@hdwebsoft/hdcode-ai-darwin-x64 0.0.7 → 0.0.8

package/resources/skills/hd-iso/reference/iso-27001-requirements.md

@@ -0,0 +1,166 @@
+# ISO 27001:2022 Requirements
+
+Used by `hd-iso gap` to check document coverage against mandatory clauses and Annex A controls.
+
+> **Source & Disclaimer**
+> Clause IDs, titles, and structure are based on BSI Group training materials ([bsigroup.com](https://www.bsigroup.com)) and publicly available ISO guidance. Descriptions are summaries — not verbatim from the official ISO document. For formal audit submissions, reference the purchased official standard from ISO or BSI.
+> Last reviewed: 2026-03-05 | Standard version: ISO/IEC 27001:2022
+
+## Column Guide
+
+| Column | Source | Notes |
+|--------|--------|-------|
+| `Clause` | Official standard | Normative clause ID |
+| `Title` | Official standard | Normative clause title |
+| `Type` | Official standard | `mandatory` (clauses 4–10) or `control` (Annex A) |
+| `Description` | BSI training summary | Brief summary — not official text |
+| `Shall` | **Official PDF** | Key normative "shall" statements. **Populate from purchased ISO/IEC 27001:2022 PDF** using `/hd-docs-parse`. Leave empty until official text is available. |
+
+When `Shall` is populated, `hd-iso-verify` uses it as the authoritative source for clause-specific checks.
+
+---
+
+## Mandatory Clauses (Clauses 4–10)
+
+| Clause | Title | Type | Description |
+|--------|-------|------|-------------|
+| 4.1 | Understanding the organization and its context | mandatory | Internal/external issues affecting ISMS |
+| 4.2 | Understanding needs of interested parties | mandatory | Requirements of stakeholders |
+| 4.3 | Determining scope of ISMS | mandatory | Boundaries and applicability |
+| 4.4 | ISMS | mandatory | Establish, implement, maintain, improve ISMS |
+| 5.1 | Leadership and commitment | mandatory | Top management demonstration |
+| 5.2 | Policy | mandatory | Information security policy |
+| 5.3 | Roles, responsibilities, authorities | mandatory | Assigned and communicated |
+| 6.1 | Actions to address risks and opportunities | mandatory | Risk treatment including 6.1.2 risk assessment, 6.1.3 risk treatment |
+| 6.2 | Information security objectives | mandatory | Measurable security objectives |
+| 6.3 | Planning of changes | mandatory | Changes to ISMS performed in controlled manner |
+| 7.1 | Resources | mandatory | Provide necessary resources |
+| 7.2 | Competence | mandatory | Competence of relevant persons |
+| 7.3 | Awareness | mandatory | Awareness of security policy and roles |
+| 7.4 | Communication | mandatory | Internal and external communication |
+| 7.5 | Documented information | mandatory | Create, update, control documented information |
+| 8.1 | Operational planning and control | mandatory | Plan, implement, control processes |
+| 8.2 | Information security risk assessment | mandatory | Perform at planned intervals or on change |
+| 8.3 | Information security risk treatment | mandatory | Implement risk treatment plan |
+| 9.1 | Monitoring, measurement, analysis, evaluation | mandatory | Evaluate performance and effectiveness |
+| 9.2 | Internal audit | mandatory | Conduct at planned intervals |
+| 9.3 | Management review | mandatory | Top management review at planned intervals |
+| 10.1 | Continual improvement | mandatory | Continuously improve ISMS |
+| 10.2 | Nonconformity and corrective action | mandatory | React, take action, review effectiveness |
+
+---
+
+## Annex A Controls (ISO 27001:2022)
+
+### A.5 — Organizational Controls (37 controls)
+
+| Clause | Title | Type | Description |
+|--------|-------|------|-------------|
+| A.5.1 | Policies for information security | control | Define, approve, publish, review policies |
+| A.5.2 | Information security roles and responsibilities | control | Allocate responsibilities |
+| A.5.3 | Segregation of duties | control | Separate conflicting duties |
+| A.5.4 | Management responsibilities | control | Require adherence to policy |
+| A.5.5 | Contact with authorities | control | Maintain contacts with authorities |
+| A.5.6 | Contact with special interest groups | control | Maintain contacts with special interest groups |
+| A.5.7 | Threat intelligence | control | Collect and analyze threats |
+| A.5.8 | Information security in project management | control | Address security in project management |
+| A.5.9 | Inventory of information and other associated assets | control | Maintain asset inventory |
+| A.5.10 | Acceptable use of information and assets | control | Rules for acceptable use |
+| A.5.11 | Return of assets | control | Return assets upon termination/change |
+| A.5.12 | Classification of information | control | Classify information by requirements |
+| A.5.13 | Labelling of information | control | Label information per classification |
+| A.5.14 | Information transfer | control | Rules for transferring information |
+| A.5.15 | Access control | control | Establish and implement access policy |
+| A.5.16 | Identity management | control | Manage full identity lifecycle |
+| A.5.17 | Authentication information | control | Manage allocation/use of authentication info |
+| A.5.18 | Access rights | control | Provision, review, remove access rights |
+| A.5.19 | Information security in supplier relationships | control | Manage supplier security risks |
+| A.5.20 | Addressing security within supplier agreements | control | Establish security requirements with suppliers |
+| A.5.21 | Managing ICT supply chain security | control | Manage ICT supply chain risks |
+| A.5.22 | Monitoring, review and change management of supplier services | control | Monitor and review supplier services |
+| A.5.23 | Information security for use of cloud services | control | Manage cloud service security |
+| A.5.24 | Information security incident management planning | control | Plan and prepare for incident management |
+| A.5.25 | Assessment and decision on IS events | control | Assess events and decide if incidents |
+| A.5.26 | Response to information security incidents | control | Respond to incidents |
+| A.5.27 | Learning from IS incidents | control | Use knowledge gained from incidents |
+| A.5.28 | Collection of evidence | control | Establish procedures for evidence |
+| A.5.29 | IS during disruption | control | Plan security during disruption |
+| A.5.30 | ICT readiness for business continuity | control | Plan ICT continuity |
+| A.5.31 | Legal, statutory, regulatory and contractual requirements | control | Identify and comply with requirements |
+| A.5.32 | Intellectual property rights | control | Protect intellectual property |
+| A.5.33 | Protection of records | control | Protect records from loss, destruction, falsification |
+| A.5.34 | Privacy and protection of PII | control | Protect PII per applicable requirements |
+| A.5.35 | Independent review of IS | control | Independent review at planned intervals |
+| A.5.36 | Compliance with policies and standards | control | Regular review of compliance |
+| A.5.37 | Documented operating procedures | control | Maintain operating procedures |
+
+### A.6 — People Controls (8 controls)
+
+| Clause | Title | Type | Description |
+|--------|-------|------|-------------|
+| A.6.1 | Screening | control | Background verification of candidates |
+| A.6.2 | Terms and conditions of employment | control | Security responsibilities in contracts |
+| A.6.3 | Information security awareness, education and training | control | Security training program |
+| A.6.4 | Disciplinary process | control | Formal process for security violations |
+| A.6.5 | Responsibilities after termination/change | control | Security responsibilities post-employment |
+| A.6.6 | Confidentiality or non-disclosure agreements | control | NDAs for security |
+| A.6.7 | Remote working | control | Security for remote workers |
+| A.6.8 | IS event reporting | control | Report security events |
+
+### A.7 — Physical Controls (14 controls)
+
+| Clause | Title | Type | Description |
+|--------|-------|------|-------------|
+| A.7.1 | Physical security perimeters | control | Define and use security perimeters |
+| A.7.2 | Physical entry | control | Protect secure areas by entry controls |
+| A.7.3 | Securing offices, rooms and facilities | control | Physical security for offices/rooms |
+| A.7.4 | Physical security monitoring | control | Monitor premises for unauthorized access |
+| A.7.5 | Protecting against physical and environmental threats | control | Protect against disasters |
+| A.7.6 | Working in secure areas | control | Secure area procedures |
+| A.7.7 | Clear desk and clear screen | control | Policies for clear desk/screen |
+| A.7.8 | Equipment siting and protection | control | Site and protect equipment |
+| A.7.9 | Security of assets off-premises | control | Protect off-site assets |
+| A.7.10 | Storage media | control | Manage storage media lifecycle |
+| A.7.11 | Supporting utilities | control | Protect from utility failures |
+| A.7.12 | Cabling security | control | Protect power and telecom cabling |
+| A.7.13 | Equipment maintenance | control | Maintain equipment correctly |
+| A.7.14 | Secure disposal or re-use of equipment | control | Verify data deletion before disposal |
+
+### A.8 — Technological Controls (34 controls)
+
+| Clause | Title | Type | Description |
+|--------|-------|------|-------------|
+| A.8.1 | User endpoint devices | control | Protect user endpoint devices |
+| A.8.2 | Privileged access rights | control | Restrict and manage privileged access |
+| A.8.3 | Information access restriction | control | Restrict access per policy |
+| A.8.4 | Access to source code | control | Restrict source code access |
+| A.8.5 | Secure authentication | control | Implement secure authentication |
+| A.8.6 | Capacity management | control | Monitor and manage capacity |
+| A.8.7 | Protection against malware | control | Malware protection |
+| A.8.8 | Management of technical vulnerabilities | control | Vulnerability management |
+| A.8.9 | Configuration management | control | Manage configurations securely |
+| A.8.10 | Information deletion | control | Delete information when no longer needed |
+| A.8.11 | Data masking | control | Mask data per policy |
+| A.8.12 | Data leakage prevention | control | Prevent data leakage |
+| A.8.13 | Information backup | control | Backup and test recovery |
+| A.8.14 | Redundancy of information processing facilities | control | Sufficient redundancy |
+| A.8.15 | Logging | control | Produce, store, protect logs |
+| A.8.16 | Monitoring activities | control | Monitor networks, systems, applications |
+| A.8.17 | Clock synchronisation | control | Synchronize clocks |
+| A.8.18 | Use of privileged utility programs | control | Control privileged utilities |
+| A.8.19 | Installation of software on operational systems | control | Control software installation |
+| A.8.20 | Networks security | control | Manage and control networks |
+| A.8.21 | Security of network services | control | Identify and address network service security |
+| A.8.22 | Segregation of networks | control | Segregate networks |
+| A.8.23 | Web filtering | control | Manage access to external websites |
+| A.8.24 | Use of cryptography | control | Implement cryptography policy |
+| A.8.25 | Secure development life cycle | control | Establish secure development rules |
+| A.8.26 | Application security requirements | control | Specify application security requirements |
+| A.8.27 | Secure system architecture and engineering principles | control | Apply secure engineering principles |
+| A.8.28 | Secure coding | control | Apply secure coding practices |
+| A.8.29 | Security testing in development and acceptance | control | Security testing in SDLC |
+| A.8.30 | Outsourced development | control | Supervise outsourced development |
+| A.8.31 | Separation of development, test and production | control | Separate environments |
+| A.8.32 | Change management | control | Control changes to systems |
+| A.8.33 | Test information | control | Protect test information |
+| A.8.34 | Protection of IS during audit testing | control | Protect systems during audit |

package/resources/skills/hd-iso/reference/iso-9001-requirements.md

@@ -0,0 +1,91 @@
+# ISO 9001:2015 Requirements
+
+Used by `hd-iso gap` to check document coverage against mandatory clauses.
+
+> **Source & Disclaimer**
+> Clause IDs, titles, and structure are based on BSI Group training materials ([bsigroup.com](https://www.bsigroup.com)) and publicly available ISO guidance. Descriptions are summaries — not verbatim from the official ISO document. For formal audit submissions, reference the purchased official standard from ISO or BSI.
+> Last reviewed: 2026-03-05 | Standard version: ISO 9001:2015
+
+## Column Guide
+
+| Column | Source | Notes |
+|--------|--------|-------|
+| `Clause` | Official standard | Normative clause ID |
+| `Title` | Official standard | Normative clause title |
+| `Type` | Official standard | `mandatory` |
+| `Description` | BSI training summary | Brief summary — not official text |
+| `Shall` | **Official PDF** | Key normative "shall" statements. **Populate from purchased ISO 9001:2015 PDF** using `/hd-docs-parse`. Leave empty until official text is available. |
+
+When `Shall` is populated, `hd-iso-verify` uses it as the authoritative source for clause-specific checks.
+
+---
+
+## Mandatory Clauses
+
+| Clause | Title | Type | Description |
+|--------|-------|------|-------------|
+| 4.1 | Understanding the organization and its context | mandatory | Internal/external issues affecting QMS |
+| 4.2 | Understanding needs of interested parties | mandatory | Requirements of relevant stakeholders |
+| 4.3 | Determining scope of QMS | mandatory | Boundaries, applicability, justification for exclusions |
+| 4.4 | QMS and its processes | mandatory | Establish, implement, maintain, improve QMS processes |
+| 5.1 | Leadership and commitment | mandatory | Top management accountability for QMS |
+| 5.2 | Policy | mandatory | Quality policy established, communicated, maintained |
+| 5.3 | Roles, responsibilities and authorities | mandatory | Assigned, communicated, understood |
+| 6.1 | Actions to address risks and opportunities | mandatory | Determine risks/opportunities, plan actions |
+| 6.2 | Quality objectives and planning | mandatory | Measurable quality objectives and plans to achieve |
+| 6.3 | Planning of changes | mandatory | Changes made in controlled manner |
+| 7.1 | Resources | mandatory | Provide resources: people, infrastructure, environment, monitoring/measuring, knowledge |
+| 7.2 | Competence | mandatory | Ensure competence of people affecting quality |
+| 7.3 | Awareness | mandatory | Aware of policy, objectives, contribution, nonconformity implications |
+| 7.4 | Communication | mandatory | Determine internal/external communication on QMS |
+| 7.5 | Documented information | mandatory | Create, update, control documented information |
+| 8.1 | Operational planning and control | mandatory | Plan, implement, control processes for products/services |
+| 8.2 | Requirements for products and services | mandatory | Customer communication, review of requirements, changes |
+| 8.3 | Design and development | mandatory | Design/development process (if applicable) |
+| 8.4 | Control of externally provided processes, products and services | mandatory | Supplier/subcontractor control |
+| 8.5 | Production and service provision | mandatory | Controlled conditions, identification, preservation, post-delivery |
+| 8.6 | Release of products and services | mandatory | Verify requirements met before release |
+| 8.7 | Control of nonconforming outputs | mandatory | Identify and control nonconforming outputs |
+| 9.1 | Monitoring, measurement, analysis and evaluation | mandatory | What, how, when to monitor and analyze |
+| 9.2 | Internal audit | mandatory | Conduct at planned intervals, audit program |
+| 9.3 | Management review | mandatory | Top management review: inputs, outputs, decisions |
+| 10.1 | Continual improvement | mandatory | Determine opportunities, take actions |
+| 10.2 | Nonconformity and corrective action | mandatory | React, root cause, review effectiveness, update risks |
+| 10.3 | Continual improvement (general) | mandatory | Improve QMS suitability, adequacy, effectiveness |
+
+## Common Document Types by Clause
+
+| Clause | Typical Doc Type | Example Title |
+|--------|-----------------|---------------|
+| 4.1–4.4 | policy + procedure | QMS Scope Document, Context Analysis |
+| 5.1–5.3 | policy | Quality Policy, Roles & Responsibilities Matrix |
+| 6.1–6.3 | procedure + record | Risk Register, Objectives Tracker |
+| 7.1–7.5 | procedure + record | Training Records, Document Control Procedure |
+| 8.1–8.7 | procedure + record | Production Procedure, NCR Log, Supplier Evaluation |
+| 9.1–9.3 | procedure + record | Internal Audit Schedule, Management Review Minutes |
+| 10.1–10.3 | procedure + record | Corrective Action Procedure, Improvement Log |
+
+## Mandatory Documented Information (ISO 9001:2015)
+
+Documents that MUST exist as formal records:
+
+| Item | Clause | Description |
+|------|--------|-------------|
+| Scope of QMS | 4.3 | Documented scope with justification for exclusions |
+| Quality policy | 5.2 | Approved policy document |
+| Quality objectives | 6.2 | Measurable objectives with plans |
+| Operational planning and control | 8.1 | Evidence of processes controlled |
+| Design and development inputs | 8.3.3 | If applicable |
+| Design and development outputs | 8.3.5 | If applicable |
+| Design and development changes | 8.3.6 | If applicable |
+| External provider control criteria | 8.4.1 | Supplier evaluation criteria |
+| Characteristics of products/services | 8.5.1 | Work instructions / specifications |
+| Traceability records | 8.5.2 | Where required |
+| Customer/external property records | 8.5.3 | If applicable |
+| Change control records | 8.5.6 | Changes to production/service |
+| Release authorization records | 8.6 | Evidence products/services meet requirements |
+| Nonconforming outputs | 8.7.2 | NCR records |
+| Monitoring/measurement results | 9.1.1 | Evidence of performance evaluation |
+| Internal audit program and results | 9.2.2 | Audit schedule, reports, findings |
+| Management review results | 9.3.3 | Meeting minutes with decisions |
+| Nonconformities and corrective actions | 10.2.2 | CAR records |

package/resources/skills/hd-iso/reference/role-profiles.md

@@ -0,0 +1,115 @@
+# Role Profiles for ISO Onboarding
+
+Used by `hd-iso onboard` to filter relevant documents per role.
+Maps each role to the ISO clauses and doc_types most relevant to them.
+
+## Role Definitions
+
+### `developer`
+Software engineers, DevOps engineers, tech leads.
+
+**Relevant ISO 27001 clauses:**
+- A.8.1–A.8.5 (endpoint devices, privileged access, access restriction, source code, authentication)
+- A.8.8 (vulnerability management)
+- A.8.9 (configuration management)
+- A.8.13 (backup)
+- A.8.15–A.8.16 (logging, monitoring)
+- A.8.19 (software installation)
+- A.8.20–A.8.22 (network security, segregation)
+- A.8.24 (cryptography)
+- A.8.25–A.8.34 (secure SDLC — all development controls)
+- A.5.15, A.5.18 (access control, access rights)
+- A.6.7 (remote working)
+- A.6.8 (event reporting)
+
+**Relevant ISO 9001 clauses:**
+- 8.1 (operational planning)
+- 8.3 (design and development)
+- 8.5 (production/service provision)
+- 10.2 (nonconformity and corrective action)
+
+---
+
+### `qa`
+Quality assurance engineers, testers, QA managers.
+
+**Relevant ISO 27001 clauses:**
+- A.8.29 (security testing in development and acceptance)
+- A.8.33 (test information)
+- A.5.12, A.5.13 (classification and labelling)
+- A.5.36 (compliance with policies)
+
+**Relevant ISO 9001 clauses:**
+- 8.5 (production and service provision)
+- 8.6 (release of products and services)
+- 8.7 (control of nonconforming outputs)
+- 9.1 (monitoring, measurement, analysis and evaluation)
+- 10.2 (nonconformity and corrective action)
+- 7.2 (competence)
+
+---
+
+### `manager`
+Team leads, department heads, project managers, product owners.
+
+**Relevant ISO 27001 clauses:**
+- 4.1–4.4 (context, scope, ISMS)
+- 5.1–5.3 (leadership, policy, roles)
+- 6.1–6.3 (risk, objectives, change planning)
+- 7.1–7.5 (resources, competence, awareness, communication, documented information)
+- 9.1–9.3 (monitoring, internal audit, management review)
+- 10.1–10.2 (continual improvement, corrective action)
+- A.5.1–A.5.4 (policies, roles, segregation, management responsibilities)
+- A.5.19–A.5.22 (supplier/cloud management)
+
+**Relevant ISO 9001 clauses:**
+- 5.1–5.3 (leadership)
+- 6.1–6.3 (planning)
+- 9.3 (management review)
+- 10.1–10.3 (improvement)
+
+---
+
+### `security`
+CISO, security engineers, information security officers.
+
+**Relevant ISO 27001 clauses:**
+- All A.5–A.8 controls (full Annex A)
+- All mandatory clauses 4–10
+- Special focus: 6.1 (risk assessment), 8.2–8.3 (risk treatment)
+
+**Relevant ISO 9001 clauses:**
+- 6.1 (risks and opportunities)
+- 9.1 (monitoring and measurement)
+- 10.2 (corrective action)
+
+---
+
+### `new-hire`
+All new employees regardless of role. Company-wide awareness only.
+
+**Filter**: docs where `roles` contains `all` AND `doc_type` is `policy`
+
+**Relevant clauses (awareness level):**
+- A.5.1 (security policy)
+- A.5.10 (acceptable use)
+- A.6.3 (security awareness training)
+- A.6.6 (NDAs and confidentiality)
+- A.6.8 (incident reporting)
+- 5.2 (quality policy)
+- 7.3 (awareness)
+
+---
+
+## Role Hierarchy
+
+For onboarding output, apply roles additively:
+- A `manager` who is also a developer → run both profiles, deduplicate docs
+- A `security` person → gets all controls (superset of all other roles)
+
+## Adding Custom Roles
+
+To add a company-specific role (e.g. `hr`, `finance`, `ops`):
+1. Add a new section here following the same format
+2. Map to relevant ISO clauses
+3. `hd-iso onboard --role hr` will pick it up automatically

package/resources/skills/hd-iso-ready/SKILL.md

@@ -0,0 +1,146 @@
+---
+name: hd-iso-ready
+description: "ISO certification readiness assessment. Aggregates gap coverage, document quality, mandatory records, and open NCRs into a weighted readiness score. Use when: checking audit readiness, getting a compliance health summary, pre-audit review, 'are we ISO ready?', 'hd-iso-ready', 'certification readiness check'."
+license: proprietary
+metadata:
+  version: "1.0.0"
+  copyright: "© HDWEBSOFT. All rights reserved."
+---
+
+# ISO Certification Readiness Report
+
+> **[IMPORTANT]** Advisory only — compliance decisions and auditor submissions are owned by humans. Run `hd-iso-sync` first to ensure local docs are current.
+
+## Invocation
+
+```
+/hd-iso-ready [--standard 9001|27001]    Full readiness assessment (default: both)
+/hd-iso-ready --standard 27001 --brief   Executive summary only
+```
+
+---
+
+## Pipeline
+
+| Step | Action | Weight |
+|------|--------|--------|
+| 1. Gap | Clause coverage: covered / total mandatory | 30% |
+| 2. Quality | Doc quality audit: compliant vs partial vs non-compliant | 35% |
+| 3. Records | Mandatory records existence check | 25% |
+| 4. NCRs | Open NCRs: major -10%/ea (max -30%), minor -3%/ea (max -9%) | penalty |
+| 5. Report | Weighted score → grade → save report | — |
+
+Prerequisite: `docs/iso/` populated. Reference files at `skills/hd-iso/reference/`. Missing `docs/iso/ncr/` → assume 0 NCRs.
+
+---
+
+## Step 1 — Gap Check (Clause Coverage)
+
+Check if mandatory clauses have a doc tagged in `docs/iso/` frontmatter. Annex A controls excluded from scoring.
+
+```
+📋 Clause Coverage
+  ✅ Covered: 18/21 mandatory clauses
+  ❌ Missing:  3 clauses — 8.2, 9.2, 10.2
+  Score: 86%
+```
+
+---
+
+## Step 2 — Document Quality
+
+For all docs tagged with the standard: apply the hd-iso-verify universal checklist (U1 scope, U2 owner, U3 process, U4 evidence, U5 review). Grade each: ✅ (≥80%) / 🟡 (50–79%) / 🔴 (<50%). Score: (✅×1 + 🟡×0.6) / total.
+
+```
+📄 Document Quality
+  🟢 Compliant:      6 docs
+  🟡 Review needed:  8 docs
+  🔴 Non-compliant:  3 docs
+  Score: 61%
+```
+
+---
+
+## Step 3 — Mandatory Records
+
+Search `docs/iso/` for each mandatory record (from reference "Mandatory Documented Information" list). Grade: ✅ present | ⚠️ wrong doc_type | ❌ missing. Wrong-type counts as 0.5 in score.
+
+```
+📁 Mandatory Records
+  ✅ Present:    10/13
+  ⚠️ Wrong type:  1
+  ❌ Missing:     2
+  Score: 81%
+```
+
+---
+
+## Step 4 — Open NCRs
+
+Scan `docs/iso/ncr/*.md` for status: open or in-progress. Count by severity and apply penalty.
+
+```
+⚠️ Open NCRs
+  3 open (1 major, 2 minor)
+  Penalty: -13%
+```
+
+---
+
+## Step 5 — Compile Report
+
+```
+weighted_score = (gap × 0.30) + (quality × 0.35) + (records × 0.25) - ncr_penalty
+```
+
+### Readiness Grade
+
+| Score | Grade |
+|-------|-------|
+| ≥85%, no major NCRs, no ❌ mandatory records | 🟢 READY |
+| 65–84% OR 1+ major NCR | 🟡 PARTIALLY READY |
+| <65% OR missing mandatory records OR 2+ major NCRs | 🔴 NOT READY |
+
+**Critical blockers** (shown regardless of score): any ❌ mandatory clause, any open major NCR, any ❌ mandatory record.
+
+---
+
+## Output Format
+
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+ISO 27001:2022 Certification Readiness Report
+Generated: 2026-03-05  |  Docs synced: 2026-03-04
+
+OVERALL: 🟡 PARTIALLY READY (72%)
+
+📋 Clause Coverage:     18/21  Score: 86%
+📄 Document Quality:    6✅ 8🟡 3🔴  Score: 61%
+📁 Mandatory Records:   10/13  Score: 81%
+⚠️ Open NCRs:          3 open (1 major, 2 minor)  Penalty: -13%
+
+Readiness Breakdown:
+  Gap (30%):      86% → 25.8
+  Quality (35%):  61% → 21.4
+  Records (25%):  81% → 20.3
+  NCR penalty:   -13%
+  ────────────────────
+  Score: 72% → 🟡 PARTIALLY READY
+
+Critical blockers:
+  1. ❌ Clause 9.2 — no internal audit procedure found
+  2. ❌ NCR-002 (major): Incident response procedure non-compliant
+  3. ❌ Management review records missing (tagged clause 9.3.3)
+
+Next steps:
+  /hd-iso gap --standard 27001          → detail on missing clauses
+  /hd-iso-verify --standard 27001       → detail on non-compliant docs
+  /hd-iso records --standard 27001      → detail on missing records
+  /hd-iso ncr list --status open        → address open NCRs
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+Report saved: reports/readiness-27001-20260305.md
+```
+
+**Brief mode**: OVERALL grade + 4-section scores + critical blockers + next steps only.
+
+Report filename: `reports/readiness-<standard>-<YYYYMMDD>.md` (both standards: `readiness-both-<YYYYMMDD>.md`). Create `reports/` if missing.