A

compliance-os

by alirezarezvani

compliance-os is a multi-framework compliance orchestration skill for Compliance Review. Use it to assess framework applicability, map control overlap, prioritize reusable evidence, and simulate mock internal audits with JSON templates and Python helper scripts.

Stars22.1k
Favorites0
Comments0
AddedJul 11, 2026
CategoryCompliance Review
Install Command
npx skills add alirezarezvani/claude-skills --skill compliance-os
Curation Score

This skill scores 82/100, which makes it a solid listing candidate for directory users who need multi-framework compliance orchestration. The repository provides enough concrete workflow substance, scripts, templates, and reference material for an agent to do more than a generic prompt, especially around selecting applicable frameworks, reusing evidence, and simulating audits. Users should still expect to validate framework coverage and installation details before relying on it operationally.

82/100
Strengths
  • Strong triggerability: the frontmatter clearly states when to use it and frames the skill around four concrete decisions—framework selection, overlap mapping, audit simulation, and evidence consolidation.
  • Operational leverage is backed by real artifacts: four Python tools, JSON templates, a mock audit scenario library, and references for audit simulation, evidence reuse, and cross-framework overlap.
  • Good install-decision value for multi-framework compliance teams because it explicitly positions itself as an orchestration layer rather than a replacement for per-framework skills.
Cautions
  • No install command is present in SKILL.md, so directory users may need to infer installation from the broader repository conventions.
  • Some support material is uneven: the main description claims 12 supported frameworks, while the control library template and cross-framework overlap reference emphasize 9 frameworks, which may create adoption ambiguity.
Overview

Overview of compliance-os skill

What compliance-os does

compliance-os is a multi-framework compliance orchestration skill for deciding what applies, where controls overlap, how evidence can be reused, and what a mock internal audit might find. Instead of treating ISO 27001, SOC 2, GDPR, EU AI Act, HIPAA, NIST CSF, NIS2, FDA QSR, and medical-device standards as separate workstreams, the skill helps an AI agent reason across them as one compliance program.

Best fit for multi-framework compliance teams

The compliance-os skill is most useful when a company is moving from “one audit at a time” to a combined compliance operating model. Good fits include SaaS vendors adding SOC 2 on top of ISO 27001, AI companies assessing ISO 42001 and EU AI Act exposure, health or medical-device teams comparing HIPAA, FDA QSR, ISO 13485, ISO 14971, and EU MDR obligations, and compliance leads preparing for certification stage 1.

It is less useful if you need legal advice, a final regulatory determination, or a deep implementation plan for one framework only. The repository itself positions compliance-os as an orchestrator, not a replacement for per-framework skills.

What makes the skill different

The main differentiator is that compliance-os includes structured assets and deterministic helper scripts, not only prompt guidance. Key files include:

  • assets/company_profile_template.json for applicability screening
  • assets/control_library_template.json for enabled framework selection
  • assets/mock_audit_library.json with scenario-based audit findings
  • scripts/framework_selector.py
  • scripts/cross_framework_mapper.py
  • scripts/audit_simulator.py
  • scripts/evidence_pool_generator.py

This makes the skill stronger for repeatable Compliance Review workflows than a generic prompt asking, “Which frameworks apply to us?”

Main adoption considerations

Before installing, check whether your target frameworks are covered and whether your organization can provide a useful company profile. The quality of the output depends heavily on inputs such as industry, geography, AI usage, medical-device status, personal-data processing, healthcare status, government contracting, and enterprise-sales requirements.

How to Use compliance-os skill

compliance-os install and first files to read

Install the skill in a compatible Claude skills environment with:

npx skills add alirezarezvani/claude-skills --skill compliance-os

Then inspect the source path:

compliance-os/skills/compliance-os

Read these first:

  1. SKILL.md for the intended orchestration flow
  2. assets/company_profile_template.json for required company facts
  3. references/compliance_os_pattern.md for when to orchestrate versus split frameworks
  4. references/cross_framework_overlap.md for overlap assumptions
  5. references/evidence_artifact_reuse_index.md for evidence reuse priorities
  6. references/audit_simulation_methodology.md before using mock audit outputs

Inputs the skill needs

For useful compliance-os usage, provide a structured profile instead of a vague company description. Include:

  • industry and product category
  • countries or regions served
  • whether products include AI
  • whether AI is high-risk under EU criteria
  • whether products are medical devices
  • whether the company processes personal data, EU personal data, or PHI
  • whether it sells to enterprise B2B, US customers, EU customers, or government buyers
  • company stage and approximate headcount
  • known frameworks already adopted or required by customers

A weak prompt says: “Tell me what compliance frameworks we need.”

A stronger prompt says: “Use compliance-os to evaluate a Series B B2B SaaS company with 140 employees, EU and US customers, enterprise procurement pressure, AI features used for automated decision support, EU personal data processing, no PHI, no medical-device claims, and current ISO 27001 certification. Identify applicable frameworks, likely overlaps, and first evidence priorities.”

Suggested compliance-os guide workflow

A practical workflow is:

  1. Configure: use the company profile to identify likely applicable frameworks.
  2. Constrain: remove frameworks that are irrelevant or only aspirational.
  3. Map overlap: compare enabled frameworks with cross_framework_mapper.py and the overlap reference.
  4. Prioritize evidence: use evidence_pool_generator.py and the evidence reuse index to find high-leverage artifacts.
  5. Simulate audit: use audit_simulator.py after the scope is clear, not before.
  6. Translate findings: convert mock findings into owners, due dates, evidence requests, and corrective actions.

Prompt pattern for Compliance Review

For compliance-os for Compliance Review, ask for decisions and outputs separately:

“Use the compliance-os skill. First, classify which supported frameworks are applicable, likely applicable, or not applicable. Second, explain the assumptions behind each classification. Third, map the highest-overlap control families across the applicable frameworks. Fourth, produce a unified evidence checklist ranked by reuse leverage. Do not provide legal advice; flag uncertain items for counsel or a certified auditor.”

This framing reduces overreach and makes the output easier to review.

compliance-os skill FAQ

No. compliance-os is a planning and orchestration skill. It can help organize framework applicability, audit preparation, evidence reuse, and internal review, but it does not replace legal counsel, an accredited certification body, a qualified auditor, or framework-specific implementation work.

How is it better than an ordinary prompt?

An ordinary prompt may produce a broad checklist. The compliance-os skill has an explicit meta-framework pattern, reusable JSON templates, reference documents, and scripts for framework selection, overlap mapping, audit simulation, and evidence pooling. That structure helps an agent stay consistent across repeated compliance reviews.

Can beginners use the compliance-os skill?

Yes, but beginners should start with the company profile template and avoid asking for a full compliance program in one request. The best first task is framework applicability: “Given this profile, which supported frameworks should we consider and why?” After that, move into evidence reuse and mock audit planning.

When should I not use compliance-os?

Do not use it when you only need a narrow answer about one regulation, when the company profile is unknown, when you need jurisdiction-specific legal interpretation, or when you want final audit assurance. Also avoid using the mock audit scenarios as proof of compliance; they are preparation aids, not evidence.

How to Improve compliance-os skill

Improve compliance-os inputs before asking for outputs

The fastest way to improve compliance-os results is to replace assumptions with facts. Add customer commitments, contractual security requirements, geographic sales data, product claims, data categories, subprocessor exposure, and existing certifications. If a detail is unknown, mark it as unknown rather than letting the model infer it.

Watch for common failure modes

Common issues include over-selecting frameworks, treating regulations and voluntary standards as equivalent, assuming evidence reuse means full control equivalence, and producing audit findings without a defined scope. Ask the agent to separate “required,” “customer-driven,” “strategic,” and “not currently applicable” frameworks.

Iterate after the first output

After the first run, challenge the result:

  • “Which framework recommendations are most assumption-sensitive?”
  • “Which evidence items satisfy the most frameworks?”
  • “Which controls do not reuse well?”
  • “What should be reviewed by counsel?”
  • “What would change if we launch in the EU?”

This turns compliance-os from a static checklist generator into a decision-support workflow.

Add organization-specific review criteria

For stronger outputs, provide your own scoring criteria: audit deadline, budget, evidence maturity, tool ownership, executive tolerance for risk, and whether the goal is certification, customer sales enablement, regulatory readiness, or internal governance. The compliance-os skill performs best when it can optimize for a real compliance decision, not an abstract list.

Ratings & Reviews

No ratings yet
Share your review
Sign in to leave a rating and comment for this skill.
G
0/10000
Latest reviews
Saving...