← 返回 Skills 市场
Information Security Manager Iso27001
作者
Alireza Rezvani
· GitHub ↗
· v2.1.1
· MIT-0
2164
总下载
3
收藏
13
当前安装
2
版本数
在 OpenClaw 中安装
/install information-security-manager-iso27001
功能描述
ISO 27001 ISMS implementation and cybersecurity governance for HealthTech and MedTech companies. Use for ISMS design, security risk assessment, control imple...
使用说明 (SKILL.md)
Information Security Manager - ISO 27001
Implement and manage Information Security Management Systems (ISMS) aligned with ISO 27001:2022 and healthcare regulatory requirements.
Table of Contents
Trigger Phrases
Use this skill when you hear:
- "implement ISO 27001"
- "ISMS implementation"
- "security risk assessment"
- "information security policy"
- "ISO 27001 certification"
- "security controls implementation"
- "incident response plan"
- "healthcare data security"
- "medical device cybersecurity"
- "security compliance audit"
Quick Start
Run Security Risk Assessment
python scripts/risk_assessment.py --scope "patient-data-system" --output risk_register.json
Check Compliance Status
python scripts/compliance_checker.py --standard iso27001 --controls-file controls.csv
Generate Gap Analysis Report
python scripts/compliance_checker.py --standard iso27001 --gap-analysis --output gaps.md
Tools
risk_assessment.py
Automated security risk assessment following ISO 27001 Clause 6.1.2 methodology.
Usage:
# Full risk assessment
python scripts/risk_assessment.py --scope "cloud-infrastructure" --output risks.json
# Healthcare-specific assessment
python scripts/risk_assessment.py --scope "ehr-system" --template healthcare --output risks.json
# Quick asset-based assessment
python scripts/risk_assessment.py --assets assets.csv --output risks.json
Parameters:
| Parameter | Required | Description |
|---|---|---|
--scope |
Yes | System or area to assess |
--template |
No | Assessment template: general, healthcare, cloud |
--assets |
No | CSV file with asset inventory |
--output |
No | Output file (default: stdout) |
--format |
No | Output format: json, csv, markdown |
Output:
- Asset inventory with classification
- Threat and vulnerability mapping
- Risk scores (likelihood × impact)
- Treatment recommendations
- Residual risk calculations
compliance_checker.py
Verify ISO 27001/27002 control implementation status.
Usage:
# Check all ISO 27001 controls
python scripts/compliance_checker.py --standard iso27001
# Gap analysis with recommendations
python scripts/compliance_checker.py --standard iso27001 --gap-analysis
# Check specific control domains
python scripts/compliance_checker.py --standard iso27001 --domains "access-control,cryptography"
# Export compliance report
python scripts/compliance_checker.py --standard iso27001 --output compliance_report.md
Parameters:
| Parameter | Required | Description |
|---|---|---|
--standard |
Yes | Standard to check: iso27001, iso27002, hipaa |
--controls-file |
No | CSV with current control status |
--gap-analysis |
No | Include remediation recommendations |
--domains |
No | Specific control domains to check |
--output |
No | Output file path |
Output:
- Control implementation status
- Compliance percentage by domain
- Gap analysis with priorities
- Remediation recommendations
Workflows
Workflow 1: ISMS Implementation
Step 1: Define Scope and Context
Document organizational context and ISMS boundaries:
- Identify interested parties and requirements
- Define ISMS scope and boundaries
- Document internal/external issues
Validation: Scope statement reviewed and approved by management.
Step 2: Conduct Risk Assessment
python scripts/risk_assessment.py --scope "full-organization" --template general --output initial_risks.json
- Identify information assets
- Assess threats and vulnerabilities
- Calculate risk levels
- Determine risk treatment options
Validation: Risk register contains all critical assets with assigned owners.
Step 3: Select and Implement Controls
Map risks to ISO 27002 controls:
python scripts/compliance_checker.py --standard iso27002 --gap-analysis --output control_gaps.md
Control categories:
- Organizational (policies, roles, responsibilities)
- People (screening, awareness, training)
- Physical (perimeters, equipment, media)
- Technological (access, crypto, network, application)
Validation: Statement of Applicability (SoA) documents all controls with justification.
Step 4: Establish Monitoring
Define security metrics:
- Incident count and severity trends
- Control effectiveness scores
- Training completion rates
- Audit findings closure rate
Validation: Dashboard shows real-time compliance status.
Workflow 2: Security Risk Assessment
Step 1: Asset Identification
Create asset inventory:
| Asset Type | Examples | Classification |
|---|---|---|
| Information | Patient records, source code | Confidential |
| Software | EHR system, APIs | Critical |
| Hardware | Servers, medical devices | High |
| Services | Cloud hosting, backup | High |
| People | Admin accounts, developers | Varies |
Validation: All assets have assigned owners and classifications.
Step 2: Threat Analysis
Identify threats per asset category:
| Asset | Threats | Likelihood |
|---|---|---|
| Patient data | Unauthorized access, breach | High |
| Medical devices | Malware, tampering | Medium |
| Cloud services | Misconfiguration, outage | Medium |
| Credentials | Phishing, brute force | High |
Validation: Threat model covers top-10 industry threats.
Step 3: Vulnerability Assessment
python scripts/risk_assessment.py --scope "network-infrastructure" --output vuln_risks.json
Document vulnerabilities:
- Technical (unpatched systems, weak configs)
- Process (missing procedures, gaps)
- People (lack of training, insider risk)
Validation: Vulnerability scan results mapped to risk register.
Step 4: Risk Evaluation and Treatment
Calculate risk: Risk = Likelihood × Impact
| Risk Level | Score | Treatment |
|---|---|---|
| Critical | 20-25 | Immediate action required |
| High | 15-19 | Treatment plan within 30 days |
| Medium | 10-14 | Treatment plan within 90 days |
| Low | 5-9 | Accept or monitor |
| Minimal | 1-4 | Accept |
Validation: All high/critical risks have approved treatment plans.
Workflow 3: Incident Response
Step 1: Detection and Reporting
Incident categories:
- Security breach (unauthorized access)
- Malware infection
- Data leakage
- System compromise
- Policy violation
Validation: Incident logged within 15 minutes of detection.
Step 2: Triage and Classification
| Severity | Criteria | Response Time |
|---|---|---|
| Critical | Data breach, system down | Immediate |
| High | Active threat, significant risk | 1 hour |
| Medium | Contained threat, limited impact | 4 hours |
| Low | Minor violation, no impact | 24 hours |
Validation: Severity assigned and escalation triggered if needed.
Step 3: Containment and Eradication
Immediate actions:
- Isolate affected systems
- Preserve evidence
- Block threat vectors
- Remove malicious artifacts
Validation: Containment confirmed, no ongoing compromise.
Step 4: Recovery and Lessons Learned
Post-incident activities:
- Restore systems from clean backups
- Verify integrity before reconnection
- Document timeline and actions
- Conduct post-incident review
- Update controls and procedures
Validation: Post-incident report completed within 5 business days.
Reference Guides
When to Use Each Reference
references/iso27001-controls.md
- Control selection for SoA
- Implementation guidance
- Evidence requirements
- Audit preparation
references/risk-assessment-guide.md
- Risk methodology selection
- Asset classification criteria
- Threat modeling approaches
- Risk calculation methods
references/incident-response.md
- Response procedures
- Escalation matrices
- Communication templates
- Recovery checklists
Validation Checkpoints
ISMS Implementation Validation
| Phase | Checkpoint | Evidence Required |
|---|---|---|
| Scope | Scope approved | Signed scope document |
| Risk | Register complete | Risk register with owners |
| Controls | SoA approved | Statement of Applicability |
| Operation | Metrics active | Dashboard screenshots |
| Audit | Internal audit done | Audit report |
Certification Readiness
Before Stage 1 audit:
- ISMS scope documented and approved
- Information security policy published
- Risk assessment completed
- Statement of Applicability finalized
- Internal audit conducted
- Management review completed
- Nonconformities addressed
Before Stage 2 audit:
- Controls implemented and operational
- Evidence of effectiveness available
- Staff trained and aware
- Incidents logged and managed
- Metrics collected for 3+ months
Compliance Verification
Run periodic checks:
# Monthly compliance check
python scripts/compliance_checker.py --standard iso27001 --output monthly_$(date +%Y%m).md
# Quarterly gap analysis
python scripts/compliance_checker.py --standard iso27001 --gap-analysis --output quarterly_gaps.md
Worked Example: Healthcare Risk Assessment
Scenario: Assess security risks for a patient data management system.
Step 1: Define Assets
python scripts/risk_assessment.py --scope "patient-data-system" --template healthcare
Asset inventory output:
| Asset ID | Asset | Type | Owner | Classification |
|---|---|---|---|---|
| A001 | Patient database | Information | DBA Team | Confidential |
| A002 | EHR application | Software | App Team | Critical |
| A003 | Database server | Hardware | Infra Team | High |
| A004 | Admin credentials | Access | Security | Critical |
Step 2: Identify Risks
Risk register output:
| Risk ID | Asset | Threat | Vulnerability | L | I | Score |
|---|---|---|---|---|---|---|
| R001 | A001 | Data breach | Weak encryption | 3 | 5 | 15 |
| R002 | A002 | SQL injection | Input validation | 4 | 4 | 16 |
| R003 | A004 | Credential theft | No MFA | 4 | 5 | 20 |
Step 3: Determine Treatment
| Risk | Treatment | Control | Timeline |
|---|---|---|---|
| R001 | Mitigate | Implement AES-256 encryption | 30 days |
| R002 | Mitigate | Add input validation, WAF | 14 days |
| R003 | Mitigate | Enforce MFA for all admins | 7 days |
Step 4: Verify Implementation
python scripts/compliance_checker.py --controls-file implemented_controls.csv
Verification output:
Control Implementation Status
=============================
Cryptography (A.8.24): IMPLEMENTED
- AES-256 at rest: YES
- TLS 1.3 in transit: YES
Access Control (A.8.5): IMPLEMENTED
- MFA enabled: YES
- Admin accounts: 100% coverage
Application Security (A.8.26): PARTIAL
- Input validation: YES
- WAF deployed: PENDING
Overall Compliance: 87%
安全使用建议
This skill appears to do what it says: local ISO27001/healthcare risk & compliance analysis. Before installing or running: (1) review the full Python scripts if you can — they process input CSVs and write output files; (2) avoid feeding real secrets or production credentials in the input CSVs (treat inputs as potentially sensitive); (3) run the tools in a controlled environment (sandbox or dev machine) if you want to be extra cautious; (4) if you need the agent to run these autonomously, be aware that the agent will execute local scripts and could read any files you point it to — restrict file paths and inputs accordingly.
功能分析
Type: OpenClaw Skill
Name: information-security-manager-iso27001
Version: 2.1.1
The skill bundle provides a comprehensive framework for ISO 27001 compliance and risk management, specifically tailored for HealthTech/MedTech environments. The included Python scripts (compliance_checker.py and risk_assessment.py) are purely analytical tools that process local CSV data or generate sample reports without any network activity, shell execution, or sensitive data access. The documentation and SKILL.md instructions are well-structured, align with industry standards, and contain no evidence of prompt injection or malicious intent.
能力评估
Purpose & Capability
Name/description (ISO 27001 & healthcare) match the included files: SKILL.md, guidance docs, and two Python tools for risk assessment and compliance checking. There are no unrelated binaries, cloud credentials, or configuration paths requested.
Instruction Scope
SKILL.md instructs running local Python scripts with CSV/JSON inputs and producing reports. The instructions reference only expected files (assets.csv, controls.csv, outputs) and ISO-related workflows; they do not direct reading of unrelated system files or sending data to external endpoints.
Install Mechanism
No install spec; skill is instruction- and script-only. No network downloads or archive extraction are specified, and provided Python scripts run locally.
Credentials
The skill declares no required environment variables, credentials, or config paths. The scripts take input files (CSV/JSON) and produce reports — this matches the stated purpose and does not ask for secrets or unrelated tokens.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. It runs local scripts when invoked; nothing in the manifest suggests modification of other skills or global agent settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install information-security-manager-iso27001 - 安装完成后,直接呼叫该 Skill 的名称或使用
/information-security-manager-iso27001触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.1.1
v2.1.1: optimization, reference splits
v1.0.0
Initial release of the information-security-manager-iso27001 skill for HealthTech and MedTech companies.
- Enables ISO 27001 ISMS design, risk assessment, and control implementation workflows.
- Provides tools for automated security risk assessment and compliance checking.
- Supports ISO 27001/27002, healthcare security, and medical device cybersecurity.
- Includes step-by-step workflows for ISMS implementation, risk assessment, and incident response.
- Offers reference guides, validation checkpoints, and automation commands for key ISMS activities.
元数据
常见问题
Information Security Manager Iso27001 是什么?
ISO 27001 ISMS implementation and cybersecurity governance for HealthTech and MedTech companies. Use for ISMS design, security risk assessment, control imple... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2164 次。
如何安装 Information Security Manager Iso27001?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install information-security-manager-iso27001」即可一键安装,无需额外配置。
Information Security Manager Iso27001 是免费的吗?
是的,Information Security Manager Iso27001 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Information Security Manager Iso27001 支持哪些平台?
Information Security Manager Iso27001 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Information Security Manager Iso27001?
由 Alireza Rezvani(@alirezarezvani)开发并维护,当前版本 v2.1.1。
推荐 Skills