
Ciso Advisor
Choose which compliance framework to pursue first and sequence SOC 2, HIPAA, GDPR, or ISO 27001 for a B2B SaaS roadmap.
Overview
CISO-advisor is an agent skill most often used in the Ship phase (security shelf), and also in Validate (scope) and Operate (iterate). It recommends which compliance frameworks to prioritize and how to sequence SOC 2, HIPAA, GDPR, and ISO 27001.
Install
npx skills add https://github.com/alirezarezvani/claude-skills --skill ciso-advisor
What is this skill?
- Customer-driven decision tree: enterprise US → SOC 2, healthcare → HIPAA, EU data → GDPR
- Explains SOC 2 Type I snapshot vs Type II operating-effectiveness attestation
- Maps optional Trust Service Criteria (Availability, Confidentiality, Processing Integrity)
- Sequences Type I as faster proof of intent before the 12-month Type II credibility path
- Frames multi-framework efficiency for Series B+ blended customer bases
- SOC 2 Type I commonly cited as 3–6 months to demonstrate suitably designed controls
- SOC 2 Type II requires controls operating effectively over a period (minimum 6 months cited)
- Type II positioned as the ~12-month enterprise credibility signal in the roadmap
Adoption & trust: 536 installs on skills.sh; 17.5k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are selling to regulated or enterprise buyers but lack a clear order of operations for SOC 2, GDPR, HIPAA, and related attestations.
Who is it for?
Indie B2B SaaS founders negotiating security questionnaires who need a CISO-style sequencing memo before hiring consultants.
Skip if you expect it to replace legal counsel, penetration tests, or hands-on control implementation when you have no security owner.
When should I use this skill?
Planning compliance order, SOC 2/HIPAA/GDPR/ISO scope, or answering which framework first for your customer segment.
What do I get? / Deliverables
You get a framework-first roadmap and Trust Service Criteria guidance you can turn into a control backlog and audit timeline.
- Framework prioritization and sequencing recommendation
- SOC 2 Trust Service Criteria selection notes
- Audit-timeline talking points for sales and engineering backlog
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Enterprise-ready security attestation is the canonical ship-phase gate before serious B2B launch. The skill is a compliance decision reference—not implementation code—so it shelves under security planning during ship.
Where it fits
- Decide whether pursuing SOC 2 Type I is required to close a pilot with a US enterprise buyer.
- Pick optional SOC 2 criteria (Availability, Confidentiality) before the first audit window.
- Align public trust center language with the attestation level you can honestly claim.
- Re-sequence frameworks when EU revenue triggers GDPR alongside existing SOC 2 work.
How it compares
Strategic compliance roadmap reference—not a vulnerability scanner or secrets-audit skill.
Common Questions / FAQ
Who is ciso-advisor for?
Solo builders and small teams shipping SaaS or APIs to enterprise, healthcare, or EU customers who must prioritize attestations without a full-time CISO.
When should I use ciso-advisor?
In validate when scoping enterprise pilots, in ship when planning SOC 2 or GDPR work, and in operate when revisiting framework coverage after customer mix changes.
Is ciso-advisor safe to install?
It is advisory reference content; review the Security Audits panel on this Prism page and treat outputs as planning input validated with auditors and counsel.
SKILL.md - Ciso Advisor
# Compliance Roadmap Reference

## Decision Framework: Which Framework First?

**Start here — who are your customers?**

```
Enterprise SaaS (B2B, US market)   → SOC 2 Type II first
Healthcare / health data           → HIPAA + SOC 2 together
EU customers or EU-resident data   → GDPR (non-optional if applicable)
EU enterprise sales                → ISO 27001 + GDPR
Government / defense               → FedRAMP / CMMC (separate scope)
All of the above (Series B+)       → Multi-framework efficiency approach
```

**The sequencing principle:** SOC 2 Type I is the fastest proof of intent (3–6 months). Type II is the credibility signal (12 months). Everything else builds on your control library.

---

## 1. SOC 2

### What It Is

SOC 2 is an attestation (not a certification) that your controls meet the AICPA Trust Service Criteria. An independent CPA firm audits your controls and issues a report.

- **Type I:** Controls are suitably designed at a point in time (snapshot). Lower credibility but faster.
- **Type II:** Controls operated effectively over a period of time (minimum 6 months). This is what enterprise buyers want.

### Trust Service Criteria (TSC)

You must include **Security** (CC). Others are optional:

| Criteria | When to add |
|---|---|
| Security (CC) | Always required |
| Availability | If uptime SLAs are contractual |
| Confidentiality | If you process confidential third-party data |
| Processing Integrity | If accuracy of processing is critical (fintech, data processing) |
| Privacy | If you make privacy commitments beyond GDPR/CCPA scope |

Most startups: **Security + Availability** is sufficient.

### Timeline: SOC 2 Type I

| Phase | Duration | Activities |
|---|---|---|
| Readiness assessment | 2–4 weeks | Gap analysis against CC criteria, identify control owners |
| Policy documentation | 4–6 weeks | Write ~15–20 policies (acceptable use, access control, change management, etc.) |
| Control implementation | 4–8 weeks | Deploy technical controls, fix gaps identified in readiness |
| Evidence collection | 2–4 weeks | Screenshots, logs, configs — auditor will sample these |
| Audit fieldwork | 2–4 weeks | CPA firm reviews evidence, interviews control owners |
| Report issuance | 2–4 weeks | Report issued, reviewed, shared with customers |
| **Total** | **3–6 months** | — |

### Timeline: SOC 2 Type II (after Type I)

| Phase | Duration | Notes |
|---|---|---|
| Observation period | 6–12 months | Controls must operate consistently — no exceptions |
| Audit fieldwork | 4–6 weeks | Auditor samples evidence across full period |
| Report issuance | 2–4 weeks | — |
| **Total from Type I** | **9–18 months** | Faster if Type I was clean |

### Cost Estimates

| Item | SOC 2 Type I | SOC 2 Type II |
|---|---|---|
| Audit firm fees | $15,000–$35,000 | $25,000–$60,000 |
| Compliance platform (Vanta, Drata, Secureframe) | $12,000–$30,000/yr | Same platform |
| External counsel / vCISO | $10,000–$30,000 | $5,000–$15,000 maintenance |
| Internal time (eng + ops) | 200–400 hours | 100–200 hours/yr |
| **Total first year** | **$40,000–$100,000** | **+$30,000–$75,000** |

**Cost optimization tips:**

- Use a compliance platform (Vanta, Drata, Secureframe) — automated evidence collection halves audit cost
- Choose a mid-tier audit firm; Big 4 is overkill for startups
- Type I and Type II with same auditor = continuity discount

### Common Failure Modes

1. Controls documented but not operating (access reviews on paper only)
2. Exceptions during observation period (one admin account without MFA = finding)
3. No formal security awareness training (required for CC criteria)
4. Change management not followed (no ticket for that production change)
5. Vendor risk management missing (you must assess your critical vendors)

---

## 2. ISO 27001

### What It Is

ISO 27001 is an internationally recognized certification for an Information Security Management System (ISMS). Unlike SOC 2, it's a certification (pass/fail), not an attestation repor