CMS Obligations Elaborator
Overview
Guided elaboration of CMS documentation for ISO 37301: compliance obligations register, compliance risk assessment, compliance policy and objectives, and controls mapping. Ensures each obligation has controls and a review date, and flags high compliance risks that have no mitigation.
Getting Started
Add your source materials to the project workspace, then activate the CMS Obligations Elaborator skill. The agent will guide you through the process step by step.
Example Conversation
You: We’re building our compliance obligations register for ISO 37301. Each obligation needs a review date and we need to map controls (policies/procedures) to obligations. We also have a few high compliance risks that need mitigation.
Agent: I’ll create an obligations register template (source, applicability, review date, compliance status) and a control-to-obligation mapping section. Then I’ll run check_obligation_control_coverage to flag obligations without a review date or controls, and high compliance risks without mitigation.
Agent: The tool found obligations content but warned that the register should include a review date for each obligation and that each obligation should be linked to controls. It also flagged that high compliance risks should have mitigation. I’ve added “Next review” and “Control(s)” columns to the register and a compliance risk table with a “Mitigation” column. I’ve drafted mitigation for the two high risks you listed (e.g. control owner, procedure reference).
You: Add one more obligation and link it to our code of conduct.
Agent: Done. Re-run check_obligation_control_coverage to confirm all obligations have controls and review dates and high risks have mitigation.
Sample Output Excerpt
Excerpt from a CMS obligations register and control mapping.
Compliance obligations register (excerpt)
| Obligation | Source | Applicability | Next review | Control(s) |
|---|---|---|---|---|
| Anti-bribery | National law §12; group policy | All entities | 2025-06-01 | Code of conduct; ABC policy; training |
| Data protection | GDPR; local DPA | EU processing | 2025-09-01 | Privacy policy; DPIA procedure; DPO |
| Export control | Regulation 123/2020 | Sales to listed countries | 2025-12-01 | Export checklist; compliance sign-off |
Compliance risk (excerpt)
| Risk | Level | Mitigation |
|---|---|---|
| Breach of anti-bribery in high-risk markets | High | Mandatory ABC training; due diligence procedure; annual review by Legal |
| Data breach (processor failure) | High | Processor agreement; audit clause; incident procedure and DPO notification |
Built-in Validation Tools
The skill includes an extension tool that checks CMS documentation for obligation and control coverage.
What the tool checks
| Check | check_obligation_control_coverage |
|---|---|
| Obligations register | Detects compliance obligation, obligations register, 37301, legal requirement |
| Review date | Looks for review date, review cycle, next review, or date pattern |
| Controls | Looks for control, procedure, policy, mapping, traceability, addresses |
| High compliance risk | Looks for high risk, significant risk, compliance risk in risk section |
| Mitigation | Looks for mitigation, control, action, owner, remediation |
| Findings | WARNING if obligations lack review date or controls, or high risks lack mitigation; INFO when present |
Example validation output
======================================================================
CMS OBLIGATION & CONTROL COVERAGE REPORT
ISO 37301:2021
======================================================================
Document: docs/cms-manual.md
--- FINDINGS ---
[WARNING] Each obligation should be linked to controls (policies, procedures) that address it. Add control-to-obligation mapping.
[INFO] Obligations, controls, and review dates found; verify every obligation has at least one control and a review date.
--- SUMMARY ---
Errors: 0
Warnings: 1
======================================================================
Run the tool on your obligations register or CMS manual after drafting or updating it.
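The table above describes keyword-level checks. A row-by-row version of the same coverage check, added here as an illustration and not the skill's own check_obligation_control_coverage tool, parses the markdown tables of a register like the sample excerpt, then checks each obligation row for a parseable review date and at least one control, and each High risk row for a mitigation entry. The report layout mirrors the example output above. The overdue-date check, the helper names and the sample document are assumptions of this example; the sample document is constructed.

```python
"""Row-level obligation and control coverage check for a markdown CMS register.

Added example: not the skill's built-in tool. Function names, the overdue
check and the sample document below are this example's own assumptions.
"""
import re
from datetime import date

DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
SEPARATOR_RE = re.compile(r"\|?[\s:|-]+\|?")  # the |---|---| line under a header


def parse_tables(text):
    """Return every pipe table in `text` as a list of row dicts keyed by header."""
    tables, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        is_header = (line.startswith("|") and i + 1 < len(lines)
                     and SEPARATOR_RE.fullmatch(lines[i + 1].strip()))
        if not is_header:
            i += 1
            continue
        headers = [h.strip() for h in line.strip("|").split("|")]
        rows, i = [], i + 2
        while i < len(lines) and lines[i].strip().startswith("|"):
            cells = [c.strip() for c in lines[i].strip().strip("|").split("|")]
            cells += [""] * (len(headers) - len(cells))  # pad short rows
            rows.append(dict(zip(headers, cells)))
            i += 1
        tables.append(rows)
    return tables


def find_column(headers, keyword):
    """Header whose text contains `keyword` as a whole word, e.g. 'Control(s)'."""
    for h in headers:
        if re.search(rf"\b{keyword}\b", h.lower()):
            return h
    return None


def parse_date(cell):
    """First YYYY-MM-DD in the cell as a date, or None if absent/invalid."""
    m = DATE_RE.search(cell or "")
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # e.g. 2025-13-40
        return None


def check_coverage(text, today=None):
    """Return (severity, message) findings for the register tables in `text`."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    findings, obligations, high_risks = [], 0, 0
    for rows in parse_tables(text):
        if not rows:
            continue
        headers = list(rows[0])
        obl_col, level_col = find_column(headers, "obligation"), find_column(headers, "level")
        if obl_col and not level_col:  # obligations register
            review_col, ctrl_col = find_column(headers, "review"), find_column(headers, "control")
            for row in rows:
                obligations += 1
                name = row[obl_col]
                review = parse_date(row[review_col]) if review_col else None
                if review is None:
                    findings.append(("WARNING", f"Obligation '{name}' has no review date."))
                elif review < today:
                    findings.append(("WARNING", f"Obligation '{name}' review date {review} is overdue."))
                if not (ctrl_col and row[ctrl_col]):
                    findings.append(("WARNING", f"Obligation '{name}' is not linked to any control."))
        elif level_col and find_column(headers, "risk"):  # compliance risk table
            risk_col, mit_col = find_column(headers, "risk"), find_column(headers, "mitigation")
            for row in rows:
                if row[level_col].lower() != "high":
                    continue
                high_risks += 1
                if not (mit_col and row[mit_col]):
                    findings.append(("WARNING", f"High compliance risk '{row[risk_col]}' has no mitigation."))
    if obligations == 0:
        findings.append(("WARNING", "No obligations register table found."))
    else:
        findings.append(("INFO", f"Checked {obligations} obligation(s) and {high_risks} high risk(s)."))
    return findings


def render_report(document, findings):
    """Plain-text report in the same layout as the tool's example output."""
    warnings = sum(1 for sev, _ in findings if sev == "WARNING")
    out = ["=" * 70, "CMS OBLIGATION & CONTROL COVERAGE REPORT", "ISO 37301:2021", "=" * 70,
           f"Document: {document}", "--- FINDINGS ---"]
    out += [f"[{sev}] {msg}" for sev, msg in findings]
    out += ["--- SUMMARY ---", "Errors: 0", f"Warnings: {warnings}", "=" * 70]
    return "\n".join(out)


# Constructed sample register: one row lacks a review date, one is overdue and
# unmapped, and one High risk has no mitigation.
SAMPLE_DOC = """\
| Obligation | Source | Applicability | Next review | Control(s) |
|---|---|---|---|---|
| Anti-bribery | National law §12 | All entities | 2025-06-01 | Code of conduct; ABC policy |
| Data protection | GDPR | EU processing | | Privacy policy; DPIA procedure |
| Export control | Regulation 123/2020 | Listed countries | 2024-12-01 | |

| Risk | Level | Mitigation |
|---|---|---|
| Breach of anti-bribery in high-risk markets | High | Mandatory ABC training |
| Data breach (processor failure) | High | |
| Late filing of annual report | Low | |
"""

if __name__ == "__main__":
    print(render_report("docs/cms-manual.md", check_coverage(SAMPLE_DOC, today="2025-03-01")))
```

Pass `today` explicitly when the check runs in CI so that the overdue finding is reproducible; the keyword-only check in the table above would report INFO for this sample, since the words "review" and "control" are present, while the row-level check reports the three obligations and one risk that actually fail.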