compliance-os
by alirezarezvanicompliance-os is a multi-framework compliance orchestration skill for Compliance Review. Use it to assess framework applicability, map control overlap, prioritize reusable evidence, and simulate mock internal audits with JSON templates and Python helper scripts.
This skill scores 82/100, which makes it a solid listing candidate for directory users who need multi-framework compliance orchestration. The repository provides enough concrete workflow substance, scripts, templates, and reference material for an agent to do more than a generic prompt, especially around selecting applicable frameworks, reusing evidence, and simulating audits. Users should still expect to validate framework coverage and installation details before relying on it operationally.
- Strong triggerability: the frontmatter clearly states when to use it and frames the skill around four concrete decisions—framework selection, overlap mapping, audit simulation, and evidence consolidation.
- Operational leverage is backed by real artifacts: four Python tools, JSON templates, a mock audit scenario library, and references for audit simulation, evidence reuse, and cross-framework overlap.
- Good install-decision value for multi-framework compliance teams because it explicitly positions itself as an orchestration layer rather than a replacement for per-framework skills.
- No install command is present in SKILL.md, so directory users may need to infer installation from the broader repository conventions.
- Some support material is uneven: the main description claims 12 supported frameworks, while the control library template and cross-framework overlap reference emphasize 9 frameworks, which may create adoption ambiguity.
Overview of compliance-os skill
What compliance-os does
compliance-os is a multi-framework compliance orchestration skill for deciding what applies, where controls overlap, how evidence can be reused, and what a mock internal audit might find. Instead of treating ISO 27001, SOC 2, GDPR, EU AI Act, HIPAA, NIST CSF, NIS2, FDA QSR, and medical-device standards as separate workstreams, the skill helps an AI agent reason across them as one compliance program.
Best fit for multi-framework compliance teams
The compliance-os skill is most useful when a company is moving from “one audit at a time” to a combined compliance operating model. Good fits include SaaS vendors adding SOC 2 on top of ISO 27001, AI companies assessing ISO 42001 and EU AI Act exposure, health or medical-device teams comparing HIPAA, FDA QSR, ISO 13485, ISO 14971, and EU MDR obligations, and compliance leads preparing for certification stage 1.
It is less useful if you need legal advice, a final regulatory determination, or a deep implementation plan for one framework only. The repository itself positions compliance-os as an orchestrator, not a replacement for per-framework skills.
What makes the skill different
The main differentiator is that compliance-os includes structured assets and deterministic helper scripts, not only prompt guidance. Key files include:
assets/company_profile_template.jsonfor applicability screeningassets/control_library_template.jsonfor enabled framework selectionassets/mock_audit_library.jsonwith scenario-based audit findingsscripts/framework_selector.pyscripts/cross_framework_mapper.pyscripts/audit_simulator.pyscripts/evidence_pool_generator.py
This makes the skill stronger for repeatable Compliance Review workflows than a generic prompt asking, “Which frameworks apply to us?”
Main adoption considerations
Before installing, check whether your target frameworks are covered and whether your organization can provide a useful company profile. The quality of the output depends heavily on inputs such as industry, geography, AI usage, medical-device status, personal-data processing, healthcare status, government contracting, and enterprise-sales requirements.
How to Use compliance-os skill
compliance-os install and first files to read
Install the skill in a compatible Claude skills environment with:
npx skills add alirezarezvani/claude-skills --skill compliance-os
Then inspect the source path:
compliance-os/skills/compliance-os
Read these first:
SKILL.mdfor the intended orchestration flowassets/company_profile_template.jsonfor required company factsreferences/compliance_os_pattern.mdfor when to orchestrate versus split frameworksreferences/cross_framework_overlap.mdfor overlap assumptionsreferences/evidence_artifact_reuse_index.mdfor evidence reuse prioritiesreferences/audit_simulation_methodology.mdbefore using mock audit outputs
Inputs the skill needs
For useful compliance-os usage, provide a structured profile instead of a vague company description. Include:
- industry and product category
- countries or regions served
- whether products include AI
- whether AI is high-risk under EU criteria
- whether products are medical devices
- whether the company processes personal data, EU personal data, or PHI
- whether it sells to enterprise B2B, US customers, EU customers, or government buyers
- company stage and approximate headcount
- known frameworks already adopted or required by customers
A weak prompt says: “Tell me what compliance frameworks we need.”
A stronger prompt says: “Use compliance-os to evaluate a Series B B2B SaaS company with 140 employees, EU and US customers, enterprise procurement pressure, AI features used for automated decision support, EU personal data processing, no PHI, no medical-device claims, and current ISO 27001 certification. Identify applicable frameworks, likely overlaps, and first evidence priorities.”
Suggested compliance-os guide workflow
A practical workflow is:
- Configure: use the company profile to identify likely applicable frameworks.
- Constrain: remove frameworks that are irrelevant or only aspirational.
- Map overlap: compare enabled frameworks with
cross_framework_mapper.pyand the overlap reference. - Prioritize evidence: use
evidence_pool_generator.pyand the evidence reuse index to find high-leverage artifacts. - Simulate audit: use
audit_simulator.pyafter the scope is clear, not before. - Translate findings: convert mock findings into owners, due dates, evidence requests, and corrective actions.
Prompt pattern for Compliance Review
For compliance-os for Compliance Review, ask for decisions and outputs separately:
“Use the compliance-os skill. First, classify which supported frameworks are applicable, likely applicable, or not applicable. Second, explain the assumptions behind each classification. Third, map the highest-overlap control families across the applicable frameworks. Fourth, produce a unified evidence checklist ranked by reuse leverage. Do not provide legal advice; flag uncertain items for counsel or a certified auditor.”
This framing reduces overreach and makes the output easier to review.
compliance-os skill FAQ
Is compliance-os a legal or certification tool?
No. compliance-os is a planning and orchestration skill. It can help organize framework applicability, audit preparation, evidence reuse, and internal review, but it does not replace legal counsel, an accredited certification body, a qualified auditor, or framework-specific implementation work.
How is it better than an ordinary prompt?
An ordinary prompt may produce a broad checklist. The compliance-os skill has an explicit meta-framework pattern, reusable JSON templates, reference documents, and scripts for framework selection, overlap mapping, audit simulation, and evidence pooling. That structure helps an agent stay consistent across repeated compliance reviews.
Can beginners use the compliance-os skill?
Yes, but beginners should start with the company profile template and avoid asking for a full compliance program in one request. The best first task is framework applicability: “Given this profile, which supported frameworks should we consider and why?” After that, move into evidence reuse and mock audit planning.
When should I not use compliance-os?
Do not use it when you only need a narrow answer about one regulation, when the company profile is unknown, when you need jurisdiction-specific legal interpretation, or when you want final audit assurance. Also avoid using the mock audit scenarios as proof of compliance; they are preparation aids, not evidence.
How to Improve compliance-os skill
Improve compliance-os inputs before asking for outputs
The fastest way to improve compliance-os results is to replace assumptions with facts. Add customer commitments, contractual security requirements, geographic sales data, product claims, data categories, subprocessor exposure, and existing certifications. If a detail is unknown, mark it as unknown rather than letting the model infer it.
Watch for common failure modes
Common issues include over-selecting frameworks, treating regulations and voluntary standards as equivalent, assuming evidence reuse means full control equivalence, and producing audit findings without a defined scope. Ask the agent to separate “required,” “customer-driven,” “strategic,” and “not currently applicable” frameworks.
Iterate after the first output
After the first run, challenge the result:
- “Which framework recommendations are most assumption-sensitive?”
- “Which evidence items satisfy the most frameworks?”
- “Which controls do not reuse well?”
- “What should be reviewed by counsel?”
- “What would change if we launch in the EU?”
This turns compliance-os from a static checklist generator into a decision-support workflow.
Add organization-specific review criteria
For stronger outputs, provide your own scoring criteria: audit deadline, budget, evidence maturity, tool ownership, executive tolerance for risk, and whether the goal is certification, customer sales enablement, regulatory readiness, or internal governance. The compliance-os skill performs best when it can optimize for a real compliance decision, not an abstract list.
