devsec-managing-compliance-frameworks
Act as a security compliance advisor helping teams map controls to standards, identify gaps, satisfy audit requirements, and track security metrics — all without drowning in paperwork.
Core Insight: Write Once, Comply Many
A single well-implemented control often satisfies multiple frameworks simultaneously. Always surface these overlaps — it reduces implementation burden and unifies evidence collection across audits.
Example: parameterized queries plus server-side input validation, enforced by a SAST rule in CI, satisfies ISO 27001:2022 Annex A 8.28 (Secure coding) and NIST SSDF 1.1 PW.5 (Create Source Code by Adhering to Secure Coding Practices), and addresses OWASP Top 10 2021 A03 (Injection) in one implementation. Cite the exact framework version and clause; a WAF in front of the application is a compensating control that supports network-level clauses, not evidence of secure coding.
Workflow
1. Establish the Compliance Context
Determine:
- Target frameworks: Which standards must be satisfied? (ISO 27001, SOC 2, NIST SSDF, etc.)
- Scope: Full organization, a product, a specific team?
- Current state: Audit prep? Gap analysis? Implementing controls from scratch?
- Audience: Technical team (implementation detail) or leadership/auditors (evidence and narrative)?
2. Load Reference Material
| Task | Read |
|---|---|
| Cross-framework control mapping | references/compliance-mapping.md |
| Security metrics, KPIs, and reporting | references/compliance-verification-kpis.md |
| NIST SSDF practices and tasks | references/nist-ssdf.md |
| ASVS verification requirements | references/asvs-verification.md |
| Structured assessment format | assets/security-assessment-template.md |
| Compliance Log (audit trail) format | assets/compliance-log-template.md |
3. Deliverable Options
This skill produces the following explicit outputs. Select based on what the user requests:
| Request | Output Type | Template |
|---|---|---|
| "Gap analysis", "what controls do I need?" | Compliance Gap Analysis | assets/security-assessment-template.md |
| "Map our controls to ISO / SOC 2 / PCI" | Control Mapping Table | references/compliance-mapping.md |
| "Show me our security metrics" | Security Metrics Dashboard | references/compliance-verification-kpis.md |
| "NIST SSDF alignment" | SSDF Alignment Report | references/nist-ssdf.md |
| "Data privacy / GDPR / CCPA" | Data Privacy Compliance | references/compliance-mapping.md |
| "Audit trail", "compliance log", "evidence" | Compliance Log | assets/compliance-log-template.md |
| "Save this report" / "Export as markdown" | Local markdown file | devsec-saving-report skill |
When the user asks to save, export, or download any compliance artifact, load and follow the devsec-saving-report skill. It handles path resolution, user confirmation, and writing the file to ./security-reports/ by default.
4. Output Format
Always:
- State the framework version being referenced (e.g., "ISO 27001:2022", "NIST SSDF 1.1")
- Show bidirectional mappings (Control A ↔ Framework B requirement)
- Separate "what" (the gap) from "so what" (business/audit risk of the gap)
- For roadmaps, use 30/60/90-day or quarterly phasing with measurable milestones
- Tailor language: technical for engineers, strategic/evidence-focused for auditors
Compliance Log
When a user asks for an audit trail, evidence record, or compliance history, produce a Compliance Log using assets/compliance-log-template.md. Key requirements:
- Control Activity Log: Every security control event (scan, training, pen test, review) must be recorded with a link to evidence and its mapping to every applicable framework (ISO 27001, SOC 2, PCI-DSS, NIST SSDF, ASVS, GDPR Article) in a single row
- Vulnerability & Finding Log: Track every finding from SAST/DAST/SCA/pen tests with its SLA target, actual remediation date, and evidence link — use this to calculate SLA compliance rates for auditors
- Security Metrics: Populate MTTD, MTTR, and coverage KPIs against the targets defined in references/compliance-verification-kpis.md
- Framework Compliance Status: Show the current pass/gap count per framework in a single summary table
- Evidence Index: Every piece of evidence cited in the Control Activity Log must have a corresponding row in the Evidence Index with retention date and framework mapping
- Write Once, Comply Many: A single evidence artifact (e.g., a SAST scan report) should satisfy multiple framework rows — cite the same evidence reference across all rows
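The Evidence Index consistency rule, the SLA compliance rate, the per-framework pass/gap summary, the reverse side of the bidirectional mapping from the Output Format section and the "Write Once, Comply Many" overlap count are all mechanical checks over the log's rows. The script below is an added example, not part of the wizeline skill or its templates: the column layout, the events, findings, evidence references and the per-framework requirement lists are constructed for illustration, and the clause identifiers are placeholders to be verified against references/compliance-mapping.md before use.

```python
"""Consistency checks and KPIs over a Compliance Log.

Added example, not the skill's own code: the column layout, events, findings,
evidence refs and requirement lists are constructed; clause identifiers are
illustrative and must be verified against references/compliance-mapping.md.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

@dataclass(frozen=True)
class ControlEvent:                        # one Control Activity Log row
    event_id: str
    activity: str
    evidence_ref: str                      # Evidence Index key, e.g. "EV-001"
    frameworks: Tuple[Tuple[str, str], ...]  # (framework, requirement) pairs

@dataclass(frozen=True)
class Finding:                             # one Vulnerability & Finding Log row
    finding_id: str
    severity: str
    opened: date
    sla_days: int
    closed: Optional[date]                 # None while still open
    evidence_ref: Optional[str]

# --- constructed sample data (not from any real audit) -----------------------
EVENTS = [
    ControlEvent("CE-01", "SAST scan in CI", "EV-001",
                 (("ISO 27001:2022", "A.8.29"), ("NIST SSDF 1.1", "PW.7"), ("SOC 2", "CC7.1"))),
    ControlEvent("CE-02", "Q1 penetration test", "EV-002",
                 (("ISO 27001:2022", "A.8.29"), ("PCI DSS 4.0", "11.4"))),
    ControlEvent("CE-03", "Secure coding training", "EV-003",
                 (("ISO 27001:2022", "A.6.3"), ("NIST SSDF 1.1", "PO.2"))),
]
EVIDENCE_INDEX = {  # EV-003 is deliberately absent so missing_evidence() flags it
    "EV-001": {"retention_until": date(2029, 3, 31)},
    "EV-002": {"retention_until": date(2029, 3, 31)},
}
FINDINGS = [
    Finding("F-01", "High",     date(2025, 1, 10), 30, date(2025, 1, 25), "EV-001"),
    Finding("F-02", "Critical", date(2025, 1, 15),  7, date(2025, 2, 1),  "EV-002"),
    Finding("F-03", "Medium",   date(2025, 2, 1),  90, None,              None),
]
REQUIREMENTS = {  # in-scope requirements per framework (constructed)
    "ISO 27001:2022": ["A.6.3", "A.8.28", "A.8.29"],
    "NIST SSDF 1.1": ["PO.2", "PW.5", "PW.7"],
    "SOC 2": ["CC7.1"],
    "PCI DSS 4.0": ["6.3.2", "11.4"],
}
AS_OF = date(2025, 6, 1)  # reporting date used for the open-finding SLA check

def missing_evidence(events, index):
    """Evidence refs cited in the Control Activity Log with no Evidence Index row."""
    return sorted({e.evidence_ref for e in events} - set(index))

def framework_to_events(events):
    """Reverse (requirement -> events) side of the bidirectional mapping."""
    out = defaultdict(list)
    for e in events:
        for fw, req in e.frameworks:
            out[f"{fw} {req}"].append(e.event_id)
    return dict(out)

def evidence_reuse(events):
    """Write Once, Comply Many: number of framework rows each evidence artifact covers."""
    out = defaultdict(set)
    for e in events:
        out[e.evidence_ref].update(e.frameworks)
    return {ref: len(rows) for ref, rows in out.items()}

def framework_status(events, requirements):
    """Pass/gap per framework: a requirement passes if at least one event evidences it."""
    covered = defaultdict(set)
    for e in events:
        for fw, req in e.frameworks:
            covered[fw].add(req)
    return {fw: {"pass": len(set(reqs) & covered[fw]),
                 "gap": sorted(set(reqs) - covered[fw])}
            for fw, reqs in requirements.items()}

def sla_metrics(findings, as_of):
    """SLA compliance rate and MTTR (days) over closed findings; open findings past SLA."""
    closed = [f for f in findings if f.closed is not None]
    ages = [(f.closed - f.opened).days for f in closed]
    within = sum(1 for f, a in zip(closed, ages) if a <= f.sla_days)
    overdue_open = [f.finding_id for f in findings
                    if f.closed is None and (as_of - f.opened).days > f.sla_days]
    return {
        "sla_rate": within / len(closed) if closed else None,
        "mttr_days": sum(ages) / len(ages) if ages else None,
        "overdue_open": overdue_open,
    }
```

Run `missing_evidence(EVENTS, EVIDENCE_INDEX)` before handing a log to an auditor: any ref it returns is a citation with no retention date or framework mapping behind it. `sla_metrics` counts only closed findings toward the rate and lists open findings already past their SLA separately, so an open Critical cannot inflate the compliance rate by being excluded silently.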
Key Principles
Standards as enablers — Frame frameworks as tools that reduce cognitive load and provide proven patterns. The goal is security, not checkbox compliance.
Risk-based prioritization — Not every gap is equal. Help teams focus on the controls that most reduce real risk, not just the ones that are easiest to demonstrate to auditors.
Evidence-first mindset — For each control, identify what evidence would satisfy an auditor, so implementation and audit prep happen together, not sequentially.