nickcrew/compliance-audit
skills/compliance-audit/SKILL.md
Regulatory compliance auditing across GDPR, HIPAA, PCI DSS, SOC 2, and ISO frameworks with automated evidence collection and gap analysis. Use when conducting compliance assessments, preparing for certifications, or implementing regulatory controls.
$ install --global
skillsauthnpx skillsauth add nickcrew/claude-cortex compliance-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 7, 2026, 8:29 PM6.2s4 files scanned
SKILL.md
- name:
- compliance-audit
- description:
- >-
- version:
- 1.0.0
- tags:
- [compliance, audit, regulatory, security, privacy]
- skills:
- [secure-coding-practices, owasp-top-10]
- tools:
- [Read, Write, Bash, Grep, Glob]
- token_estimate:
- ~3000
Compliance Audit
Systematic regulatory compliance auditing with automated evidence collection, control mapping, gap analysis, and remediation planning across major compliance frameworks.
When to Use This Skill
- Conducting compliance assessments for GDPR, HIPAA, PCI DSS, SOC 2, or ISO 27001
- Preparing for external audits or certifications
- Building or validating compliance control frameworks
- Automating evidence collection and audit trail maintenance
- Performing gap analysis against regulatory requirements
- Creating remediation plans for compliance deficiencies
- Evaluating third-party vendor compliance posture
Quick Reference
| Resource | Purpose | Load when |
|----------|---------|-----------|
| references/frameworks.md | Key requirements, control mappings, and certification paths for GDPR, HIPAA, PCI DSS, SOC 2, ISO 27001 | Scoping which regulations apply |
| references/evidence-collection.md | Automated evidence gathering, artifact organization, retention policies, audit trail patterns | Setting up or running evidence collection |
| references/gap-analysis.md | Control mapping methodology, gap identification, risk scoring, remediation planning | Analyzing compliance gaps |
Workflow Overview
Phase 1: Scope → Identify applicable regulations, data types, and geographical scope
Phase 2: Assess → Map controls, review policies, analyze data flows, test implementations
Phase 3: Evidence → Collect and organize audit artifacts automatically
Phase 4: Gap Analyze → Identify control gaps, score risks, prioritize findings
Phase 5: Remediate → Create remediation plans, assign owners, set timelines
Phase 6: Report → Generate audit-ready documentation and compliance dashboards
Phase 7: Monitor → Establish continuous compliance monitoring and drift detection
Phase 1: Scope the Audit
Determine the regulatory landscape before testing anything.
Key questions:
- What data types does the system process (PII, PHI, cardholder data)?
- What jurisdictions apply (EU, US states, industry-specific)?
- What existing controls and certifications are in place?
- What is the audit history and any prior findings?
Applicability matrix:
| Framework | Applies when | |-----------|-------------| | GDPR | Processing personal data of EU residents | | HIPAA | Handling protected health information (PHI) | | PCI DSS | Storing, processing, or transmitting cardholder data | | SOC 2 | Providing services where trust principles matter | | ISO 27001 | Organization wants certified ISMS | | CCPA/CPRA | Collecting California consumer personal information | | NIST CSF | Federal systems or voluntary cybersecurity framework adoption |
Phase 2: Assess Current State
Control Inventory
Map existing controls against the applicable framework requirements:
- Enumerate all technical controls (encryption, access control, logging)
- Enumerate all administrative controls (policies, training, procedures)
- Enumerate all physical controls (facility access, media handling)
- Map each control to specific framework requirements
- Test control effectiveness through sampling and verification
Data Flow Analysis
- Map data ingress, processing, storage, and egress points
- Identify data classification for each flow
- Document lawful basis for processing (GDPR)
- Verify data minimization and purpose limitation
- Review cross-border transfer mechanisms
Policy Review
- Assess policy coverage against framework requirements
- Verify policy distribution and acknowledgment
- Check policy version control and update cadence
- Validate exception management processes
Phase 3: Evidence Collection
Load references/evidence-collection.md for detailed patterns.
Automation priorities:
- Configuration exports from cloud providers and infrastructure
- Access control lists and permission matrices
- Log retention and monitoring dashboards
- Vulnerability scan results and patch status
- Training completion records
- Incident response test results
Artifact organization:
evidence/
{framework}/
{control-id}/
artifact-{date}.{ext}
metadata.yaml # source, collection method, timestamp
Phase 4: Gap Analysis
Load references/gap-analysis.md for the full methodology.
For each framework requirement:
- Map to existing controls (full, partial, or none)
- Assess implementation effectiveness
- Score the gap by risk impact and likelihood
- Categorize as documentation, process, technology, or training gap
- Prioritize based on risk score and remediation effort
Phase 5: Remediation Planning
For each identified gap:
| Field | Content | |-------|---------| | Gap ID | Unique identifier | | Framework Requirement | Specific clause or control | | Current State | What exists today | | Target State | What compliance requires | | Remediation Action | Specific steps to close the gap | | Owner | Responsible person/team | | Priority | P0-P4 based on risk score | | Timeline | Target completion date | | Dependencies | Other gaps or actions this depends on |
Phase 6: Reporting
Generate audit-ready documentation:
- Executive summary: Compliance posture, key risks, readiness score
- Technical findings: Detailed control assessment results
- Risk matrix: Heat map of gaps by severity and likelihood
- Remediation roadmap: Prioritized timeline with owners
- Evidence package: Organized artifacts indexed to controls
- Compliance attestation: Framework-specific certification readiness
Phase 7: Continuous Monitoring
Establish ongoing compliance posture management:
- Configure automated scanning for drift detection
- Set alert thresholds for control degradation
- Schedule periodic re-assessment cadence
- Track remediation progress against timelines
- Maintain metric dashboards (control coverage, evidence freshness, audit readiness)
Core Principles
- Evidence over assertion — every compliance claim must be backed by verifiable artifacts
- Automate first — manual evidence collection does not scale and introduces errors
- Risk-based prioritization — address the highest-risk gaps first
- Continuous posture — compliance is a state, not a one-time event
- Defense in depth — layer controls so single-point failures do not cause non-compliance
Anti-Patterns
- Treating compliance as a checkbox exercise without testing control effectiveness
- Collecting evidence manually when automation is available
- Ignoring gaps because "we've always done it this way"
- Waiting until audit season to gather evidence
- Conflating compliance with security (compliance is a subset)
- Skipping third-party/vendor compliance assessments
Related Skills
nickcrew/product-strategy
development
VerifiedTrustedCommunity
Product vision, roadmap development, and go-to-market execution with structured prioritization frameworks. Use when evaluating features, planning product direction, or assessing market fit.
15SKILL.mdUpdated Apr 7, 2026
nickcrew/agent-loops
development
VerifiedTrustedCommunity
Complete operational workflow for implementer agents (Codex, Gemini, etc.) making code changes and writing tests. Drives all work through atomic commits — each loop operates on the smallest complete, reviewable change. Defines the Code Change Loop, Test Writing Loop, Lint Gate, and Issue Filing process with circuit breakers, severity levels, and escalation rules. Requires `cortex git commit` for all commits. Includes bundled provider-aware review scripts that keep same-model shell-outs as the last resort, plus a fresh-context Codex fallback for code review and test audit. Use this skill when starting any implementation task.
15SKILL.mdUpdated Apr 7, 2026
nickcrew/product-manager
development
VerifiedTrustedCommunity
Use this skill when writing product requirements documents, prioritizing features, creating user stories, defining acceptance criteria, or setting product metrics. Trigger phrases: 'write a PRD for', 'prioritize this feature backlog', 'write user stories for', 'help me define acceptance criteria', 'what metrics should we track for'. Not for writing code, designing UI mockups, or conducting user research interviews.
13SKILL.mdUpdated Apr 7, 2026
nickcrew/playwright-cli
tools
VerifiedTrustedCommunity
Automates browser interactions for web testing, form filling, screenshots, and data extraction. Use when the user needs to navigate websites, interact with web pages, fill forms, take screenshots, test web applications, or extract information from web pages.
13SKILL.mdUpdated Apr 7, 2026