← Back to Skills Marketplace
alirezarezvani

Information Security Manager Iso27001

by Alireza Rezvani · GitHub ↗ · v2.1.1 · MIT-0
cross-platform ✓ Security Clean
2164
Downloads
3
Stars
13
Active Installs
2
Versions
Install in OpenClaw
/install information-security-manager-iso27001
Description
ISO 27001 ISMS implementation and cybersecurity governance for HealthTech and MedTech companies. Use for ISMS design, security risk assessment, control imple...
README (SKILL.md)

Information Security Manager - ISO 27001

Implement and manage Information Security Management Systems (ISMS) aligned with ISO 27001:2022 and healthcare regulatory requirements.

Table of Contents

Trigger Phrases

Use this skill when you hear:

  • "implement ISO 27001"
  • "ISMS implementation"
  • "security risk assessment"
  • "information security policy"
  • "ISO 27001 certification"
  • "security controls implementation"
  • "incident response plan"
  • "healthcare data security"
  • "medical device cybersecurity"
  • "security compliance audit"

Quick Start

Run Security Risk Assessment

python scripts/risk_assessment.py --scope "patient-data-system" --output risk_register.json

Check Compliance Status

python scripts/compliance_checker.py --standard iso27001 --controls-file controls.csv

Generate Gap Analysis Report

python scripts/compliance_checker.py --standard iso27001 --gap-analysis --output gaps.md

Tools

risk_assessment.py

Automated security risk assessment following ISO 27001 Clause 6.1.2 methodology.

Usage:

# Full risk assessment
python scripts/risk_assessment.py --scope "cloud-infrastructure" --output risks.json

# Healthcare-specific assessment
python scripts/risk_assessment.py --scope "ehr-system" --template healthcare --output risks.json

# Quick asset-based assessment
python scripts/risk_assessment.py --assets assets.csv --output risks.json

Parameters:

Parameter Required Description
--scope Yes System or area to assess
--template No Assessment template: general, healthcare, cloud
--assets No CSV file with asset inventory
--output No Output file (default: stdout)
--format No Output format: json, csv, markdown

Output:

  • Asset inventory with classification
  • Threat and vulnerability mapping
  • Risk scores (likelihood × impact)
  • Treatment recommendations
  • Residual risk calculations

compliance_checker.py

Verify ISO 27001/27002 control implementation status.

Usage:

# Check all ISO 27001 controls
python scripts/compliance_checker.py --standard iso27001

# Gap analysis with recommendations
python scripts/compliance_checker.py --standard iso27001 --gap-analysis

# Check specific control domains
python scripts/compliance_checker.py --standard iso27001 --domains "access-control,cryptography"

# Export compliance report
python scripts/compliance_checker.py --standard iso27001 --output compliance_report.md

Parameters:

Parameter Required Description
--standard Yes Standard to check: iso27001, iso27002, hipaa
--controls-file No CSV with current control status
--gap-analysis No Include remediation recommendations
--domains No Specific control domains to check
--output No Output file path

Output:

  • Control implementation status
  • Compliance percentage by domain
  • Gap analysis with priorities
  • Remediation recommendations

Workflows

Workflow 1: ISMS Implementation

Step 1: Define Scope and Context

Document organizational context and ISMS boundaries:

  • Identify interested parties and requirements
  • Define ISMS scope and boundaries
  • Document internal/external issues

Validation: Scope statement reviewed and approved by management.

Step 2: Conduct Risk Assessment

python scripts/risk_assessment.py --scope "full-organization" --template general --output initial_risks.json
  • Identify information assets
  • Assess threats and vulnerabilities
  • Calculate risk levels
  • Determine risk treatment options

Validation: Risk register contains all critical assets with assigned owners.

Step 3: Select and Implement Controls

Map risks to ISO 27002 controls:

python scripts/compliance_checker.py --standard iso27002 --gap-analysis --output control_gaps.md

Control categories:

  • Organizational (policies, roles, responsibilities)
  • People (screening, awareness, training)
  • Physical (perimeters, equipment, media)
  • Technological (access, crypto, network, application)

Validation: Statement of Applicability (SoA) documents all controls with justification.

Step 4: Establish Monitoring

Define security metrics:

  • Incident count and severity trends
  • Control effectiveness scores
  • Training completion rates
  • Audit findings closure rate

Validation: Dashboard shows real-time compliance status.

Workflow 2: Security Risk Assessment

Step 1: Asset Identification

Create asset inventory:

Asset Type Examples Classification
Information Patient records, source code Confidential
Software EHR system, APIs Critical
Hardware Servers, medical devices High
Services Cloud hosting, backup High
People Admin accounts, developers Varies

Validation: All assets have assigned owners and classifications.

Step 2: Threat Analysis

Identify threats per asset category:

Asset Threats Likelihood
Patient data Unauthorized access, breach High
Medical devices Malware, tampering Medium
Cloud services Misconfiguration, outage Medium
Credentials Phishing, brute force High

Validation: Threat model covers top-10 industry threats.

Step 3: Vulnerability Assessment

python scripts/risk_assessment.py --scope "network-infrastructure" --output vuln_risks.json

Document vulnerabilities:

  • Technical (unpatched systems, weak configs)
  • Process (missing procedures, gaps)
  • People (lack of training, insider risk)

Validation: Vulnerability scan results mapped to risk register.

Step 4: Risk Evaluation and Treatment

Calculate risk: Risk = Likelihood × Impact

Risk Level Score Treatment
Critical 20-25 Immediate action required
High 15-19 Treatment plan within 30 days
Medium 10-14 Treatment plan within 90 days
Low 5-9 Accept or monitor
Minimal 1-4 Accept

Validation: All high/critical risks have approved treatment plans.

Workflow 3: Incident Response

Step 1: Detection and Reporting

Incident categories:

  • Security breach (unauthorized access)
  • Malware infection
  • Data leakage
  • System compromise
  • Policy violation

Validation: Incident logged within 15 minutes of detection.

Step 2: Triage and Classification

Severity Criteria Response Time
Critical Data breach, system down Immediate
High Active threat, significant risk 1 hour
Medium Contained threat, limited impact 4 hours
Low Minor violation, no impact 24 hours

Validation: Severity assigned and escalation triggered if needed.

Step 3: Containment and Eradication

Immediate actions:

  1. Isolate affected systems
  2. Preserve evidence
  3. Block threat vectors
  4. Remove malicious artifacts

Validation: Containment confirmed, no ongoing compromise.

Step 4: Recovery and Lessons Learned

Post-incident activities:

  1. Restore systems from clean backups
  2. Verify integrity before reconnection
  3. Document timeline and actions
  4. Conduct post-incident review
  5. Update controls and procedures

Validation: Post-incident report completed within 5 business days.

Reference Guides

When to Use Each Reference

references/iso27001-controls.md

  • Control selection for SoA
  • Implementation guidance
  • Evidence requirements
  • Audit preparation

references/risk-assessment-guide.md

  • Risk methodology selection
  • Asset classification criteria
  • Threat modeling approaches
  • Risk calculation methods

references/incident-response.md

  • Response procedures
  • Escalation matrices
  • Communication templates
  • Recovery checklists

Validation Checkpoints

ISMS Implementation Validation

Phase Checkpoint Evidence Required
Scope Scope approved Signed scope document
Risk Register complete Risk register with owners
Controls SoA approved Statement of Applicability
Operation Metrics active Dashboard screenshots
Audit Internal audit done Audit report

Certification Readiness

Before Stage 1 audit:

  • ISMS scope documented and approved
  • Information security policy published
  • Risk assessment completed
  • Statement of Applicability finalized
  • Internal audit conducted
  • Management review completed
  • Nonconformities addressed

Before Stage 2 audit:

  • Controls implemented and operational
  • Evidence of effectiveness available
  • Staff trained and aware
  • Incidents logged and managed
  • Metrics collected for 3+ months

Compliance Verification

Run periodic checks:

# Monthly compliance check
python scripts/compliance_checker.py --standard iso27001 --output monthly_$(date +%Y%m).md

# Quarterly gap analysis
python scripts/compliance_checker.py --standard iso27001 --gap-analysis --output quarterly_gaps.md

Worked Example: Healthcare Risk Assessment

Scenario: Assess security risks for a patient data management system.

Step 1: Define Assets

python scripts/risk_assessment.py --scope "patient-data-system" --template healthcare

Asset inventory output:

Asset ID Asset Type Owner Classification
A001 Patient database Information DBA Team Confidential
A002 EHR application Software App Team Critical
A003 Database server Hardware Infra Team High
A004 Admin credentials Access Security Critical

Step 2: Identify Risks

Risk register output:

Risk ID Asset Threat Vulnerability L I Score
R001 A001 Data breach Weak encryption 3 5 15
R002 A002 SQL injection Input validation 4 4 16
R003 A004 Credential theft No MFA 4 5 20

Step 3: Determine Treatment

Risk Treatment Control Timeline
R001 Mitigate Implement AES-256 encryption 30 days
R002 Mitigate Add input validation, WAF 14 days
R003 Mitigate Enforce MFA for all admins 7 days

Step 4: Verify Implementation

python scripts/compliance_checker.py --controls-file implemented_controls.csv

Verification output:

Control Implementation Status
=============================
Cryptography (A.8.24): IMPLEMENTED
  - AES-256 at rest: YES
  - TLS 1.3 in transit: YES

Access Control (A.8.5): IMPLEMENTED
  - MFA enabled: YES
  - Admin accounts: 100% coverage

Application Security (A.8.26): PARTIAL
  - Input validation: YES
  - WAF deployed: PENDING

Overall Compliance: 87%
Usage Guidance
This skill appears to do what it says: local ISO27001/healthcare risk & compliance analysis. Before installing or running: (1) review the full Python scripts if you can — they process input CSVs and write output files; (2) avoid feeding real secrets or production credentials in the input CSVs (treat inputs as potentially sensitive); (3) run the tools in a controlled environment (sandbox or dev machine) if you want to be extra cautious; (4) if you need the agent to run these autonomously, be aware that the agent will execute local scripts and could read any files you point it to — restrict file paths and inputs accordingly.
Capability Analysis
Type: OpenClaw Skill Name: information-security-manager-iso27001 Version: 2.1.1 The skill bundle provides a comprehensive framework for ISO 27001 compliance and risk management, specifically tailored for HealthTech/MedTech environments. The included Python scripts (compliance_checker.py and risk_assessment.py) are purely analytical tools that process local CSV data or generate sample reports without any network activity, shell execution, or sensitive data access. The documentation and SKILL.md instructions are well-structured, align with industry standards, and contain no evidence of prompt injection or malicious intent.
Capability Assessment
Purpose & Capability
Name/description (ISO 27001 & healthcare) match the included files: SKILL.md, guidance docs, and two Python tools for risk assessment and compliance checking. There are no unrelated binaries, cloud credentials, or configuration paths requested.
Instruction Scope
SKILL.md instructs running local Python scripts with CSV/JSON inputs and producing reports. The instructions reference only expected files (assets.csv, controls.csv, outputs) and ISO-related workflows; they do not direct reading of unrelated system files or sending data to external endpoints.
Install Mechanism
No install spec; skill is instruction- and script-only. No network downloads or archive extraction are specified, and provided Python scripts run locally.
Credentials
The skill declares no required environment variables, credentials, or config paths. The scripts take input files (CSV/JSON) and produce reports — this matches the stated purpose and does not ask for secrets or unrelated tokens.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. It runs local scripts when invoked; nothing in the manifest suggests modification of other skills or global agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install information-security-manager-iso27001
  3. After installation, invoke the skill by name or use /information-security-manager-iso27001
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.1
v2.1.1: optimization, reference splits
v1.0.0
Initial release of the information-security-manager-iso27001 skill for HealthTech and MedTech companies. - Enables ISO 27001 ISMS design, risk assessment, and control implementation workflows. - Provides tools for automated security risk assessment and compliance checking. - Supports ISO 27001/27002, healthcare security, and medical device cybersecurity. - Includes step-by-step workflows for ISMS implementation, risk assessment, and incident response. - Offers reference guides, validation checkpoints, and automation commands for key ISMS activities.
Metadata
Slug information-security-manager-iso27001
Version 2.1.1
License MIT-0
All-time Installs 13
Active Installs 13
Total Versions 2
Frequently Asked Questions

What is Information Security Manager Iso27001?

ISO 27001 ISMS implementation and cybersecurity governance for HealthTech and MedTech companies. Use for ISMS design, security risk assessment, control imple... It is an AI Agent Skill for Claude Code / OpenClaw, with 2164 downloads so far.

How do I install Information Security Manager Iso27001?

Run "/install information-security-manager-iso27001" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Information Security Manager Iso27001 free?

Yes, Information Security Manager Iso27001 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Information Security Manager Iso27001 support?

Information Security Manager Iso27001 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Information Security Manager Iso27001?

It is built and maintained by Alireza Rezvani (@alirezarezvani); the current version is v2.1.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments