From compliance-planning
Maps security controls across frameworks like ISO 27001, SOC 2, NIST CSF, CIS Controls, NIST 800-53, COBIT. Generates matrices, gap analyses, unified sets, evidence maps, and implementation roadmaps for compliance.
```bash
npx claudepluginhub melodic-software/claude-code-plugins --plugin compliance-planning
```

This skill is limited to using the following tools:
Create a cross-framework control mapping for unified compliance.
Maps controls and provides guidance for aligning development with ISO 27001, SOC 2, NIST CSF 2.0, and CIS Controls. Use for audit prep, SSDLC, and framework comparisons.
Provides senior GRC analyst expertise across 15 frameworks including NIST 800-53, FedRAMP, FISMA, CMMC, SOC 2, ISO 27001. Supports control lookups, cross-mapping, document review, audit prep, compliance workflows.
Guides implementing defense-in-depth security architectures, compliance with SOC2/ISO27001/GDPR/HIPAA, threat modeling, risk assessments, incident response, and SDLC security embedding.
Load the skill:
- security-frameworks - Framework requirements and mappings

Parse the requested frameworks from: $ARGUMENTS
Supported frameworks:
Spawn the security-auditor agent with the following prompt:
Create a comprehensive control mapping across these frameworks: $ARGUMENTS
For each control area, provide:
1. Control Mapping Matrix
- Map equivalent controls across frameworks
- Identify gaps where frameworks differ
- Note framework-specific requirements
2. Unified Control Set
- Create consolidated control list
- One control satisfying multiple frameworks
- Highlight additional requirements per framework
3. Evidence Mapping
- Common evidence types
- Framework-specific evidence needs
- Evidence collection strategy
4. Implementation Guidance
- Priority order for implementation
- Effort estimation per control
- Dependencies between controls
5. Gap Analysis
- Controls in one framework but not others
- Varying requirements across frameworks
- Reconciliation approach
Provide mappings for these control domains:
- Access Control
- Asset Management
- Cryptography/Data Protection
- Operations Security
- Logging and Monitoring
- Incident Response
- Business Continuity
- Vendor Management
- Security Awareness
- Change Management
Usage:

```bash
# Map ISO 27001 to SOC 2
/compliance-planning:map-frameworks "ISO 27001, SOC 2"
# Map multiple frameworks
/compliance-planning:map-frameworks "ISO 27001, SOC 2, NIST CSF, CIS Controls"
# Focus on specific area
/compliance-planning:map-frameworks "ISO 27001, SOC 2" --scope "Access Control"
```

Ensure the report includes:
# Security Framework Mapping
## Frameworks Included
- [Framework 1]
- [Framework 2]
- [Framework 3]
---
## Executive Summary
| Framework | Total Controls | Mapped | Unique | Coverage |
|-----------|----------------|--------|--------|----------|
| [Framework] | [N] | [N] | [N] | [%] |
### Key Insights
- [Insight 1]
- [Insight 2]
---
## Control Mapping Matrix
### Access Control
| Control | ISO 27001 | SOC 2 | NIST CSF | CIS v8 |
|---------|-----------|-------|----------|--------|
| User Access Management | A.5.15 | CC6.1 | PR.AA-01 | 5.1 |
| Privileged Access | A.8.2 | CC6.1 | PR.AA-05 | 5.4 |
| Multi-Factor Auth | A.8.5 | CC6.1 | PR.AA-03 | 6.3 |
### Data Protection
| Control | ISO 27001 | SOC 2 | NIST CSF | CIS v8 |
|---------|-----------|-------|----------|--------|
| Encryption at Rest | A.8.24 | CC6.1 | PR.DS-01 | 3.6 |
| Encryption in Transit | A.8.24 | CC6.7 | PR.DS-02 | 3.10 |
[Continue for all domains]
---
## Unified Control Set
### UC-001: User Access Management
**Satisfies:**
- ISO 27001: A.5.15, A.5.16
- SOC 2: CC6.1, CC6.2
- NIST CSF: PR.AA-01, PR.AA-02
- CIS v8: 5.1, 5.2
**Requirements:**
| Framework | Specific Requirement |
|-----------|---------------------|
| ISO 27001 | [Requirement] |
| SOC 2 | [Requirement] |
| NIST CSF | [Requirement] |
| CIS v8 | [Requirement] |
**Evidence Required:**
- Access management policy
- Access request/approval records
- Periodic access reviews
- Termination procedures
[Continue for all unified controls]
---
## Gap Analysis
### Framework-Specific Requirements
| Control Area | Framework | Unique Requirement |
|--------------|-----------|-------------------|
| [Area] | [Framework] | [Requirement] |
### Reconciliation
| Gap | Impact | Recommendation |
|-----|--------|----------------|
---
## Implementation Roadmap
### Phase 1: Foundation (Common Controls)
| Control | Frameworks Covered | Effort | Priority |
|---------|-------------------|--------|----------|
### Phase 2: Framework-Specific
| Control | Framework | Effort | Priority |
|---------|-----------|--------|----------|
---
## Evidence Collection Strategy
| Evidence Type | Controls Covered | Collection Method | Frequency |
|---------------|------------------|-------------------|-----------|
| Access logs | UC-001, UC-005 | SIEM export | Continuous |
| Policy docs | UC-001, UC-010 | Document repository | Annual review |
---
## Audit Efficiency Gains
### Shared Evidence
- [Evidence type] satisfies [N] frameworks
- Estimated time savings: [X]%
### Consolidated Testing
- [Testing approach] covers [frameworks]
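As an added example (not code from the plugin), the Python below derives the Executive Summary coverage numbers and the "controls in one framework but not others" rows of the Gap Analysis from a unified control set laid out like the template above. The sample entries are constructed: UC-001 to UC-003 reuse the control IDs shown in the matrix, and UC-004 is a made-up single-framework entry.

```python
# Added example (not the plugin's code): turn a unified control set in the
# report's shape (UC-xxx -> framework -> native control IDs) into the
# Executive Summary coverage table and the Gap Analysis rows.
from collections import defaultdict

# Constructed sample. UC-001..UC-003 reuse IDs from the template's matrix;
# UC-004 is a made-up single-framework entry to exercise the gap path.
UNIFIED_CONTROLS = {
    "UC-001": {"ISO 27001": {"A.5.15", "A.5.16"}, "SOC 2": {"CC6.1", "CC6.2"},
               "NIST CSF": {"PR.AA-01", "PR.AA-02"}, "CIS v8": {"5.1", "5.2"}},
    "UC-002": {"ISO 27001": {"A.8.2"}, "SOC 2": {"CC6.1"},
               "NIST CSF": {"PR.AA-05"}, "CIS v8": {"5.4"}},
    "UC-003": {"ISO 27001": {"A.8.24"}, "SOC 2": {"CC6.1", "CC6.7"},
               "NIST CSF": {"PR.DS-01", "PR.DS-02"}, "CIS v8": {"3.6", "3.10"}},
    "UC-004": {"CIS v8": {"7.1"}},  # constructed: only one framework requires it
}

def framework_controls(unified):
    """Framework -> every native control ID referenced in the unified set."""
    out = defaultdict(set)
    for mapping in unified.values():
        for fw, ids in mapping.items():
            out[fw] |= ids
    return dict(out)

def coverage_summary(unified):
    """Per framework: Total, Mapped (ID sits in a UC shared with another
    framework), Unique (= Total - Mapped) and Coverage = Mapped/Total in %."""
    totals = framework_controls(unified)
    mapped = defaultdict(set)
    for mapping in unified.values():
        if len(mapping) > 1:  # a UC satisfying two or more frameworks
            for fw, ids in mapping.items():
                mapped[fw] |= ids
    rows = {}
    for fw, ids in totals.items():
        m = len(ids & mapped[fw])
        rows[fw] = {"total": len(ids), "mapped": m, "unique": len(ids) - m,
                    "coverage": round(100 * m / len(ids)) if ids else 0}
    return rows

def gap_analysis(unified):
    """Gap Analysis input: UCs only one framework requires, keyed by framework."""
    gaps = defaultdict(list)
    for uc, mapping in unified.items():
        if len(mapping) == 1:
            (fw, ids), = mapping.items()
            gaps[fw].append((uc, sorted(ids)))
    return dict(gaps)
```

With the sample set, CIS v8 ends up with 6 native controls, 5 mapped and 1 unique (83% coverage), and UC-004 surfaces as the only framework-specific gap.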