
// the find

Sushegaad/Claude-Skills-Governance-Risk-and-Compliance

★ 639 · HTML · MIT · updated Jun 2026

Claude Skills for Governance, Risk, & Compliance (GRC): Expert-level compliance guidance for ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, NIST CSF, PCI DSS, EU AI Act, ISO 42001, ISO 27701, DORA, CSRD, India's DPDPA, CMMC 2.0, NIST AI Risk, SWIFT, Australia's ISM, EU NIS2, and CCPA/CPRA. Benchmark 97% (with skills) vs 81% (without skills).

A collection of 30 installable Claude Skills (.skill files) covering GRC frameworks — ISO 27001, SOC 2, GDPR, HIPAA, FedRAMP, PCI DSS, and two dozen more. Each skill bundles a SKILL.md instruction file that loads into Claude's context to produce framework-specific, citation-grounded output. The target audience is compliance professionals, security engineers, and defense contractors who need audit-ready documents without paying consultant rates for every question.

The benchmark methodology is transparent — 150 test cases, 5 per framework, graded against 5 assertions each, with all eval inputs and outputs committed to the repo for inspection rather than just claiming a number. Coverage depth is real: the DORA skill distinguishes Chapter II from Chapter III (a common conflation point), the CMMC skill handles SPRS score calculation and the specific 7 critical practices that block conditional certification, and the DPDPA skill correctly separates India's two lawful bases from GDPR's six. The progressive disclosure design — loading reference files on demand rather than dumping everything into context — is a sensible engineering choice that keeps token usage down while making depth available when needed.

The .skill file format is entirely proprietary to Claude's skill system, so this only works if you're paying for Claude Pro or higher and the skill upload feature stays available — there's no fallback for other LLMs or API usage. The benchmark grades Claude-against-Claude (independent agents grading skill responses), which means the 96% vs 81% delta measures in-context instruction following, not accuracy against actual regulatory requirements — a hallucinated but confidently structured GDPR article citation would likely score well. The disclaimer buries the most important limitation: this is not legal advice, and compliance teams who treat AI-generated control narratives as audit-ready without expert review are setting themselves up for a finding.

