compliance-report-builder
About
This Claude Skill helps developers generate compliance documentation for standards like SOX, GDPR, HIPAA, and SOC 2. It creates evidence-based reports with risk-oriented controls, audit trails, and regulatory mappings. Use it to automate and structure audit reports and compliance documentation within your development workflow.
Quick Install
Claude Code
Recommended: /plugin add https://github.com/majiayu000/claude-skill-registry
Manual install: git clone https://github.com/majiayu000/claude-skill-registry.git ~/.claude/skills/compliance-report-builder
Copy and paste the command into Claude Code to install this skill.
Documentation
Compliance Report Builder
Expert in regulatory compliance documentation and reporting.
Core principles
Evidence-Based Documentation
- Every control must be linked to specific artifacts
- Audit trail with timestamps and named owners
- Quantitative metrics for preventive and detective measures
Risk-Oriented Approach
- Prioritize high-risk areas
- Map controls to threat vectors
- Document residual risk
Regulatory Alignment
- Tie requirements to specific articles or clauses of the regulation
- Provide guidance for ambiguous standards
- Document compensating controls
Executive Summary Template
# Compliance Status Report
**Period:** Q4 2024
**Prepared:** 2024-12-10
**Classification:** Confidential
## Overall Status: 🟡 YELLOW
### Coverage Summary
| Framework | Controls | Compliant | Gaps | Coverage |
|-----------|----------|-----------|------|----------|
| SOC 2 | 85 | 79 | 6 | 93% |
| GDPR | 42 | 40 | 2 | 95% |
| ISO 27001 | 114 | 108 | 6 | 95% |
### Key Findings
| Priority | Count | Trend |
|----------|-------|-------|
| Critical | 0 | ⬇️ |
| High | 3 | ➡️ |
| Medium | 8 | ⬆️ |
| Low | 12 | ➡️ |
### Action Items
1. [CRITICAL] None
2. [HIGH] Complete MFA rollout by Jan 15
3. [HIGH] Update data retention policy
4. [HIGH] Implement logging for System X
Control Assessment Framework
```yaml
Control:
  ID: AC-001
  Title: Access Control Policy
  Framework: SOC 2, ISO 27001
  Category: Security
  Implementation:
    Status: Implemented
    Owner: Security Team
    Last Review: 2024-12-01
  Testing:
    Method: Inspection + Inquiry
    Frequency: Quarterly
    Last Test: 2024-11-15
    Result: Effective
  Evidence:
    - Policy document v2.3
    - Access review logs
    - Training completion records
  Gaps:
    - None identified
  Recommendations:
    - Automate quarterly access reviews
```
SOC 2 Trust Services
## Security (Common Criteria)
### CC1: Control Environment
| Control | Description | Status | Evidence |
|---------|-------------|--------|----------|
| CC1.1 | Integrity and ethical values | ✅ | Policy docs |
| CC1.2 | Board oversight | ✅ | Board minutes |
| CC1.3 | Organizational structure | ✅ | Org chart |
| CC1.4 | HR practices (competence) | ✅ | HR policies |
### CC2: Communication and Information
| Control | Description | Status | Evidence |
|---------|-------------|--------|----------|
| CC2.1 | Information quality | ✅ | Data governance |
| CC2.2 | Internal communication | ✅ | Slack, email logs |
| CC2.3 | External communication | ✅ | Customer portal |
### CC3: Risk Assessment
| Control | Description | Status | Evidence |
|---------|-------------|--------|----------|
| CC3.1 | Risk identification | ✅ | Risk register |
| CC3.2 | Risk analysis | ✅ | Risk assessment |
| CC3.3 | Fraud risk | ✅ | Fraud controls |
| CC3.4 | Changes affecting internal control | ⚠️ | Partial automation |
GDPR Checklist
Article 30 - Records of Processing:
  - [ ] Processing purposes documented
  - [ ] Data categories listed
  - [ ] Recipient categories identified
  - [ ] Transfer safeguards documented
  - [ ] Retention periods defined
  - [ ] Security measures described
Article 13/14 - Privacy Notices:
  - [ ] Controller identity stated
  - [ ] DPO contact provided (where a DPO has been designated)
  - [ ] Purposes explained
  - [ ] Legal basis identified
  - [ ] Rights information included
  - [ ] Complaint procedure described
Article 17 - Right to Erasure:
  - [ ] Process documented
  - [ ] Timeframes defined (one month under Art. 12(3), extendable by two further months for complex requests)
  - [ ] Exceptions listed
  - [ ] Verification procedure
  - [ ] Third-party notification
Article 33 - Breach Notification:
  - [ ] Detection procedures
  - [ ] Assessment criteria
  - [ ] 72-hour notification process (to the supervisory authority, counted from becoming aware of the breach)
  - [ ] DPA contact established
  - [ ] Subject notification criteria (Art. 34: breach likely to result in a high risk to individuals)
Risk Assessment Matrix
```javascript
const riskMatrix = {
  likelihood: {
    rare: 1,       // < 5%
    unlikely: 2,   // 5-25%
    possible: 3,   // 25-50%
    likely: 4,     // 50-75%
    certain: 5     // > 75%
  },
  impact: {
    negligible: 1, // < $10k
    minor: 2,      // $10k-$100k
    moderate: 3,   // $100k-$1M
    major: 4,      // $1M-$10M
    severe: 5      // > $10M
  },
  // Score is the product of the two 1-5 scales (max 25)
  calculateRisk(likelihood, impact) {
    const score = likelihood * impact;
    if (score >= 15) return 'Critical';
    if (score >= 10) return 'High';
    if (score >= 5) return 'Medium';
    return 'Low';
  }
};
```
Finding Classification
```yaml
Critical:
  Response: 24-48 hours
  Escalation: Executive + Board
  Examples:
    - Active data breach
    - Regulatory violation with penalties
    - System-wide security failure
High:
  Response: 1-2 weeks
  Escalation: Senior Management
  Examples:
    - Missing critical controls
    - Significant gaps in coverage
    - Failed audit controls
Medium:
  Response: 30-60 days
  Escalation: Department Head
  Examples:
    - Incomplete documentation
    - Process inefficiencies
    - Minor policy violations
Low:
  Response: 90 days
  Escalation: Control Owner
  Examples:
    - Optimization opportunities
    - Documentation updates
    - Training gaps
```
Gap Analysis Template
## Gap Analysis: [Control Area]
### Current State
[Description of current implementation]
### Required State
[Regulatory requirement or best practice]
### Gap Description
[Specific gaps identified]
### Risk Assessment
- Likelihood: [1-5]
- Impact: [1-5]
- Risk Score: [calculated]
- Risk Level: [Critical/High/Medium/Low]
### Remediation Plan
| Action | Owner | Due Date | Status |
|--------|-------|----------|--------|
| Action 1 | Name | Date | In Progress |
| Action 2 | Name | Date | Pending |
### Success Metrics
- [ ] Metric 1
- [ ] Metric 2
Audit Sampling
```python
import math


def calculate_sample_size(population: int, confidence: float = 0.95,
                          margin_error: float = 0.05) -> int:
    """
    Calculate statistical sample size for audit testing.

    Args:
        population: Total population size
        confidence: Confidence level (default 95%)
        margin_error: Acceptable margin of error (default 5%)

    Returns:
        Required sample size
    """
    # Z-score for confidence level (unknown values fall back to 95%)
    z_scores = {0.90: 1.645, 0.95: 1.96, 0.99: 2.576}
    z = z_scores.get(confidence, 1.96)
    # Assume 50% response distribution, which gives the largest (most conservative) sample
    p = 0.5
    # Cochran's sample size formula for an infinite population
    n = (z**2 * p * (1 - p)) / (margin_error**2)
    # Finite population correction
    if population < 10000:
        n = n / (1 + (n - 1) / population)
    return math.ceil(n)


# Example usage
# population=1000, 95% confidence, 5% margin
# Result: ~278 samples needed
```
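The function above sizes a sample for estimating a proportion within a margin of error, which is why it asks for 278 of 1,000 items. Control testing is usually planned as attribute sampling instead: choose n so that, if deviations in the population were at the tolerable rate, a sample with no more than the expected number of deviations would be unlikely at the chosen confidence, then evaluate the sample by its upper deviation limit rather than by a point estimate. The following is an added example, not the skill's code; the ticket IDs, the seed and the deviation counts are constructed inputs.

```python
"""Added example: attribute sampling and evaluation for control tests.

Constructed illustration, not the skill's own code. Population IDs and the seed
are made-up; the tolerable rate and confidence are the inputs an auditor sets.
"""
import math
import random


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly with math.comb."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(tolerable_rate: float, confidence: float = 0.95,
                          expected_deviations: int = 0) -> int:
    """Smallest n such that, if the true deviation rate were tolerable_rate,
    seeing at most expected_deviations in the sample has probability <= 1 - confidence."""
    alpha = 1 - confidence
    if expected_deviations == 0:
        # Closed form: (1 - p)^n <= alpha
        return math.ceil(math.log(alpha) / math.log(1 - tolerable_rate))
    n = expected_deviations + 1
    while binom_cdf(expected_deviations, n, tolerable_rate) > alpha:
        n += 1
    return n


def upper_deviation_limit(n: int, deviations: int, confidence: float = 0.95) -> float:
    """Largest population deviation rate still consistent with the observed sample,
    found by bisection on the binomial CDF (the CDF decreases as p grows)."""
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > alpha:
            lo = mid  # this rate is still plausible, the limit lies higher
        else:
            hi = mid
    return hi


def control_supported(n: int, deviations: int, tolerable_rate: float,
                      confidence: float = 0.95) -> bool:
    """The control is operating effectively if the upper deviation limit is within tolerance."""
    return upper_deviation_limit(n, deviations, confidence) <= tolerable_rate


def select_sample(population_ids, n: int, seed: int):
    """Reproducible random selection; record the seed in the workpapers so the
    sample can be regenerated during review."""
    return sorted(random.Random(seed).sample(list(population_ids), n))


if __name__ == "__main__":
    tolerable = 0.05
    n = attribute_sample_size(tolerable)  # 59 items at 95% confidence, 0 expected deviations
    # Constructed population: 1,000 change tickets for a quarterly change-control test.
    tickets = [f"CHG-{i:04d}" for i in range(1, 1001)]
    sample = select_sample(tickets, n, seed=20241210)
    print(f"test {n} of {len(tickets)} tickets, first five: {sample[:5]}")
    for found in (0, 1, 2):
        limit = upper_deviation_limit(n, found)
        verdict = "effective" if control_supported(n, found, tolerable) else "NOT effective"
        print(f"{found} deviation(s): upper limit {limit:.1%} -> control {verdict}")
```

With a 5% tolerable rate and 95% confidence the plan needs 59 items, far fewer than 278; a single deviation in those 59 pushes the upper limit to roughly 7.8%, so the control cannot be reported as effective without extending the sample or treating the deviation as a finding.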
Continuous Monitoring
```yaml
Real-time Dashboards:
  - Control effectiveness scores
  - Compliance coverage %
  - Open findings count
  - Risk heat map
Automated Alerts:
  Critical:
    - Failed security controls
    - Unauthorized access attempts
    - Data breach indicators
  Warning:
    - Controls approaching expiry
    - Overdue remediations
    - Anomaly detection triggers
Reporting Cadence:
  Daily: Critical events
  Weekly: Status summary
  Monthly: Detailed report
  Quarterly: Executive review
  Annually: Full assessment
```
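The risk matrix, the finding classification and the alert rules above can be wired into one small control register. The following is an added example, not code from the skill: it scores findings with the page's thresholds, turns each level into a due date using the upper bound of its response window, builds the per-framework coverage table from the executive summary, and emits the critical and warning alerts from the monitoring section. The control IDs, frameworks, test dates and findings are constructed sample data; SLA_DAYS and FREQUENCY_DAYS are assumptions derived from the page's response windows and test frequencies.

```python
"""Added example: control register with coverage summary and alert generation.

Constructed illustration, not the skill's own code. All control and finding
records are made-up sample data; SLA_DAYS and FREQUENCY_DAYS are assumptions
taken from the page's response windows and test frequencies.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Upper bound of each response window from the finding classification, in days.
SLA_DAYS = {"Critical": 2, "High": 14, "Medium": 60, "Low": 90}
# Maximum days allowed between tests for each testing frequency (assumed values).
FREQUENCY_DAYS = {"Monthly": 31, "Quarterly": 92, "Annually": 366}
# Report date used by the page's templates.
AS_OF = date(2024, 12, 10)


def risk_level(likelihood: int, impact: int) -> str:
    """Same thresholds as the page's riskMatrix.calculateRisk (both inputs on 1-5 scales)."""
    score = likelihood * impact
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class Control:
    id: str
    frameworks: tuple
    frequency: str        # "Monthly" | "Quarterly" | "Annually"
    last_test: date
    result: str           # "Effective" | "Ineffective" | "Not tested"
    evidence: tuple = ()  # artifact references; empty means no evidence on file

    def compliant(self) -> bool:
        # Evidence-based: an "Effective" result with no artifacts does not count.
        return self.result == "Effective" and bool(self.evidence)


@dataclass
class Finding:
    id: str
    control_id: str
    likelihood: int
    impact: int
    identified: date
    closed: bool = False

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)

    @property
    def due(self) -> date:
        return self.identified + timedelta(days=SLA_DAYS[self.level])


def coverage_by_framework(controls):
    """Return {framework: (controls, compliant, gaps, coverage_pct)} as in the summary table."""
    summary = {}
    for fw in sorted({f for c in controls for f in c.frameworks}):
        scoped = [c for c in controls if fw in c.frameworks]
        ok = sum(c.compliant() for c in scoped)
        summary[fw] = (len(scoped), ok, len(scoped) - ok, round(100 * ok / len(scoped)))
    return summary


def alerts(controls, findings, as_of):
    """Critical: failed or evidence-less controls. Warning: overdue tests and remediations."""
    critical, warning = [], []
    for c in controls:
        if not c.compliant():
            critical.append(f"{c.id}: control failed or has no evidence")
        elif (as_of - c.last_test).days > FREQUENCY_DAYS[c.frequency]:
            warning.append(f"{c.id}: {c.frequency.lower()} test overdue (last {c.last_test})")
    for f in findings:
        if not f.closed and as_of > f.due:
            warning.append(f"{f.id} ({f.level}): remediation overdue, was due {f.due}")
    return critical, warning


# Constructed sample data (not real controls or findings).
CONTROLS = [
    Control("AC-001", ("SOC 2", "ISO 27001"), "Quarterly", date(2024, 11, 15), "Effective",
            ("Policy document v2.3", "Access review logs")),
    Control("AC-002", ("SOC 2",), "Quarterly", date(2024, 6, 1), "Effective",
            ("MFA enrollment export",)),               # effective, but the test is stale
    Control("LG-001", ("SOC 2", "ISO 27001"), "Monthly", date(2024, 12, 1), "Ineffective",
            ("Log retention config",)),                # failed test -> critical alert
    Control("DP-001", ("GDPR",), "Annually", date(2024, 3, 1), "Effective"),  # no evidence
]
FINDINGS = [
    Finding("FND-2024-042", "LG-001", likelihood=4, impact=3, identified=date(2024, 11, 1)),
    Finding("FND-2024-043", "AC-002", likelihood=2, impact=2, identified=date(2024, 12, 1)),
]

if __name__ == "__main__":
    for fw, (total, ok, gaps, pct) in coverage_by_framework(CONTROLS).items():
        print(f"{fw}: {ok}/{total} compliant, {gaps} gaps, {pct}% coverage")
    crit, warn = alerts(CONTROLS, FINDINGS, AS_OF)
    print("CRITICAL:", *crit, sep="\n  ")
    print("WARNING:", *warn, sep="\n  ")
```

Note that DP-001 drops GDPR coverage to 0% even though its test result reads "Effective": the register treats a control with no artifact on file as a gap, which is the evidence-first principle enforced in code rather than by reviewer discipline.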
Report Templates
Finding Report
# Finding Report
**ID:** FND-2024-042
**Date:** 2024-12-10
**Severity:** High
## Summary
[One-sentence description]
## Background
[Context and relevant history]
## Finding Details
[Technical details of the issue]
## Impact Assessment
- Business Impact: [description]
- Regulatory Impact: [description]
- Reputational Impact: [description]
## Root Cause
[Why this happened]
## Recommendation
[Specific remediation steps]
## Management Response
[Owner's response and commitment]
## Timeline
| Milestone | Date | Status |
|-----------|------|--------|
| Finding identified | 2024-12-10 | Complete |
| Remediation plan | 2024-12-15 | Pending |
| Implementation | 2025-01-15 | Pending |
| Verification | 2025-01-30 | Pending |
Best practices
- Evidence first: every control must have supporting evidence
- Risk-based prioritization: focus on high-risk areas
- Continuous monitoring: do not wait for the annual audit
- Clear ownership: every control has a named owner
- Regular testing: verify operating effectiveness, not only design
- Documentation discipline: versioning and an audit trail
