Skills

security-frameworks

Installation
SKILL.md

Security Frameworks Planning

Comprehensive guidance for security framework alignment and control mapping before development begins.

When to Use This Skill

  • Preparing for ISO 27001 certification
  • Planning SOC 2 Type I or Type II audits
  • Implementing NIST Cybersecurity Framework 2.0
  • Mapping CIS Controls to your environment
  • Creating cross-framework control mappings

Framework Comparison

When to Use Which Framework

Framework Best For Certification? Geography
ISO 27001 Enterprise ISMS, international recognition Yes (3rd party) Global
SOC 2 SaaS/Cloud providers, customer trust Yes (CPA firm) Primarily US
NIST CSF Risk management, federal requirements No US-focused
CIS Controls Tactical implementation, prioritization No Global

Framework Relationships

                    ┌─────────────────┐
                    │   Regulations   │
                    │ (GDPR, HIPAA)   │
                    └────────┬────────┘
                             │ drives
                    ┌────────▼────────┐
                    │   Frameworks    │
                    │(ISO, NIST, CIS) │
                    └────────┬────────┘
                             │ implements
                    ┌────────▼────────┐
                    │    Controls     │
                    │ (specific tech) │
                    └────────┬────────┘
                             │ evidenced by
                    ┌────────▼────────┐
                    │    Audits       │
                    │ (SOC 2, ISO)    │
                    └─────────────────┘

ISO 27001:2022

Structure Overview

Clauses 4-10: Management System Requirements
├── 4. Context of the organization
├── 5. Leadership
├── 6. Planning
├── 7. Support
├── 8. Operation
├── 9. Performance evaluation
└── 10. Improvement

Annex A: 93 Controls in 4 Themes
├── A.5 Organizational controls (37)
├── A.6 People controls (8)
├── A.7 Physical controls (14)
└── A.8 Technological controls (34)

Key Controls for Development

Control Title Implementation
A.5.1 Policies for information security Document security policies
A.5.15 Access control RBAC, least privilege
A.5.23 Information security for cloud services Cloud security controls
A.8.4 Access to source code Git access, code review
A.8.8 Management of technical vulnerabilities Vulnerability scanning
A.8.9 Configuration management IaC, hardening
A.8.25 Secure development lifecycle SSDLC
A.8.28 Secure coding OWASP, static analysis
A.8.29 Security testing DAST, penetration testing
A.8.31 Separation of environments Dev/Test/Prod isolation

ISMS Implementation Approach

// Control implementation tracking
public class IsmsControlTracker
{
    public record ControlStatus
    {
        public required string ControlId { get; init; } // e.g., "A.8.28"
        public required string ControlTitle { get; init; }
        public required ImplementationStatus Status { get; init; }
        public required string Owner { get; init; }
        public required List<string> Evidence { get; init; }
        public required DateTimeOffset LastReviewDate { get; init; }
        public required DateTimeOffset NextReviewDate { get; init; }
        public string? GapDescription { get; init; }
        public string? RemediationPlan { get; init; }
    }

    public enum ImplementationStatus
    {
        NotApplicable,
        NotImplemented,
        PartiallyImplemented,
        FullyImplemented
    }

    public GapAnalysisReport GenerateGapAnalysis(
        IEnumerable<ControlStatus> controls)
    {
        var gaps = controls
            .Where(c => c.Status != ImplementationStatus.FullyImplemented
                     && c.Status != ImplementationStatus.NotApplicable)
            .OrderBy(c => c.ControlId);

        return new GapAnalysisReport
        {
            TotalControls = controls.Count(),
            FullyImplemented = controls.Count(c =>
                c.Status == ImplementationStatus.FullyImplemented),
            PartiallyImplemented = controls.Count(c =>
                c.Status == ImplementationStatus.PartiallyImplemented),
            NotImplemented = controls.Count(c =>
                c.Status == ImplementationStatus.NotImplemented),
            NotApplicable = controls.Count(c =>
                c.Status == ImplementationStatus.NotApplicable),
            Gaps = gaps.ToList()
        };
    }
}

SOC 2

Trust Services Criteria (TSC)

Category Description Key Criteria
Security (Required) System protected against unauthorized access CC6.x
Availability System available for operation A1.x
Processing Integrity System processing is complete, accurate PI1.x
Confidentiality Confidential information protected C1.x
Privacy Personal information protected P1.x-P8.x

Common Criteria (Security)

CC1 - Control Environment
CC2 - Communication and Information
CC3 - Risk Assessment
CC4 - Monitoring Activities
CC5 - Control Activities
CC6 - Logical and Physical Access Controls
CC7 - System Operations
CC8 - Change Management
CC9 - Risk Mitigation

SOC 2 Control Examples

## CC6.1 - Logical Access Security

### Control Description
The entity implements logical access security software, infrastructure,
and architectures over protected information assets to protect them
from security events to meet the entity's objectives.

### Implementation
- Authentication via Azure AD with MFA required
- RBAC with least privilege principle
- Service accounts with managed identities
- API access via OAuth 2.0 tokens

### Evidence
- Azure AD configuration export
- Role assignment documentation
- Access review reports (quarterly)
- MFA enforcement policy

Type I vs Type II

Aspect Type I Type II
Scope Point in time Period of time (6-12 months)
Focus Design of controls Design AND operating effectiveness
Evidence Policies, configurations Logs, samples, testing
Use Case First audit, quick report Customer assurance, ongoing

NIST Cybersecurity Framework 2.0

Core Functions

┌────────────────────────────────────────────────────┐
│                      GOVERN                         │
│   Organizational context, strategy, oversight       │
├────────────┬────────────┬────────────┬─────────────┤
│  IDENTIFY  │  PROTECT   │   DETECT   │   RESPOND   │
│  Assets &  │ Safeguards │ Continuous │  Incident   │
│   Risks    │            │ Monitoring │  Response   │
├────────────┴────────────┴────────────┴─────────────┤
│                      RECOVER                        │
│             Resilience & Recovery                   │
└────────────────────────────────────────────────────┘

Function Breakdown

Function Category Key Activities
GOVERN Organizational Context Establish risk management strategy
Risk Management Strategy Define risk tolerance
Roles & Responsibilities Assign accountability
Policy Document policies
Oversight Board/executive involvement
IDENTIFY Asset Management Inventory systems and data
Risk Assessment Identify and assess risks
Improvement Continuous improvement
PROTECT Identity Management Access control, authentication
Awareness & Training Security training
Data Security Encryption, classification
Platform Security Secure configurations
Technology Infrastructure Secure architecture
DETECT Continuous Monitoring Security monitoring
Adverse Event Analysis Threat detection
RESPOND Incident Management Incident response
Incident Analysis Root cause analysis
Incident Response Containment, eradication
Incident Mitigation Limit impact
RECOVER Incident Recovery Restore operations
Improvements Post-incident learning

Implementation Tiers

Tier Name Description
1 Partial Ad hoc, reactive
2 Risk Informed Risk aware but informal
3 Repeatable Formal policies, consistent
4 Adaptive Continuous improvement, predictive

CIS Controls v8

Control Categories

Implementation Groups (IG):
IG1 - Essential Cyber Hygiene (56 safeguards)
IG2 - IG1 + Enhanced (130 safeguards)
IG3 - IG1 + IG2 + Advanced (153 safeguards)

18 Control Areas

# Control IG1 Key Safeguards
1 Inventory of Enterprise Assets Asset discovery, inventory
2 Inventory of Software Assets Software inventory
3 Data Protection Classification, encryption
4 Secure Configuration Hardening, baselines
5 Account Management Centralized auth, MFA
6 Access Control Management Least privilege, RBAC
7 Continuous Vulnerability Management Scanning, patching
8 Audit Log Management Centralized logging
9 Email and Web Browser Protections Filtering, sandboxing
10 Malware Defenses Anti-malware, EDR
11 Data Recovery Backups, testing
12 Network Infrastructure Management Segmentation, hardening
13 Network Monitoring and Defense IDS/IPS, NDR
14 Security Awareness and Skills Training Training program
15 Service Provider Management Vendor assessment
16 Application Software Security SSDLC, testing
17 Incident Response Management IR plan, testing
18 Penetration Testing Annual pen test

Priority Implementation

## CIS IG1 Priority Controls

### Start Here (Quick Wins)
1. **Control 1.1**: Maintain accurate asset inventory
2. **Control 4.1**: Establish secure configuration process
3. **Control 5.1**: Establish centralized account management
4. **Control 6.1**: Establish access granting process

### Next Priority
5. **Control 7.1**: Establish vulnerability management process
6. **Control 8.1**: Establish audit logging
7. **Control 11.1**: Establish data recovery practices
8. **Control 14.1**: Establish security awareness program

### Then
9. **Control 3.1**: Establish data management process
10. **Control 10.1**: Deploy anti-malware

Cross-Framework Mapping

Control Mapping Matrix

Capability ISO 27001 SOC 2 TSC NIST CSF 2.0 CIS v8
Access Control A.5.15, A.8.2-8.5 CC6.1-6.3 PR.AA 5, 6
Asset Management A.5.9-5.11 CC6.1 ID.AM 1, 2
Encryption A.8.24 CC6.1, CC6.7 PR.DS 3.6, 3.9
Logging A.8.15 CC7.2 DE.AE 8
Vulnerability Mgmt A.8.8 CC7.1 ID.RA 7
Incident Response A.5.24-5.28 CC7.4, CC7.5 RS 17
Change Management A.8.32 CC8.1 PR.IP 4.2
Secure Development A.8.25-8.31 CC8.1 PR.IP 16

.NET Control Implementation Examples

// Access Control implementation (multiple frameworks)
// ISO 27001 A.5.15 / SOC 2 CC6.1 / NIST PR.AA / CIS 5,6

public class AccessControlService
{
    private readonly IAuthorizationService _authService;
    private readonly IAuditLogger _auditLogger;

    public async Task<AuthorizationResult> Authorize(
        ClaimsPrincipal user,
        string resource,
        string action,
        CancellationToken ct)
    {
        // Log access attempt (CIS 8 / NIST DE.AE)
        var accessAttempt = new AccessAttempt
        {
            UserId = user.GetUserId(),
            Resource = resource,
            Action = action,
            Timestamp = DateTimeOffset.UtcNow
        };

        var result = await _authService.AuthorizeAsync(user, resource, action);

        accessAttempt.Success = result.Succeeded;
        accessAttempt.Reason = result.Failure?.FailureReasons
            .FirstOrDefault()?.Message;

        await _auditLogger.Log(accessAttempt, ct);

        return result;
    }
}

// Secure configuration (ISO A.8.9 / NIST PR.IP / CIS 4)
public class SecureConfigurationValidator
{
    public ValidationResult ValidateConfiguration(IConfiguration config)
    {
        var issues = new List<ConfigurationIssue>();

        // Check for secure defaults
        if (config["AllowHttp"] == "true")
        {
            issues.Add(new ConfigurationIssue
            {
                Setting = "AllowHttp",
                Issue = "HTTP should be disabled in production",
                Severity = Severity.High,
                Remediation = "Set AllowHttp=false"
            });
        }

        // Check TLS configuration
        var tlsVersion = config["MinTlsVersion"];
        if (tlsVersion != "1.2" && tlsVersion != "1.3")
        {
            issues.Add(new ConfigurationIssue
            {
                Setting = "MinTlsVersion",
                Issue = "TLS 1.2 or higher required",
                Severity = Severity.Critical,
                Remediation = "Set MinTlsVersion=1.2"
            });
        }

        return new ValidationResult { Issues = issues };
    }
}

Framework Selection Guide

Decision Tree

What is your primary driver?

├─ Customer requirement for audit report?
│   ├─ US customers → SOC 2
│   └─ International customers → ISO 27001
├─ Regulatory requirement?
│   ├─ US Federal → NIST CSF + FedRAMP
│   └─ Healthcare → HIPAA (use NIST CSF)
├─ Starting security program?
│   └─ CIS Controls IG1 (practical starting point)
└─ Enterprise-wide ISMS?
    └─ ISO 27001 (comprehensive management system)

Security Framework Checklist

Pre-Assessment

  • Identify applicable frameworks
  • Determine scope boundaries
  • Inventory systems in scope
  • Document current controls
  • Conduct gap analysis

Control Implementation

  • Prioritize gaps by risk
  • Create remediation roadmap
  • Implement missing controls
  • Document evidence
  • Test control effectiveness

Audit Preparation

  • Collect evidence artifacts
  • Prepare control narratives
  • Test samples (Type II)
  • Address known gaps
  • Brief stakeholders

Cross-References

  • Data Privacy: gdpr-compliance, hipaa-compliance for data protection
  • PCI: pci-dss-compliance for payment security
  • AI: ai-governance for AI-specific controls

Resources

Related skills

More from melodic-software/claude-code-plugins

Installs
16
Repository
melodic-softwar…-plugins
GitHub Stars
63
First Seen
Jan 24, 2026