Grc

Skill packages tagged with “Grc”

AI / Algorithmic Impact Assessment (multi-framework)

Create a cross-mapped AI impact assessment packet covering Canada AIA, EU AI Act Art. 27 FRIA, NIST AI RMF, NYC LL 144, UK ATRS, ICO AI auditing, and residual-risk register outputs.

CIS Benchmark Mapper

Draft Secure Configuration Baselines (hardening guides) derived from CIS Benchmarks or DISA STIGs and express them as formal policy. Validates that a recurring drift-analysis schedule against the baseline is defined (NIST CSF 2.0 PR.PS).

Cross-Compliance Matrix

Produce a unified multi-framework compliance matrix mapping controls across ISO 27001:2022, NIST CSF 2.0, SOC 2 TSC, GDPR, NIS2/DORA, and NIST 800-53/CMMC. Scores coverage per framework, identifies gaps, and prioritizes remediation by cross-framework benefit and regulatory severity.
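As an added illustration of the coverage scoring and cross-framework prioritisation just described (example code written for this page, not the skill package's own implementation): each internal control is mapped to the requirement IDs it is taken to satisfy in each framework, coverage is the share of a framework's mapped requirements met by implemented controls, and every unimplemented control is ranked by how many still-open requirements it would close, weighted by a per-framework severity. The requirement IDs are real ISO 27001:2022 Annex A, NIST CSF 2.0 and SOC 2 TSC identifiers, but the control names, the pairings between frameworks and the severity weights are constructed assumptions, not an authoritative crosswalk.

```python
"""Cross-framework coverage scoring and remediation prioritisation.

Added example for this page, not the skill package's implementation.
Control names, the control-to-requirement pairings and the severity
weights are constructed assumptions; the requirement IDs are real
ISO 27001:2022 Annex A, NIST CSF 2.0 and SOC 2 TSC identifiers, but
the crosswalk between them is illustrative, not authoritative.
"""
from collections import defaultdict

# internal control -> {framework: [requirement IDs it is assumed to satisfy]}
CROSSWALK = {
    "CTL-MFA":      {"ISO27001": ["A.8.5"],  "CSF2": ["PR.AA-03"],             "SOC2": ["CC6.1"]},
    "CTL-LOGGING":  {"ISO27001": ["A.8.15"], "CSF2": ["DE.CM-01"],             "SOC2": ["CC7.2"]},
    "CTL-BACKUP":   {"ISO27001": ["A.8.13"], "CSF2": ["PR.DS-11", "RC.RP-03"], "SOC2": ["A1.2"]},
    "CTL-VULNMGMT": {"ISO27001": ["A.8.8"],  "CSF2": ["ID.RA-01"],             "SOC2": ["CC7.1"]},
    "CTL-SUPPLIER": {"ISO27001": ["A.5.19"], "CSF2": ["GV.SC-04"]},
}


def requirements_by_framework(crosswalk=CROSSWALK):
    """All requirement IDs reachable through the crosswalk, per framework."""
    reqs = defaultdict(set)
    for mapping in crosswalk.values():
        for fw, ids in mapping.items():
            reqs[fw].update(ids)
    return dict(reqs)


def satisfied_by_framework(implemented, crosswalk=CROSSWALK):
    """Requirement IDs met by the implemented controls, per framework."""
    met = defaultdict(set)
    for ctl in implemented:
        for fw, ids in crosswalk.get(ctl, {}).items():
            met[fw].update(ids)
    return dict(met)


def coverage(implemented, crosswalk=CROSSWALK):
    """Percent of each framework's mapped requirements satisfied (rounded)."""
    total = requirements_by_framework(crosswalk)
    met = satisfied_by_framework(implemented, crosswalk)
    return {fw: round(100 * len(ids & met.get(fw, set())) / len(ids))
            for fw, ids in total.items()}


def gaps(implemented, crosswalk=CROSSWALK):
    """Sorted list of unmet requirement IDs per framework."""
    total = requirements_by_framework(crosswalk)
    met = satisfied_by_framework(implemented, crosswalk)
    return {fw: sorted(ids - met.get(fw, set())) for fw, ids in total.items()}


def prioritise(implemented, severity, crosswalk=CROSSWALK):
    """Rank unimplemented controls by cross-framework benefit.

    Score = sum over frameworks of (open requirements the control would close)
    x (that framework's severity weight). Ties fall back to control name.
    """
    open_reqs = {fw: set(ids) for fw, ids in gaps(implemented, crosswalk).items()}
    ranked = []
    for ctl, mapping in crosswalk.items():
        if ctl in implemented:
            continue
        score = sum(severity.get(fw, 1) * len(set(ids) & open_reqs.get(fw, set()))
                    for fw, ids in mapping.items())
        ranked.append((ctl, score))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    done = {"CTL-MFA", "CTL-LOGGING"}                  # constructed current state
    weights = {"ISO27001": 1, "CSF2": 1, "SOC2": 2}    # assumption: SOC 2 audit is nearest
    print(coverage(done))
    print(gaps(done))
    print(prioritise(done, weights))
```

The ranking is a one-shot score. To turn it into a remediation sequence, recompute after each control is picked: when two controls map to the same requirement, closing one reduces the benefit of the other, so a greedy re-score avoids overstating the second control's value.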

Crypto Spec Generator

Draft and validate a Cryptographic Key Management & Encryption Standard (NIST CSF 2.0 PR.DS). Ensures algorithms and key-lifecycle controls align with FIPS 140-3, and flags legacy algorithms (SHA-1, 3DES, etc.) that NIST SP 800-131A has deprecated or disallowed so the standard holds up for 2026-era compliance.

CSRD Double Materiality Assessment (ESRS 1 §3)

Run an ESRS 1 §3 Double Materiality Assessment end-to-end: scope and methodology memo, stakeholder engagement plan and log, IRO long-list, impact and financial scoring rubrics, value-chain coverage, ESRS topic and sub-topic disclosure scoping, ESRS Set 1 datapoint gap log, board approval pack, and an ISAE 3000 (Revised) assurance evidence file — aligned with EFRAG IG-1, IG-2, and IG-3.

ESRS 2 General Disclosures

Draft and validate the mandatory ESRS 2 general-disclosures pack for CSRD sustainability statements: BP-1/BP-2, GOV-1..5, SBM-1..3, IRO-1/IRO-2, due-diligence mapping, sustainability reporting controls, and an IRO-2 Disclosure Requirements index kept in sync with DMA outputs and datapoints.

ESRS E1 Climate Change Disclosures

Draft and validate ESRS E1 topical disclosures for a CSRD sustainability statement: topic-specific SBM-3, E1-IRO-1 climate scenario analysis, E1-1 transition plan (1.5°C-aligned trajectory, locked-in emissions, CapEx alignment with the EU Taxonomy), E1-2 policies, E1-3 actions and resources, E1-4 targets (with SBTi cross-walk), E1-5 energy consumption and mix, E1-6 gross Scope 1/2/3 and total GHG emissions per the GHG Protocol Corporate Standard (location-based and market-based Scope 2; 15-category Scope 3; intensity per net revenue), E1-7 GHG removals and carbon credits, E1-8 internal carbon pricing, and E1-9 anticipated financial effects from physical and transition risks and climate-related opportunities. Interoperable with IFRS S2 (ISSB) and TCFD. Consumes the DMA IRO register and material-topics decisions; hands disclosure-requirement rows back to ESRS 2 IRO-2 and CapEx-alignment narrative to the EU Taxonomy alignment report.

ESRS E2 Pollution Disclosures

Draft and validate ESRS E2 topical disclosures for a CSRD sustainability statement: topic-specific ESRS 2 SBM-3 (E2 application), ESRS 2 IRO-1 (E2 application — process to identify and assess material pollution-related impacts, risks, and opportunities), E2-1 policies, E2-2 actions and resources, E2-3 targets, E2-4 pollution of air, water, and soil (E-PRTR / IEP Regulation pollutant register; quantities released; off-site transfers of pollutants in waste), E2-5 substances of concern (SoC) and substances of very high concern (SVHC) under REACH (Candidate List, Authorisation List Annex XIV, Restriction List Annex XVII; ECHA SCIP database hand-off; microplastics under Reg (EU) 2023/2055), and E2-6 anticipated financial effects from pollution-related impacts, risks, and opportunities. Anchored to Commission Delegated Regulation (EU) 2023/2772 ESRS E2, the Industrial Emissions Directive 2010/75/EU as revised by Directive (EU) 2024/1785 (BAT-AELs), the Industrial Emissions Portal Regulation (EU) 2024/1244 (replacing E-PRTR Regulation (EC) 166/2006), REACH Regulation (EC) 1907/2006, the CLP Regulation (EC) 1272/2008, the Microplastics REACH restriction (EU) 2023/2055, the Air Quality Directive (EU) 2024/2881, the Soil Monitoring Directive (EU) 2024/3115, the Water Framework Directive 2000/60/EC and Urban Waste Water Treatment Directive (recast (EU) 2024/3019), the Mercury Regulation (EU) 2017/852 (revised 2024), and the POPs Regulation (EU) 2019/1021. Consumes the DMA IRO register and material-topics decisions; hands disclosure-requirement rows back to ESRS 2 IRO-2.

ESRS E3 Water and Marine Resources Disclosures

Draft and validate ESRS E3 topical disclosures for a CSRD sustainability statement: topic-specific SBM-3 and E3-IRO-1 water/marine IRO assessment, E3-1 policies, E3-2 actions and resources, E3-3 targets, E3-4 water consumption with withdrawal, discharge, recycling/reuse and high-water-stress-area metrics, and E3-5 anticipated financial effects from water- and marine-resources-related impacts, risks, and opportunities. Uses WRI Aqueduct, CDP Water, Water Framework Directive, and Marine Strategy Framework Directive context; consumes DMA materiality decisions and hands disclosure rows back to ESRS 2 IRO-2.

ESRS E5 Resource Use and Circular Economy Disclosures

Draft and validate ESRS E5 topical disclosures for a CSRD sustainability statement: topic-specific SBM-3 and E5-IRO-1 resource-use and circular-economy IRO assessment, E5-1 policies, E5-2 actions and resources, E5-3 targets, E5-4 resource inflows with secondary/recycled and sustainably-sourced shares and critical-raw-materials exposure, E5-5 resource outflows covering product durability/reparability/recyclability/recycled content and waste by treatment route including hazardous waste, and E5-6 anticipated financial effects from resource-use and circular-economy-related impacts, risks, and opportunities. References the EU Circular Economy Action Plan, ESPR, Waste Framework Directive, PPWR, Right-to-Repair Directive, Battery Regulation, and Critical Raw Materials Act; consumes DMA materiality decisions and hands disclosure rows back to ESRS 2 IRO-2.

ESRS G1 Business Conduct Disclosures

Draft and validate ESRS G1 topical disclosures for a CSRD sustainability statement: G1-1 business conduct policies and corporate culture, G1-2 supplier relationships, G1-3 corruption and bribery prevention/detection, G1-4 confirmed incidents, G1-5 political influence and lobbying, and G1-6 payment practices. Consumes DMA and ESRS 2 outputs and produces evidence-linked IRO-2 hand-off rows.

ESRS S4 Consumers and End-users Disclosures

Draft and validate ESRS S4 topical disclosures for a CSRD sustainability statement: topic-specific SBM-2 / SBM-3, S4-1 policies, S4-2 engagement processes, S4-3 remediation channels and grievance mechanisms, S4-4 actions on material impacts, and S4-5 targets — covering information-related impacts, personal safety, and social inclusion under ESRS 1 AR16. Cross-references GDPR, DSA, GPSR, the European Accessibility Act, and the EU AI Act. Consumes the DMA IRO register and material-topics decisions; hands disclosure-requirement rows back to ESRS 2 IRO-2.

Executive Readiness Report

Generate a board-ready executive summary of compliance posture, readiness scores by area, critical gaps, and timeline to audit. Designed for C-suite, board members, and auditors. Synthesizes data from dashboard metrics, gap assessments, risk registers, and policy status into a single exportable document.

Incident Decision Tree Builder

Draft scenario-specific incident response playbooks (NIST CSF RS.RP; RS.MA in CSF 2.0) with a clear decision matrix for isolate vs. monitor and logic gates for Containment, Eradication, and Recovery. Inserts or validates mandatory regulatory reporting windows in the playbook timeline, e.g. GDPR Art. 33 notification to the supervisory authority within 72 hours of becoming aware of a personal data breach, and SEC Form 8-K Item 1.05 within four business days of determining that a cybersecurity incident is material.

ISO 14001 EMS Documentation

Draft ISO 14001:2015 Environmental Management System documentation: organization environmental profiling, gap assessment against clauses 4-10 with maturity ratings, and environmental policy creation. Includes tools for aspect significance evaluation, profile completeness checking, maturity scoring, remediation prioritization, and policy validation.

ISO 20000 Internal Audit (Clause 4.5.4.2)

Plan and execute SMS internal audits for ISO/IEC 20000-1:2011. Create annual audit programs, plan individual engagements, document findings with classifications (Major NC, Minor NC, Observation, OFI), and prepare corrective action plans. Note that ISO/IEC 20000-1:2011 has been superseded by ISO/IEC 20000-1:2018, where the internal audit requirement sits in Clause 9.2.

ISO 20000 Management Review (Clause 4.5.5)

Prepare and conduct management review of the SMS for ISO/IEC 20000-1:2011. Compile all required review inputs per Clause 4.5.5, document decisions with owners and dates, track improvement actions, and produce the management review report. In the current ISO/IEC 20000-1:2018 edition the equivalent requirement is Clause 9.3.

ISO 20000 Organization Profile

Build and validate a shared organization profile for ISO/IEC 20000-1:2011 certification. Captures organizational facts (service provider type, locations, departments, technology, roles, maturity) that feed into SMS scope, service catalog, gap assessment, and service management planning. Profile completeness checker validates all required sections.

ISO 27001 Awareness and Training Plan

Create, validate, and maintain the ISO 27001:2022 awareness and training plan per Clauses 7.2 (Competence), 7.3 (Awareness), and Annex A control A.6.3. Defines target audiences with role-based training requirements, training modules, delivery methods, annual schedule with quarterly phishing simulations, and effectiveness evaluation metrics. Validates section completeness, audience coverage, and schedule gaps. Produces a standalone audit-ready training plan document.

ISO 27001 Gap Assessment

Perform a structured gap assessment against ISO 27001:2022 clauses 4-10 and 93 Annex A controls. Mandatory artifact detector scans for missing ISMS documents; maturity rating tool suggests 0-5 maturity levels per clause area. Produces findings register and remediation roadmap.

ISO 27001 ISMS Annual Maintenance & Surveillance Audit Prep

Prepare for annual ISO 27001 surveillance audits by reviewing and updating existing ISMS documents. Scans documents for freshness, assesses organizational changes, performs delta risk re-assessment, updates SoA, reconciles CAPAs from prior audits, assembles surveillance audit evidence pack, scores audit readiness across 10 dimensions, and produces a year-over-year ISMS health report. Designed for certified organizations maintaining their ISMS between recertification cycles.

ISO 27001 Management Review

Prepare, validate, and document the ISO 27001:2022 management review per Clause 9.3. Compiles input pack from workspace ISMS artifacts, validates all 10 mandatory input categories (Clause 9.3.2) and 3 required output decisions (Clause 9.3.3), and checks that every action has an owner, due date, and expected outcome. Produces review agenda, input pack, minutes, and action tracker.

ISO 27001 Organization Profile

Build and validate a shared organization profile for ISO 27001 certification. Captures organizational facts (industry, locations, technology stack, regulations, suppliers) that feed into scope, risk assessment, SoA, and policy generation. Technology stack normalizer classifies systems; profile completeness checker validates all required sections.

ISO 27001 Policy Generator

Generate, validate, and maintain the core ISMS policy and procedure set for ISO 27001:2022 certification. Produces 22 document types (information security policy, ISMS manual, risk management, access control, incident management, asset management, change management, business continuity, document control, corrective action, classification and handling, cryptography, secure development, vulnerability management, remote working, backup, management responsibilities, intellectual property, data leakage prevention, network security, secure disposal, cabling security) with clause-aware templates and organization-specific tailoring.

ISO 27001 Risk Assessment

Complete ISO 27001:2022 risk assessment workflow covering methodology definition, risk identification using a 12-category threat taxonomy, risk analysis with 5×5 matrix scoring, treatment planning with Annex A control mapping, and residual risk validation. Produces auditor-ready risk methodology, risk register, treatment plan, and acceptance forms per Clauses 6.1.2 and 6.1.3.

JIT PAM Zero Trust (NIST 800-207)

Document and audit Just-in-Time privileged access management aligned to Zero Trust and NIST SP 800-207. Defines no-standing-privilege, time-bound elevation, and MFA for privileged sessions.

NIS2 Business Continuity

Document business continuity and crisis management measures per NIS2 Art. 21(2)(c). Covers backup management policies, disaster recovery procedures, crisis management activation and escalation, and ICT readiness for business continuity. Validates BCP completeness against NIS2 requirements and checks RTO/RPO target definitions.

NIS2 Entity Classification

Classify an organization as essential, important, or out-of-scope under the NIS2 Directive (Directive (EU) 2022/2555). Maps activities to Annex I/II sectors, applies the Art. 2(1) size thresholds (medium-sized or larger enterprise, by reference to Commission Recommendation 2003/361/EC) together with the regardless-of-size cases, and determines member state jurisdiction. Produces a classification report with regulatory obligations summary.
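The size test in NIS2 Art. 2(1) is where classifications most often go wrong, because the SME definition it borrows from the Annex to Commission Recommendation 2003/361/EC uses "and/or" between the turnover and balance-sheet ceilings: an entity stays in a size class only if it is under that class's headcount ceiling and under at least one of its two financial ceilings. The following is an added example written for this page, not the skill package's code. It applies that rule together with the Annex I / Annex II split, the Art. 3(1)(a) large-Annex-I rule, and the Art. 3(1)(b) entity types that are essential regardless of size. The sector and entity-type labels are constructed for the example, and member-state-specific designations (the remaining points of Art. 2(2) and Art. 3(1)) are deliberately not modelled.

```python
"""NIS2 entity classification: sector annex x enterprise size.

Added example written for this page; it is not the skill package's own code.
Size classes follow the SME definition in the Annex to Commission
Recommendation 2003/361/EC (headcount, turnover, balance-sheet total),
which NIS2 Art. 2(1) references. Sector and entity-type labels are
constructed for the example; member-state-specific designations are
not modelled (assumption).
"""
from dataclasses import dataclass

# Constructed one-word labels for the NIS2 sector annexes (assumption).
ANNEX_I = {
    "energy", "transport", "banking", "financial market infrastructure",
    "health", "drinking water", "waste water", "digital infrastructure",
    "ict service management", "public administration", "space",
}
ANNEX_II = {
    "postal and courier", "waste management", "chemicals", "food",
    "manufacturing", "digital providers", "research",
}

# Art. 3(1)(b): essential regardless of size.
ESSENTIAL_ANY_SIZE = {"qualified trust service provider", "tld registry", "dns service provider"}
# Art. 2(2)(a) and Art. 2(3): in scope regardless of size, classified under Art. 3.
IN_SCOPE_ANY_SIZE = ESSENTIAL_ANY_SIZE | {
    "public e-comms provider", "trust service provider", "domain name registration service",
}


@dataclass(frozen=True)
class Entity:
    name: str
    sector: str                 # constructed label from ANNEX_I / ANNEX_II
    staff: int                  # headcount (annual work units)
    turnover_m_eur: float       # annual turnover, EUR millions
    balance_m_eur: float        # annual balance-sheet total, EUR millions
    entity_type: str = ""       # constructed label, e.g. "dns service provider"


def size_class(staff: int, turnover_m: float, balance_m: float) -> str:
    """SME class per Rec. 2003/361/EC Annex Art. 2.

    Each class requires being under the headcount ceiling AND under at
    least one of the two financial ceilings ("and/or"), so an entity with
    45 staff, EUR 60m turnover and EUR 50m balance sheet is large.
    """
    if staff < 10 and (turnover_m <= 2 or balance_m <= 2):
        return "micro"
    if staff < 50 and (turnover_m <= 10 or balance_m <= 10):
        return "small"
    if staff < 250 and (turnover_m <= 50 or balance_m <= 43):
        return "medium"
    return "large"


def classify(e: Entity) -> tuple[str, str]:
    """Return (classification, reason): essential / important / out-of-scope."""
    size = size_class(e.staff, e.turnover_m_eur, e.balance_m_eur)
    if e.entity_type in ESSENTIAL_ANY_SIZE:
        return "essential", f"Art. 3(1)(b): {e.entity_type} is essential regardless of size"
    if e.entity_type == "public e-comms provider" and size in ("medium", "large"):
        return "essential", "Art. 3(1)(c): medium-sized or larger public e-comms provider"
    if e.entity_type in IN_SCOPE_ANY_SIZE:
        return "important", (f"Art. 2(2)(a)/2(3) keep {e.entity_type} in scope at {size} size; "
                             "Art. 3(2) makes it important")
    if e.sector not in ANNEX_I and e.sector not in ANNEX_II:
        return "out-of-scope", f"sector '{e.sector}' is not in Annex I or II"
    if size in ("micro", "small"):
        return "out-of-scope", f"{size} enterprise is below the Art. 2(1) medium-size floor"
    if e.sector in ANNEX_I and size == "large":
        return "essential", "Art. 3(1)(a): Annex I entity exceeding the medium-size ceiling"
    annex = "I" if e.sector in ANNEX_I else "II"
    return "important", f"Art. 3(2): {size} Annex {annex} entity not qualifying as essential"


if __name__ == "__main__":
    # Constructed sample entities.
    for ent in (
        Entity("regional hospital", "health", 300, 80, 60),
        Entity("car-parts plant", "manufacturing", 1000, 500, 400),
        Entity("boutique DNS host", "digital infrastructure", 12, 3, 2, "dns service provider"),
        Entity("bakery chain", "food", 40, 8, 5),
        Entity("fintech", "banking", 30, 12, 12),
        Entity("village ISP", "digital infrastructure", 20, 4, 3, "public e-comms provider"),
    ):
        verdict, why = classify(ent)
        print(f"{ent.name:20s} -> {verdict:13s} ({why})")
```

Two results from the sample set are worth noting: a 1,000-employee manufacturer is important, not essential, because Art. 3(1)(a) reaches only Annex I sectors; and a 30-person bank with EUR 12m turnover and EUR 12m balance sheet is medium-sized (it exceeds both small-enterprise financial ceilings) and so falls in scope despite its headcount.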

NIS2 Gap Assessment

Perform a structured gap assessment against all NIS2 Directive Art. 21 cybersecurity risk-management measures. Rates maturity (0-5) per measure, detects missing compliance artifacts, and builds a prioritized remediation roadmap weighted by regulatory severity and entity classification. Produces a comprehensive gap report with interactive dashboard data.

NIS2 Governance & Risk Management

Document management body accountability and cybersecurity risk management measures per NIS2 Directive Art. 20-21. Covers all 10 mandatory measures, Art. 21(2)(a)-(j), governance approval workflows, and management training obligations. Produces a governance and risk management report with measure-by-measure coverage analysis.

NIS2 Incident Reporting

Draft NIS2-compliant incident reports following Art. 23 timelines: early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours of becoming aware, and final report no later than one month after submission of the incident notification (the one-month clock runs from the notification, not from awareness). Classifies incident significance, validates report completeness, and tracks notification deadlines. Produces all three report types with CSIRT/competent authority notification content.

NIS2 Policies & Procedures

Draft and validate cybersecurity policies and procedures for all 10 NIS2 Art. 21(2) mandatory measures, (a)-(j). Validates policy coverage, cross-references between related measures, and checks policy structure against organizational standards. Produces individual policy documents or a consolidated policy pack.

NIS2 Registration & Reporting

Prepare entity registration submissions and annual reports per NIS2 Art. 27-28. Validates registration form completeness against required fields (entity details, sector, IP ranges, contact information) and checks annual report content. Produces registration-ready submissions and structured annual compliance reports.

NIS2 Supply Chain Security

Assess and manage supply chain cybersecurity risks per NIS2 Art. 21(2)(d). Scores supplier criticality and cybersecurity maturity, validates contractual security clauses, and identifies concentration risks in the ICT supply chain. Produces a supplier risk register and contractual review report.

NIST SP 800-53 / CSF Crosswalk

Bidirectional crosswalk between NIST Cybersecurity Framework (CSF) 2.0 subcategories and SP 800-53 Rev 5 controls. Maps CSF subcategories to 800-53 controls and vice versa, identifies gaps in either direction, and produces a crosswalk document for dual-framework compliance.

NIST SP 800-53 Baseline Selector

Select and tailor an SP 800-53 Rev 5 control baseline based on FIPS 199 categorization and regulatory overlays (HIPAA, PCI-DSS, GDPR, SOX, FedRAMP, CMMC). Applies the appropriate Low/Moderate/High baseline from SP 800-53B, adds regulation-specific controls, and supports tailoring with documented justification. Produces tailored-control-catalog.json for all downstream skills.

NIST SP 800-53 Control Standard Author

Author implementation standards for individual NIST SP 800-53 controls. Each standard documents the control objective, implementation narrative, technology and tools, responsible roles, evidence requirements, and review frequency. Validates narrative coverage and quality across control families.

NIST SP 800-53 Family Policy Author

Author NIST SP 800-53 family-level policies (the -1 controls) for each control family. Produces structured policy documents with Purpose, Scope, Applicability, Policy Statements, Roles & Responsibilities, Compliance & Enforcement, Review Frequency, and Related Documents sections. Validates completeness and structure.

NIST SP 800-53 Gap Analysis

Conduct a gap analysis across the NIST SP 800-53 compliance program. Cross-references tailored control catalog against policies, standards, and mappings to identify coverage gaps. Prioritizes remediation by baseline level, regulatory requirement, and family criticality. Produces a gap analysis report with per-family breakdown and phased remediation roadmap.

NIST SP 800-53 Organization Profile

Build and validate the organizational context profile for NIST SP 800-53 Rev 5 compliance. Captures FIPS 199 security categorization (Confidentiality, Integrity, Availability impact levels), applicable regulations (HIPAA, PCI-DSS, GDPR, SOX, FedRAMP, FISMA, CMMC), existing frameworks, and authorization boundary. Validates completeness of categorization and scope for downstream baseline selection and control implementation.

NIST SP 800-53 Policy-Control Mapper

Map existing policy and standard documents to NIST SP 800-53 controls with AI-assisted quality scoring. Rates each mapping as High/Medium/Low confidence with documented justification. Identifies unmapped controls and low-quality mappings for remediation. Produces policy-control-mapping.json for gap analysis.

PAM Standard (PR.AA)

Draft and validate a Privileged Access Management standard aligned to NIST CSF 2.0 PR.AA. Defines JIT, least privilege, SoD boundaries, and break-glass workflow; ensures MFA for 100% of privileged sessions.

Risk Register ISO 31000

Guided elaboration of an ISO 31000:2018-aligned risk register: organizational context, risk criteria (likelihood/impact scales and appetite), structured register entries with cause, existing controls, consequence, treatment, residual risk, implementation deadline and owner, plus automated validation of completeness and likelihood × impact (L × I) scoring consistency.

Risk Tolerance Quantifier

Draft and validate a Cybersecurity Risk Appetite Statement (NIST CSF 2.0 GV.RM; GV.RM-02 calls for risk appetite and risk tolerance statements): translate board mandates into quantifiable tolerance levels and KPIs; ensure stated appetite is supported by budget narratives.

SOC 2 Internal Audit

Conduct an internal readiness audit ahead of a SOC 2 examination (SOC 2 is an attestation report issued by a CPA firm, not a certification). Tests controls per TSC criteria, classifies findings by AICPA severity (Material Weakness, Significant Deficiency, Deficiency, Observation), organizes evidence for auditor handoff, tracks management responses, and produces a readiness assessment. The capstone skill that determines whether the organization is ready to engage an external service auditor.

SOC 2 Organization Profile

Build and validate the organizational context profile for SOC 2 audit readiness. Captures principal service commitments and system requirements (SCSR), trust services categories, system boundaries, subservice organizations (carve-out or inclusive method), and complementary user entity controls (CUECs). Boundary validator checks scope completeness; CUEC mapper validates controls are specific, actionable, and TSC-aligned.

SOC 2 Risk Assessment

Conduct a structured risk assessment aligned to AICPA Trust Services Criteria. Identifies risks per TSC category using a 5x5 likelihood-impact matrix, maps risks to specific TSC criteria (CC/A/PI/C/P), identifies control gaps, validates residual risk scoring, and produces a risk register with treatment plan. Feeds into gap analysis, control narratives, and policy generation.

SOC 2 Vendor Management

Establish third-party and subservice organization oversight for SOC 2 audit readiness. Risk-tiered assessment framework with vendor register, SOC report review validation, CSOCs validation, and tiered security requirements per CC9.2. Covers vendor risk scoring, SOC report currency checks, and bridge letter tracking.

Threat Impact Narrative Builder

Build and validate cybersecurity risk registers and impact narratives aligned to NIST CSF 2.0 ID.RA. Uses FAIR methodology for impact scenarios and enforces consistency between risk scores and historical incident data.

Ready to let your expertise drive the workflow?

Stop wrestling with rigid templates and generic chatbots. Describe your process, let the agent handle the rest.

Get Started Free — No Sign-Up