By dexcopeland
ISO 27001 Plugin - Annex A controls, ISMS implementation guidance, and certification support
Deep dive analysis of ISO 27001 Annex A control domains with implementation guidance
Assess compliance with ISO 27001 requirements
Generate ISO 27001 certification roadmap from readiness through surveillance audits
Perform ISO 27001 gap analysis
Generate complete ISO 27001 ISMS documentation pack including mandatory and supporting documents
Own this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimOwn this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimBased on adoption, maintenance, documentation, and repository signals. Not a security audit or endorsement.
The official open-source GRC toolkit from the GRC Engineering Club — turning checkbox compliance into engineered systems. It ships as a Claude Code plugin marketplace: persona plugins for engineers, auditors, internal GRC teams, and TPRM; 20+ framework reference plugins from SOC 2 to FedRAMP to APRA; and thin cloud/SaaS connectors that emit a common Finding contract. Assessors, platform engineers, and GRC teams everywhere end up re-inventing the same pipeline — pull evidence, crosswalk to a framework, generate a gap report, wrestle OSCAL. The Club maintains one toolkit that does the whole pipeline end-to-end without locking anyone into a vendor platform.
/grc-engineer:gap-assessment SOC2,FedRAMP-High --sources=aws,github
A prioritized, effort-estimated, remediation-linked gap report backed by 1,468 Secure Controls Framework controls crosswalked to 249 frameworks.
Not affiliated with Anthropic. Community open-source project. Claude, Anthropic, and any related marks are property of their respective owners.
A few opinionated choices worth naming up front, since they're most of what makes this different from a Vanta or Drata clone.
SCF is the right crosswalk source. Most GRC tools roll their own control-mapping tables. They're usually incomplete, and nobody maintains them past the quarter they were built in. SCF has 1,468 controls mapped bidirectionally to 249 frameworks, publishes quarterly, and ships as a static JSON API. The toolkit uses it as the backbone. No hand-maintained CSVs.
Connectors should be thin. Platform vendors bundle giant agents that do everything. That's a lock-in pattern, not an engineering pattern. Every connector here is a few hundred lines that shells out to tools teams already have (aws, gcloud, gh, direct Okta API). Any connector can be ripped out and replaced without touching the rest of the toolkit.
Framework plugins don't reproduce standard text. ISO 27001, PCI DSS, and HITRUST CSF text is copyrighted. Plenty of GRC tools publish that text inside their product and hope nobody notices. This toolkit references control IDs and ships implementation guidance in paraphrased form. Each team's licensed copy of the standard is the source of truth.
Vanta, Drata, OneTrust, and Archer are good at what they do. They're also expensive, slow to extend, and assume a dedicated compliance team. This toolkit is for teams that want the engineering layer without the platform lock-in, and for 3PAOs and assessors who want to cross-check what a platform is reporting.
# In Claude Code
/plugin marketplace add GRCEngClub/claude-grc-engineering
/plugin install grc-engineer@grc-engineering-suite
For a first run with no cloud credentials, use a GitHub account as the data source:
/plugin install github-inspector@grc-engineering-suite
/plugin install soc2@grc-engineering-suite
/github-inspector:setup
/github-inspector:collect --scope=@me
/grc-engineer:gap-assessment SOC2 --sources=github-inspector
Full walkthrough: docs/QUICKSTART.md.
| Workflow | Command |
|---|---|
| Gap-assess an environment against one or many frameworks at once | /grc-engineer:gap-assessment |
| Scan Terraform, CloudFormation, or Kubernetes for compliance violations, optionally auto-fix | /grc-engineer:scan-iac |
| Validate a control end-to-end: config, functionality, compliance | /grc-engineer:test-control |
| Generate remediation (Terraform modules, Python evidence scripts, Rego/Cedar policies) | /grc-engineer:generate-implementation, generate-policy |
| See one control across every framework it maps to | /grc-engineer:map-controls-unified |
| Find conflicting requirements across frameworks, with "most-restrictive wins" resolution | /grc-engineer:find-conflicts |
| Optimize multi-framework implementation (satisfy many with one) | /grc-engineer:optimize-multi-framework |
| Continuous monitoring with Slack, PagerDuty, or email alerts | /grc-engineer:monitor-continuous |
| Check pipeline health: which connectors are configured, last-run, cache freshness | /grc-engineer:pipeline-status |
| Review a PR for compliance regressions before merge | /grc-engineer:review-pr |
| Build audit workpapers and evidence packages | /grc-auditor:generate-workpaper, /grc-engineer:collect-evidence |
| Generate OSCAL SSP, SAP, SAR, or POA&M from findings and framework configs | /oscal:* (see OSCAL plugin) |
| Analyze a vendor security questionnaire (SIG, CAIQ, Yardstick) | /grc-tprm:analyze-questionnaire |
| Discover which of the 249 SCF-mapped frameworks have dedicated plugins | /grc-engineer:frameworks |
| Scaffold a new framework plugin from the SCF crosswalk | /grc-engineer:scaffold-framework |
GRC Internal Plugin - Policy management, risk registers, and compliance tracking for internal GRC teams
PCI DSS v4.0.1 Plugin - Payment Card Industry compliance with ROC guidance, SAQ selection, and March 2025 mandatory requirements
HITRUST CSF Plugin - Healthcare Information Trust Alliance Common Security Framework with i1/r2 assessments and 156 controls
NIST 800-53 Plugin - Control families, baseline selection (Low/Moderate/High), and FedRAMP alignment
Ralph-loop mechanism specialized for GRC iteration patterns: gap-remediation burndown and quarterly evidence sweeps. Each loop drives /grc-engineer:* commands until a completion criterion fires.
npx claudepluginhub dexcopeland/claude-grc-engineering --plugin iso27001Ultra-compressed communication mode. Cuts 65% of output tokens (measured) while keeping full technical accuracy by speaking like a caveman.
Comprehensive UI/UX design plugin for mobile (iOS, Android, React Native) and web applications with design systems, accessibility, and modern patterns
Standalone image generation plugin using Nano Banana MCP server. Generates and edits images, icons, diagrams, patterns, and visual assets via Gemini image models. No Gemini CLI dependency required.
Multi-model consensus engine integrating OpenAI Codex CLI, Gemini CLI, and Claude CLI for collaborative code review and problem-solving.
Unified capability management center for Skills, Agents, and Commands.
Write feature specs, plan roadmaps, and synthesize user research faster. Keep stakeholders updated and stay ahead of the competitive landscape.