GRC

Skill packages tagged with “GRC”

CIS Benchmark Mapper
Draft Secure Configuration Baselines (hardening guides) from CIS Benchmarks or STIGs into formal policy. Validates recurring Drift Analysis schedule (NIST CSF 2.0 PR.PS).

Cross-Compliance Matrix
Produce a unified multi-framework compliance matrix mapping controls across ISO 27001:2022, NIST CSF 2.0, SOC 2 TSC, GDPR, NIS2/DORA, and NIST 800-53/CMMC. Scores coverage per framework, identifies gaps, and prioritizes remediation by cross-framework benefit and regulatory severity.

Crypto Spec Generator
Draft and validate Cryptographic Key Management & Encryption Standard (NIST CSF 2.0 PR.DS). Ensures FIPS 140-3–aligned algorithms and key lifecycle; flags legacy algorithms (SHA-1, 3DES, etc.) for 2026-era compliance.

Executive Readiness Report
Generate a board-ready executive summary of compliance posture, readiness scores by area, critical gaps, and timeline to audit. Designed for C-suite, board members, and auditors. Synthesizes data from dashboard metrics, gap assessments, risk registers, and policy status into a single exportable document.

Incident Decision Tree Builder
Draft scenario-specific incident response playbooks (NIST CSF RS.RP) with a clear Decision Matrix for isolate vs. monitor and logic gates for Containment, Eradication, and Recovery. Inserts or validates mandatory regulatory reporting windows (e.g. GDPR 72h, SEC 4 days) in the playbook timeline.

ISO 14001 EMS Documentation
Draft ISO 14001:2015 Environmental Management System documentation: organization environmental profiling, gap assessment against clauses 4-10 with maturity ratings, and environmental policy creation. Includes tools for aspect significance evaluation, profile completeness checking, maturity scoring, remediation prioritization, and policy validation.

ISO 20000 Internal Audit (Clause 4.5.4.2)
Plan and execute SMS internal audits for ISO/IEC 20000-1:2011. Create annual audit programs, plan individual engagements, document findings with classifications (Major NC, Minor NC, Observation, OFI), and prepare corrective action plans.

ISO 20000 Management Review (Clause 4.5.5)
Prepare and conduct management review of the SMS for ISO/IEC 20000-1:2011. Compile all required review inputs per Clause 4.5.5, document decisions with owners and dates, track improvement actions, and produce the management review report.

ISO 20000 Organization Profile
Build and validate a shared organization profile for ISO/IEC 20000-1:2011 certification. Captures organizational facts (service provider type, locations, departments, technology, roles, maturity) that feed into SMS scope, service catalog, gap assessment, and service management planning. Profile completeness checker validates all required sections.

ISO 27001 Awareness and Training Plan
Create, validate, and maintain the ISO 27001:2022 awareness and training plan per Clauses 7.2 (Competence), 7.3 (Awareness), and Annex A control A.6.3. Defines target audiences with role-based training requirements, training modules, delivery methods, annual schedule with quarterly phishing simulations, and effectiveness evaluation metrics. Validates section completeness, audience coverage, and schedule gaps. Produces a standalone audit-ready training plan document.

ISO 27001 Gap Assessment
Perform a structured gap assessment against ISO 27001:2022 clauses 4-10 and 93 Annex A controls. Mandatory artifact detector scans for missing ISMS documents; maturity rating tool suggests 0-5 maturity levels per clause area. Produces findings register and remediation roadmap.

ISO 27001 ISMS Annual Maintenance & Surveillance Audit Prep
Prepare for annual ISO 27001 surveillance audits by reviewing and updating existing ISMS documents. Scans documents for freshness, assesses organizational changes, performs delta risk re-assessment, updates SoA, reconciles CAPAs from prior audits, assembles surveillance audit evidence pack, scores audit readiness across 10 dimensions, and produces a year-over-year ISMS health report. Designed for certified organizations maintaining their ISMS between recertification cycles.

ISO 27001 Management Review
Prepare, validate, and document the ISO 27001:2022 management review per Clause 9.3. Compiles input pack from workspace ISMS artifacts, validates all 10 mandatory input categories (Clause 9.3.2) and 3 required output decisions (Clause 9.3.3), and checks that every action has an owner, due date, and expected outcome. Produces review agenda, input pack, minutes, and action tracker.

ISO 27001 Organization Profile
Build and validate a shared organization profile for ISO 27001 certification. Captures organizational facts (industry, locations, technology stack, regulations, suppliers) that feed into scope, risk assessment, SoA, and policy generation. Technology stack normalizer classifies systems; profile completeness checker validates all required sections.

ISO 27001 Policy Generator
Generate, validate, and maintain the core ISMS policy and procedure set for ISO 27001:2022 certification. Produces 22 document types (information security policy, ISMS manual, risk management, access control, incident management, asset management, change management, business continuity, document control, corrective action, classification and handling, cryptography, secure development, vulnerability management, remote working, backup, management responsibilities, intellectual property, data leakage prevention, network security, secure disposal, cabling security) with clause-aware templates and organization-specific tailoring.

ISO 27001 Risk Assessment
Complete ISO 27001:2022 risk assessment workflow covering methodology definition, risk identification using a 12-category threat taxonomy, risk analysis with 5×5 matrix scoring, treatment planning with Annex A control mapping, and residual risk validation. Produces auditor-ready risk methodology, risk register, treatment plan, and acceptance forms per Clause 6.1.2 and 6.1.3.

JIT PAM Zero Trust (NIST 800-207)
Document and audit Just-in-Time privileged access management aligned to Zero Trust and NIST SP 800-207. Defines no-standing-privilege, time-bound elevation, and MFA for privileged sessions.

NIS2 Business Continuity
Document business continuity and crisis management measures per NIS2 Art. 21(2)(c). Covers backup management policies, disaster recovery procedures, crisis management activation and escalation, and ICT readiness for business continuity. Validates BCP completeness against NIS2 requirements and checks RTO/RPO target definitions.

NIS2 Entity Classification
Classify an organization as essential, important, or out-of-scope under the NIS2 Directive (EU 2022/2555). Maps activities to Annex I/II sectors, applies size thresholds (medium/large enterprise criteria), and determines member state jurisdiction. Produces a classification report with regulatory obligations summary.

NIS2 Gap Assessment
Perform a structured gap assessment against all NIS2 Directive Art. 21 cybersecurity risk-management measures. Rates maturity (0-5) per measure, detects missing compliance artifacts, and builds a prioritized remediation roadmap weighted by regulatory severity and entity classification. Produces a comprehensive gap report with interactive dashboard data.

NIS2 Governance & Risk Management
Document management body accountability and cybersecurity risk management measures per NIS2 Directive Art. 20-21. Covers all 11 mandatory measures (a)-(k), governance approval workflows, and management training obligations. Produces a governance and risk management report with measure-by-measure coverage analysis.

NIS2 Incident Reporting
Draft NIS2-compliant incident reports following Art. 23 timelines: early warning within 24 hours, incident notification within 72 hours, and final report within one month. Classifies incident significance, validates report completeness, and tracks notification deadlines. Produces all three report types with CSIRT/competent authority notification content.

NIS2 Policies & Procedures
Draft and validate cybersecurity policies and procedures for all 11 NIS2 Art. 21(2) mandatory measures. Validates policy coverage, cross-references between related measures, and checks policy structure against organizational standards. Produces individual policy documents or a consolidated policy pack.

NIS2 Registration & Reporting
Prepare entity registration submissions and annual reports per NIS2 Art. 27-28. Validates registration form completeness against required fields (entity details, sector, IP ranges, contact information) and checks annual report content. Produces registration-ready submissions and structured annual compliance reports.

NIS2 Supply Chain Security
Assess and manage supply chain cybersecurity risks per NIS2 Art. 21(2)(d). Scores supplier criticality and cybersecurity maturity, validates contractual security clauses, and identifies concentration risks in the ICT supply chain. Produces a supplier risk register and contractual review report.

NIST SP 800-53 / CSF Crosswalk
Bidirectional crosswalk between NIST Cybersecurity Framework (CSF) 2.0 subcategories and SP 800-53 Rev 5 controls. Maps CSF subcategories to 800-53 controls and vice versa, identifies gaps in either direction, and produces a crosswalk document for dual-framework compliance.

NIST SP 800-53 Baseline Selector
Select and tailor an SP 800-53 Rev 5 control baseline based on FIPS 199 categorization and regulatory overlays (HIPAA, PCI-DSS, GDPR, SOX, FedRAMP, CMMC). Applies the appropriate Low/Moderate/High baseline, adds regulation-specific controls, and supports tailoring with documented justification. Produces tailored-control-catalog.json for all downstream skills.

NIST SP 800-53 Control Standard Author
Author implementation standards for individual NIST SP 800-53 controls. Each standard documents the control objective, implementation narrative, technology and tools, responsible roles, evidence requirements, and review frequency. Validates narrative coverage and quality across control families.

NIST SP 800-53 Family Policy Author
Author NIST SP 800-53 family-level policies (the -1 controls) for each control family. Produces structured policy documents with Purpose, Scope, Applicability, Policy Statements, Roles & Responsibilities, Compliance & Enforcement, Review Frequency, and Related Documents sections. Validates completeness and structure.

NIST SP 800-53 Gap Analysis
Conduct a gap analysis across the NIST SP 800-53 compliance program. Cross-references tailored control catalog against policies, standards, and mappings to identify coverage gaps. Prioritizes remediation by baseline level, regulatory requirement, and family criticality. Produces a gap analysis report with per-family breakdown and phased remediation roadmap.

NIST SP 800-53 Organization Profile
Build and validate the organizational context profile for NIST SP 800-53 Rev 5 compliance. Captures FIPS 199 security categorization (Confidentiality, Integrity, Availability impact levels), applicable regulations (HIPAA, PCI-DSS, GDPR, SOX, FedRAMP, FISMA, CMMC), existing frameworks, and authorization boundary. Validates completeness of categorization and scope for downstream baseline selection and control implementation.

NIST SP 800-53 Policy-Control Mapper
Map existing policy and standard documents to NIST SP 800-53 controls with AI-assisted quality scoring. Rates each mapping as High/Medium/Low confidence with documented justification. Identifies unmapped controls and low-quality mappings for remediation. Produces policy-control-mapping.json for gap analysis.

PAM Standard (PR.AA)
Draft and validate a Privileged Access Management standard aligned to NIST CSF 2.0 PR.AA. Defines JIT, least privilege, SoD boundaries, and break-glass workflow; ensures MFA for 100% of privileged sessions.

Risk Register ISO 31000
Guided elaboration of an ISO 31000:2018-aligned risk register: organizational context, risk criteria (likelihood/impact scales and appetite), structured register entries with cause, existing controls, consequence, treatment, residual risk, implementation deadline and owner, plus automated validation of completeness and L × I consistency.

Risk Tolerance Quantifier
Draft and validate a Cybersecurity Risk Appetite Statement (NIST CSF 2.0 GV.OC): translate board mandates into quantifiable tolerance levels and KPIs; ensure stated appetite is supported by budget narratives.

SOC 2 Internal Audit
Conduct an internal readiness audit for SOC 2 certification. Tests controls per TSC criteria, classifies findings by AICPA severity (Material Weakness, Significant Deficiency, Deficiency, Observation), organizes evidence for auditor handoff, tracks management responses, and produces a readiness assessment. The capstone skill that determines whether the organization is ready to engage an external auditor.

SOC 2 Organization Profile
Build and validate the organizational context profile for SOC 2 audit readiness. Captures principal service commitments, system requirements (SCSR), trust services categories, system boundaries, subservice organizations (carved-out/inclusive), and complementary user entity controls (CUECs). Boundary validator checks scope completeness; CUEC mapper validates controls are specific, actionable, and TSC-aligned.

SOC 2 Risk Assessment
Conduct a structured risk assessment aligned to AICPA Trust Services Criteria. Identifies risks per TSC category using a 5×5 likelihood-impact matrix, maps risks to specific TSC criteria (CC/A/PI/C/P), identifies control gaps, validates residual risk scoring, and produces a risk register with treatment plan. Feeds into gap analysis, control narratives, and policy generation.

SOC 2 Vendor Management
Establish third-party and subservice organization oversight for SOC 2 audit readiness. Risk-tiered assessment framework with vendor register, SOC report review validation, CSOCs validation, and tiered security requirements per CC9.2. Covers vendor risk scoring, SOC report currency checks, and bridge letter tracking.

Threat Impact Narrative Builder
Build and validate cybersecurity risk registers and impact narratives aligned to NIST CSF 2.0 ID.RA. Uses FAIR methodology for impact scenarios and enforces consistency between risk scores and Historical Incident Data.
