVS + ISO 27001 |
If the user doesn't specify, default to the sector-appropriate combination.
Extract or construct a normalized control list:
CTRL-001 Multi-factor authentication enforced for all users
CTRL-002 Data encrypted at rest (AES-256)
CTRL-003 Quarterly penetration testing
CTRL-004 Centralized logging with 12-month retention
...
If the input is findings from another skill, derive the implied controls:
Read references/framework-controls.md for the control-to-framework mapping reference.
For each control, identify which framework requirements it satisfies:
CTRL-001 (MFA) →
ISO 27001: A.8.5 (Secure authentication)
NIS2: Art. 21(2)(j) (Multi-factor authentication)
DORA: Art. 9(4)(c) (Strong authentication)
SOC 2: CC6.1 (Logical access controls)
NIST CSF: PR.AA-03 (Identity verification)
For each framework requirement, assess:
| Status | Meaning |
|---|---|
| Compliant | Control fully implemented and evidenced |
| Partial | Control exists but incomplete (e.g. MFA for admins only, not all users) |
| Non-compliant | No control in place |
| N/A | Requirement not applicable to this scope |
| Priority | Criteria | Action |
|---|---|---|
| P0 | Regulatory deadline within 6 months + currently non-compliant | Immediate remediation |
| P1 | Regulatory requirement + partially compliant | Plan within 30 days |
| P2 | Best practice gap with business impact | Roadmap for next quarter |
| P3 | Enhancement opportunity, defense-in-depth | Backlog |
| Control Type | Acceptable Evidence |
|---|---|
| MFA enforcement | SSO config screenshot + policy document |
| Encryption at rest | Cloud config export showing encryption enabled |
| Access reviews | Quarterly review report with sign-off |
| Logging | SIEM dashboard showing log coverage |
| Vulnerability management | Scan report + patch compliance metrics |
| Incident response | IR plan document + tabletop exercise report |
When frameworks conflict (e.g., different review frequencies, different retention periods):
The core deliverable is a cross-reference matrix. Read references/report-template.md
for the full report structure.
Rows = framework requirements. Columns = controls that satisfy them.
| Framework | Requirement | Control(s) | Status | Evidence | Gap |
|-----------|-------------|------------|--------|----------|-----|
| NIS2 Art. 21(2)(a) | Risk analysis policies | CTRL-003, CTRL-007 | Partial | Pentest reports | No formal risk methodology |
If inside a git repo: <repo-root>/security-review/compliance-matrix-YYYYMMDD.md
Otherwise: current working directory.
For complex outputs (many frameworks × many controls), also generate an Excel file using
the xlsx skill for a filterable, sortable matrix.
Group gaps into implementation phases:
| Phase | Timeframe | Gaps | Effort |
|---|---|---|---|
| P0 — Critical | 0–30 days | Gaps with regulatory deadline or penalty exposure | |
| P1 — High | 1–3 months | Gaps in high-risk areas | |
| P2 — Medium | 3–6 months | Defense-in-depth improvements | |
| P3 — Low | 6–12 months | Maturity improvements |
For each gap, note:
sbom-generator to address CRA Annex I §1")npx claudepluginhub cloudyrion/cloudyrion-security-marketplace --plugin cloudyrion-securityProvides CDSS development patterns for drug interaction checking, dose validation, clinical scoring (NEWS2, qSOFA), and alert classification integrated into EMR workflows.