arkaos 2.0.0 → 2.0.2

package/departments/finance/skills/ciso-advisor/references/compliance-roadmap.md

@@ -0,0 +1,172 @@
+# Compliance Framework Comparison — Deep Reference
+
+> Companion to `ciso-advisor/SKILL.md`. Framework details, timelines, costs, control overlap, and audit preparation.
+
+## Framework Overview
+
+| Framework | Scope | Mandatory? | Target Market | Certifiable? |
+|-----------|-------|-----------|---------------|-------------|
+| SOC 2 Type I | Security controls at a point in time | No (market-driven) | US B2B SaaS | Yes (audit report) |
+| SOC 2 Type II | Controls operating over 3-12 months | No (market-driven) | US B2B SaaS, Enterprise | Yes (audit report) |
+| ISO 27001 | Information security management system | No (market-driven) | Global, enterprise | Yes (certification) |
+| GDPR | Personal data protection (EU residents) | Yes (law) | Any company handling EU data | No (compliance, not cert) |
+| HIPAA | Protected health information (PHI) | Yes (law, US healthcare) | Healthcare, health tech | No (compliance, not cert) |
+| PCI-DSS v4.0 | Cardholder data environment | Yes (contractual) | Any company processing cards | Yes (assessment) |
+
+## Timeline and Cost Estimates
+
+| Framework | Prep Time | Audit/Assessment | Total Timeline | Cost Range (startup) | Cost Range (mid-market) |
+|-----------|-----------|-----------------|---------------|---------------------|------------------------|
+| SOC 2 Type I | 2-4 months | 1-2 months | 3-6 months | $30K-$80K | $50K-$150K |
+| SOC 2 Type II | 6-9 months (incl. observation) | 3-6 month observation | 9-15 months | $50K-$120K | $80K-$250K |
+| ISO 27001 | 6-12 months | 2-3 months (Stage 1+2) | 8-15 months | $40K-$100K | $80K-$200K |
+| GDPR | 3-6 months (initial) | Ongoing | Continuous | $20K-$60K | $50K-$200K |
+| HIPAA | 6-12 months | Ongoing (annual review) | Continuous | $40K-$100K | $100K-$300K |
+| PCI-DSS | 3-12 months | Quarterly scans + annual SAQ/ROC | Continuous | $20K-$80K (SAQ) | $100K-$500K (ROC) |
+
+**Cost includes:** GRC platform, auditor fees, consultant fees, remediation. **Does not include:** FTE time, infrastructure changes.
+
+## Recommended Sequencing
+
+```
+Phase 0: Security Hygiene (Month 1-2)
+  - MFA on all accounts
+  - Endpoint protection
+  - Automated patching
+  - Encrypted backups
+  - Access reviews
+
+Phase 1: SOC 2 Type I (Month 3-6)
+  - Unlocks: Enterprise sales conversations
+  - Effort: Medium
+  - ROI: Fastest path to "we're audited"
+
+Phase 2: SOC 2 Type II (Month 6-12)
+  - Unlocks: Enterprise deal closures, security questionnaire answers
+  - Effort: Medium (observation period)
+  - ROI: Most requested by US enterprise buyers
+
+Phase 3: ISO 27001 (Month 12-18)
+  - Unlocks: Global enterprise, government contracts
+  - Effort: High (ISMS establishment)
+  - ROI: International recognition, 3-year certification
+
+Phase 4: Domain-Specific (Month 18+)
+  - HIPAA if healthcare
+  - PCI-DSS if processing cards directly
+  - GDPR (should start in Phase 0 if handling EU data)
+```
+
+## Control Overlap Matrix
+
+Implementing one framework gives you progress toward others. Overlap percentage of controls:
+
+| Control Domain | SOC 2 | ISO 27001 | GDPR | HIPAA | PCI-DSS |
+|---------------|:-----:|:---------:|:----:|:-----:|:-------:|
+| Access control | X | X | X | X | X |
+| Encryption (at rest) | X | X | X | X | X |
+| Encryption (in transit) | X | X | X | X | X |
+| Logging and monitoring | X | X | | X | X |
+| Incident response | X | X | X | X | X |
+| Vendor management | X | X | X | X | X |
+| Change management | X | X | | | X |
+| Business continuity | X | X | | X | |
+| Data classification | | X | X | X | X |
+| Data retention/deletion | | X | X | X | |
+| Privacy impact assessment | | | X | X | |
+| Breach notification | | | X | X | X |
+| Physical security | X | X | | X | X |
+| HR security (background checks) | X | X | | X | X |
+| Risk assessment | X | X | X | X | X |
+| Security awareness training | X | X | X | X | X |
+
+**Key insight:** SOC 2 Type II gives ~60% overlap with ISO 27001 controls. Start with SOC 2, then extend to ISO.
+
+## SOC 2 Trust Service Criteria
+
+| Criteria | Required? | Key Controls |
+|----------|-----------|-------------|
+| Security (Common Criteria) | Always required | Access control, firewalls, encryption, monitoring |
+| Availability | If uptime SLA matters | Redundancy, DR plan, capacity planning |
+| Processing Integrity | If data accuracy matters | Input validation, error handling, reconciliation |
+| Confidentiality | If handling confidential data | Classification, DLP, encryption, access restrictions |
+| Privacy | If handling PII | Consent, data minimization, retention, subject rights |
+
+**Typical first audit:** Security + Availability (most buyer requests).
+
+## Audit Preparation Checklist
+
+### 90 Days Before Audit
+
+- [ ] GRC platform populated with all controls and evidence
+- [ ] All policies reviewed and approved within last 12 months
+- [ ] Access reviews completed for all critical systems
+- [ ] Vulnerability scans current (no critical/high unresolved > 30 days)
+- [ ] Penetration test completed within last 12 months
+- [ ] Incident response plan tested (tabletop exercise documented)
+- [ ] Vendor risk assessments current for Tier 1 vendors
+- [ ] Security awareness training completed by all employees
+- [ ] Business continuity/DR plan tested within last 12 months
+- [ ] Change management logs complete and consistent
+
+### 30 Days Before Audit
+
+- [ ] Evidence collection automated where possible (API pulls from tools)
+- [ ] Gap analysis completed -- no open critical gaps
+- [ ] Point of contact assigned for each control domain
+- [ ] Auditor provided with system description and scope
+- [ ] Walkthrough scheduled with auditor for complex controls
+- [ ] Exception log documented (any deviations with compensating controls)
+
+### During Audit
+
+- [ ] Respond to auditor requests within 24 hours
+- [ ] Provide evidence in organized, labeled format
+- [ ] Escalate blockers to compliance lead immediately
+- [ ] Track all auditor questions and status in shared document
+
+## Policy Document Inventory
+
+| Policy | SOC 2 | ISO 27001 | GDPR | HIPAA | PCI-DSS |
+|--------|:-----:|:---------:|:----:|:-----:|:-------:|
+| Information Security Policy | R | R | R | R | R |
+| Acceptable Use Policy | R | R | | R | R |
+| Access Control Policy | R | R | R | R | R |
+| Data Classification Policy | | R | R | R | R |
+| Data Retention Policy | | R | R | R | R |
+| Incident Response Plan | R | R | R | R | R |
+| Business Continuity Plan | R | R | | R | |
+| Vendor Management Policy | R | R | R | R | R |
+| Change Management Policy | R | R | | | R |
+| Encryption Policy | R | R | R | R | R |
+| Privacy Policy (external) | | | R | R | |
+| Password Policy | R | R | | R | R |
+| Physical Security Policy | R | R | | R | R |
+| Risk Management Policy | R | R | R | R | R |
+| SDLC/Secure Development Policy | R | R | | | R |
+
+**R = Required.** Writing once with framework-agnostic language covers multiple audits.
+
+## GRC Platform Selection
+
+| Platform | Best For | Price Range | Key Feature |
+|----------|----------|-------------|------------|
+| Vanta | Startups, fast SOC 2 | $10K-$50K/yr | Automated evidence collection |
+| Drata | Mid-market, multi-framework | $10K-$50K/yr | Custom controls, integrations |
+| Secureframe | Startups, simple setup | $8K-$40K/yr | Fast onboarding |
+| Tugboat Logic (OneTrust) | Mid-market | $15K-$60K/yr | Risk management focus |
+| OneTrust | Enterprise, privacy-heavy | $50K-$200K/yr | GDPR/privacy specialization |
+| Manual (spreadsheets) | <10 employees, one framework | $0 | Pain |
+
+**Decision rule:** If pursuing SOC 2 and have > 15 employees, a GRC platform pays for itself in audit prep time saved.
+
+## Common Compliance Mistakes
+
+| Mistake | Consequence | Fix |
+|---------|------------|-----|
+| Starting with ISO 27001 before SOC 2 | Longer time to first audit report | SOC 2 Type I first (3-6 months) |
+| Policies written but not followed | Audit findings, qualified report | Automate enforcement where possible |
+| Annual access reviews only | Stale access, audit gaps | Quarterly for privileged, semi-annual for standard |
+| No evidence of control operation | Auditor cannot verify | Automated evidence collection via GRC platform |
+| Treating compliance as one-time project | Controls degrade, next audit fails | Continuous monitoring, monthly reviews |
+| Scope too broad on first audit | Higher cost, more findings | Start narrow, expand in subsequent years |

package/departments/marketing/skills/programmatic-seo/SKILL.md

@@ -121,3 +121,7 @@ Surface these issues WITHOUT being asked:
 ### Monitoring Plan
 | Metric | Tool | Threshold | Review Cadence |
 ```
+
+## References
+
+- [template-playbooks.md](references/template-playbooks.md) — 12 programmatic SEO playbooks with URL structures, schema markup, internal linking strategies, and indexation rules per page type

package/departments/marketing/skills/programmatic-seo/references/template-playbooks.md

@@ -0,0 +1,289 @@
+# Programmatic SEO Template Playbooks — Deep Reference
+
+> Companion to `programmatic-seo/SKILL.md`. 12 playbooks with URL structures, schema markup, and internal linking strategies.
+
+## Playbook Index
+
+| # | Playbook | Keyword Pattern | Pages Potential | Difficulty |
+|---|----------|----------------|:---------------:|:----------:|
+| 1 | Location Pages | `[service] in [city]` | 100-10K | Low |
+| 2 | Comparison Pages | `[X] vs [Y]` | 50-500 | Medium |
+| 3 | Alternative Pages | `[product] alternatives` | 20-200 | Medium |
+| 4 | Tool/Calculator Pages | `[type] calculator` | 10-100 | Low |
+| 5 | Glossary Pages | `what is [term]` | 100-1K | Low |
+| 6 | Statistics Pages | `[industry] statistics` | 20-200 | Medium |
+| 7 | Template Pages | `[type] template` | 50-500 | Low |
+| 8 | Directory Pages | `best [category] tools` | 20-200 | High |
+| 9 | Integration Pages | `[A] + [B] integration` | 50-500 | Low |
+| 10 | Persona Pages | `[product] for [audience]` | 20-200 | Medium |
+| 11 | Examples/Gallery Pages | `[type] examples` | 50-500 | Low |
+| 12 | Profile Pages | `[entity] [attribute]` | 100-10K | Medium |
+
+---
+
+## 1. Location Pages
+
+**Pattern:** `[service] in [city/state/country]`
+**Example:** "dentists in austin", "coworking spaces in lisbon"
+
+| Element | Specification |
+|---------|--------------|
+| URL | `/[service]/[city-slug]/` |
+| Title | `Best [Service] in [City] - [Year] Guide \| [Brand]` |
+| H1 | `[Service] in [City]` |
+| Unique content | Local data, pricing, reviews, neighborhood info |
+| Schema | `LocalBusiness`, `Service`, `AggregateRating` |
+| Internal links | Parent city hub, nearby cities, related services |
+
+**Data sources:** Google Business API, Yelp, government records, own data.
+**Thin content risk:** High. Must add unique local insights per page, not just city name swaps.
+
+## 2. Comparison Pages
+
+**Pattern:** `[X] vs [Y]`
+**Example:** "webflow vs wordpress", "notion vs confluence"
+
+| Element | Specification |
+|---------|--------------|
+| URL | `/compare/[x]-vs-[y]/` |
+| Title | `[X] vs [Y]: Honest Comparison ([Year]) \| [Brand]` |
+| H1 | `[X] vs [Y]` |
+| Unique content | Feature matrix, pricing table, use case recommendations |
+| Schema | `FAQPage`, `Table` |
+| Internal links | Individual product pages, related comparisons, category hub |
+
+**Content structure:**
+1. Quick verdict (above fold)
+2. Side-by-side feature comparison table
+3. Pricing comparison
+4. Best for [use case A] vs best for [use case B]
+5. FAQ section
+
+**Linking strategy:** Create a comparison hub (`/compare/`) linking all pairs. Link bidirectionally: X-vs-Y and Y-vs-X redirect to canonical.
+
+## 3. Alternative Pages
+
+**Pattern:** `[product] alternatives`
+**Example:** "mailchimp alternatives", "figma alternatives"
+
+| Element | Specification |
+|---------|--------------|
+| URL | `/alternatives/[product-slug]/` |
+| Title | `Top [N] [Product] Alternatives ([Year]) \| [Brand]` |
+| H1 | `Best [Product] Alternatives` |
+| Unique content | Why switch, ranked alternatives with pros/cons, migration tips |
+| Schema | `ItemList`, `FAQPage` |
+| Internal links | Comparison pages for each alternative pair, product reviews |
+
+**Ranking criteria to include:** Price, feature overlap, migration difficulty, best for [use case].
+
+## 4. Tool/Calculator Pages
+
+**Pattern:** `[type] calculator`, `[unit] converter`
+**Example:** "mortgage calculator", "px to rem converter"
+
+| Element | Specification |
+|---------|--------------|
+| URL | `/tools/[tool-slug]/` |
+| Title | `Free [Type] Calculator \| [Brand]` |
+| H1 | `[Type] Calculator` |
+| Unique content | Interactive tool, formula explanation, related examples |
+| Schema | `WebApplication`, `FAQPage` |
+| Internal links | Related tools, glossary terms, guides using this calculation |
+
+**Key success factors:** Tool must work without JavaScript for basic Googlebot rendering. Include text content below the tool for crawlability.
+
+## 5. Glossary Pages
+
+**Pattern:** `what is [term]`, `[term] definition`
+**Example:** "what is pSEO", "what is ARR"
+
+| Element | Specification |
+|---------|--------------|
+| URL | `/glossary/[term-slug]/` |
+| Title | `What is [Term]? Definition & Examples \| [Brand]` |
+| H1 | `What is [Term]?` |
+| Unique content | Clear definition, examples, related terms, visual aids |
+| Schema | `DefinedTerm`, `FAQPage` |
+| Internal links | Related glossary terms, in-depth guides, parent topic hub |
+
+**Content template:**
+1. One-sentence definition (target featured snippet)
+2. Expanded explanation (2-3 paragraphs)
+3. Real-world examples
+4. Common misconceptions
+5. Related terms (linked)
+
+## 6. Statistics Pages
+
+**Pattern:** `[industry/topic] statistics [year]`
+**Example:** "saas churn statistics 2025", "remote work statistics"
+
+| Element | Specification |
+|---------|--------------|
+| URL | `/statistics/[topic-slug]/` |
+| Title | `[N]+ [Topic] Statistics ([Year]) \| [Brand]` |
+| H1 | `[Topic] Statistics for [Year]` |
+| Unique content | Curated statistics with sources, charts, trend analysis |
+| Schema | `Article`, `Dataset` |
+| Internal links | Related statistics pages, guides citing these stats, glossary |
+
+**Defensibility:** High if you aggregate and visualize. Update annually for evergreen traffic. Always cite primary sources.
+
+## 7. Template Pages
+
+**Pattern:** `[type] template`, `[type] example`
+**Example:** "business plan template", "invoice template"
+
+| Element | Specification |
+|---------|--------------|
+| URL | `/templates/[type-slug]/` |
+| Title | `Free [Type] Template ([Year]) - Download Now \| [Brand]` |
+| H1 | `[Type] Template` |
+| Unique content | Preview, download, customization guide, use cases |
+| Schema | `CreativeWork`, `HowTo` |
+| Internal links | Related templates, guides on the topic, tool pages |
+
+**Conversion strategy:** Free preview, email gate for download, premium templates for paid users.
+
+## 8. Directory/Listicle Pages
+
+**Pattern:** `best [category] tools`, `top [N] [category]`
+**Example:** "best project management tools", "top 10 CRM software"
+
+| Element | Specification |
+|---------|--------------|
+| URL | `/best/[category-slug]/` |
+| Title | `[N] Best [Category] Tools ([Year]) \| [Brand]` |
+| H1 | `Best [Category] Tools` |
+| Unique content | Ranked list with scoring criteria, screenshots, pricing |
+| Schema | `ItemList`, `Review`, `FAQPage` |
+| Internal links | Individual reviews, comparison pages, alternative pages |
+
+**Scoring framework:** Define clear criteria (features, pricing, ease of use, support). Show scores transparently.
+
+## 9. Integration Pages
+
+**Pattern:** `[A] + [B] integration`, `connect [A] to [B]`
+**Example:** "slack asana integration", "zapier hubspot"
+
+| Element | Specification |
+|---------|--------------|
+| URL | `/integrations/[a-slug]-[b-slug]/` |
+| Title | `[A] + [B] Integration: How to Connect \| [Brand]` |
+| H1 | `Connect [A] to [B]` |
+| Unique content | Setup steps, use cases, limitations, alternatives |
+| Schema | `HowTo`, `SoftwareApplication` |
+| Internal links | Both product pages, related integrations, comparison pages |
+
+**Scale strategy:** If you have N integrations, you can generate N*(N-1)/2 combination pages. Only create pages with verified search volume.
+
+## 10. Persona Pages
+
+**Pattern:** `[product] for [audience]`
+**Example:** "crm for real estate", "accounting software for freelancers"
+
+| Element | Specification |
+|---------|--------------|
+| URL | `/for/[audience-slug]/` |
+| Title | `[Product] for [Audience]: Features & Pricing \| [Brand]` |
+| H1 | `[Product] for [Audience]` |
+| Unique content | Audience-specific features, testimonials, use cases, pricing |
+| Schema | `Product`, `FAQPage` |
+| Internal links | Main product page, related persona pages, case studies |
+
+**Content differentiation:** Each persona page must highlight different features, different testimonials, and different use cases. Not just audience name swaps.
+
+## 11. Examples/Gallery Pages
+
+**Pattern:** `[type] examples`, `[type] inspiration`
+**Example:** "landing page examples", "portfolio website examples"
+
+| Element | Specification |
+|---------|--------------|
+| URL | `/examples/[type-slug]/` |
+| Title | `[N] [Type] Examples for Inspiration ([Year]) \| [Brand]` |
+| H1 | `[Type] Examples` |
+| Unique content | Curated examples with screenshots, analysis, what works and why |
+| Schema | `ItemList`, `ImageObject` |
+| Internal links | Template pages, related examples, how-to guides |
+
+**Image optimization:** Compress screenshots, use descriptive alt text, implement lazy loading. Images are the content here.
+
+## 12. Profile/Entity Pages
+
+**Pattern:** `[entity name] [attribute]`
+**Example:** "stripe ceo", "shopify revenue", "notion pricing"
+
+| Element | Specification |
+|---------|--------------|
+| URL | `/companies/[entity-slug]/` or `/people/[entity-slug]/` |
+| Title | `[Entity]: [Key Attribute] & Overview \| [Brand]` |
+| H1 | `[Entity]` |
+| Unique content | Structured data about the entity, timeline, key facts |
+| Schema | `Organization`, `Person`, `Article` |
+| Internal links | Related entities, industry pages, comparison pages |
+
+**Data defensibility:** Strongest when using proprietary data. Public data pages compete with Wikipedia and Crunchbase.
+
+---
+
+## Universal Internal Linking Strategy
+
+### Hub-and-Spoke Model
+
+```
+                    [Category Hub]
+                   /    |    |    \
+            [Page A] [Page B] [Page C] [Page D]
+              |         |         |         |
+           [Sub A1]  [Sub B1]  [Sub C1]  [Sub D1]
+```
+
+### Cross-Linking Rules
+
+| Rule | Implementation |
+|------|---------------|
+| Every page links to its parent hub | Breadcrumb + in-content link |
+| Hub links to all children | Paginated list or directory |
+| Siblings link to each other | "Related" section (3-5 links) |
+| Cross-type linking | Glossary term links to comparison, comparison links to alternatives |
+| No orphan pages | Every page reachable within 3 clicks from homepage |
+
+## Universal Schema Markup Checklist
+
+- [ ] `BreadcrumbList` on every page (navigation path)
+- [ ] Primary schema type matching page intent (see per-playbook above)
+- [ ] `FAQPage` where genuine questions are answered
+- [ ] `Organization` on the homepage
+- [ ] `SiteNavigationElement` in header/footer
+- [ ] Test with Google Rich Results Test before launch
+- [ ] Monitor Search Console for schema errors weekly
+
+## Indexation Strategy for Scale
+
+| Page Count | Strategy |
+|------------|---------|
+| < 100 pages | Index all, single sitemap |
+| 100-1K pages | Index all with quality threshold, segmented sitemaps |
+| 1K-10K pages | noindex thin pages (<300 words), priority in sitemap |
+| 10K+ pages | Aggressive quality gating, separate sitemap per type, crawl budget management |
+
+### Sitemap Segmentation
+
+```xml
+sitemap-index.xml
+  sitemap-locations.xml      (location pages)
+  sitemap-comparisons.xml    (comparison pages)
+  sitemap-glossary.xml       (glossary pages)
+  sitemap-tools.xml          (tool/calculator pages)
+```
+
+### Quality Gate Before Indexing
+
+| Check | Threshold | Action if Below |
+|-------|-----------|----------------|
+| Word count | > 300 words | noindex or add content |
+| Unique content ratio | > 60% unique vs template | noindex or rewrite |
+| Search volume for target keyword | > 10/month | noindex or consolidate |
+| Internal links pointing to page | >= 2 | Add links or orphan alert |

package/departments/ops/skills/gdpr-compliance/SKILL.md

@@ -0,0 +1,104 @@
+---
+name: ops/gdpr-compliance
+description: >
+  GDPR compliance assessment with data mapping, DPIA generation, breach response planning, and data subject rights management.
+allowed-tools: [Read, Write, Edit, Bash, Grep, Glob, Agent, WebFetch, WebSearch]
+---
+
+# GDPR Compliance — `/ops gdpr-compliance`
+
+> **Agent:** Daniel (Ops Lead) | **Framework:** GDPR (EU 2016/679), Privacy by Design (Cavoukian)
+
+## GDPR Compliance Checklist
+
+| Area | Requirement | GDPR Article | Status |
+|------|------------|-------------|--------|
+| Legal Basis | Documented lawful basis for each processing activity | Art. 6 | [ ] |
+| Consent | Freely given, specific, informed, unambiguous | Art. 7 | [ ] |
+| Data Mapping | Records of processing activities maintained | Art. 30 | [ ] |
+| DPIA | Impact assessment for high-risk processing | Art. 35 | [ ] |
+| DPO | Data Protection Officer appointed (if required) | Art. 37 | [ ] |
+| Subject Rights | Process for access, rectification, erasure, portability | Art. 15-20 | [ ] |
+| Breach Response | 72-hour notification procedure documented | Art. 33 | [ ] |
+| Transfers | Adequate safeguards for international data transfers | Art. 46 | [ ] |
+| Privacy by Design | Data protection integrated into system design | Art. 25 | [ ] |
+| Retention | Data retention and deletion policies defined | Art. 5(1)(e) | [ ] |
+
+## Data Mapping Template
+
+| Processing Activity | Data Categories | Data Subjects | Legal Basis | Retention | Recipients | Transfers |
+|---------------------|----------------|---------------|-------------|-----------|------------|-----------|
+| User registration | Name, email | Customers | Contract | Account lifetime + 1yr | Internal | None |
+| Newsletter | Email, preferences | Subscribers | Consent | Until withdrawal | Mailchimp | US (SCCs) |
+| Analytics | IP, behavior | Visitors | Legitimate interest | 26 months | Google | US (SCCs) |
+
+## DPIA Decision Criteria
+
+A DPIA is **required** when processing involves:
+
+| Criterion | Example | WP29 Reference |
+|-----------|---------|----------------|
+| Systematic monitoring | Employee tracking, CCTV | Art. 35(3)(c) |
+| Large-scale special data | Health records platform | Art. 35(3)(b) |
+| Automated decisions with legal effects | Credit scoring, hiring AI | Art. 35(3)(a) |
+| Combining datasets | CRM + analytics merge | WP248 criterion 4 |
+| Vulnerable data subjects | Children, employees | WP248 criterion 7 |
+| New technology | Biometrics, AI profiling | WP248 criterion 8 |
+
+## Data Subject Rights — Response Workflow
+
+| Right | Article | Deadline | Extensions |
+|-------|---------|----------|------------|
+| Access | Art. 15 | 30 days | +60 days (complex) |
+| Rectification | Art. 16 | 30 days | +60 days (complex) |
+| Erasure ("Right to be Forgotten") | Art. 17 | 30 days | +60 days (complex) |
+| Restriction | Art. 18 | 30 days | +60 days (complex) |
+| Portability | Art. 20 | 30 days | +60 days (complex) |
+| Objection | Art. 21 | 30 days | N/A |
+
+## Breach Response Procedure
+
+1. **Detect and contain** — Isolate affected systems, preserve evidence
+2. **Assess severity** — Personal data types, number of subjects, likely harm
+3. **Notify authority** — Within 72 hours if risk to rights/freedoms (Art. 33)
+4. **Notify data subjects** — Without undue delay if high risk (Art. 34)
+5. **Document** — Record breach details, effects, remedial actions taken
+6. **Review** — Update risk assessment and preventive controls
+
+## Proactive Triggers
+
+Surface these issues WITHOUT being asked:
+
+- Personal data processing without DPIA documented -> flag as GDPR Art. 35 violation risk
+- No DPO appointed when processing triggers mandatory designation -> flag as Art. 37 compliance gap
+- Data retention policy missing or undefined for processing activities -> flag as Art. 5(1)(e) breach risk
+
+## Output
+
+```markdown
+## GDPR Compliance Assessment: <organization/project>
+
+### Compliance Score: X/10
+
+### Critical Gaps
+- [CG1] Description — Art. X reference — Remediation steps
+
+### Data Mapping Summary
+- Processing activities documented: X
+- Legal bases verified: X/X
+- International transfers: X (safeguards: Y/N)
+
+### DPIA Status
+- Required: Y/N — Reason: [criteria]
+- Completed: Y/N
+
+### Recommendations
+1. [Priority] Action — Timeline — Owner
+
+### Next Review: <date>
+```
+
+## References
+
+- [gdpr-compliance-guide.md](references/gdpr-compliance-guide.md) — Legal bases, special category data, accountability requirements, breach notification procedures
+- [dpia-methodology.md](references/dpia-methodology.md) — DPIA threshold assessment, risk methodology, mitigation categories, consultation process

package/departments/ops/skills/iso27001/SKILL.md

@@ -0,0 +1,113 @@
+---
+name: ops/iso27001
+description: >
+  ISO 27001 ISMS implementation, control mapping, risk treatment planning, and certification audit preparation.
+allowed-tools: [Read, Write, Edit, Bash, Grep, Glob, Agent, WebFetch, WebSearch]
+---
+
+# ISO 27001 ISMS — `/ops iso27001`
+
+> **Agent:** Daniel (Ops Lead) | **Framework:** ISO 27001:2022, ISO 27002:2022, ISMS
+
+## ISMS Implementation Phases
+
+| Phase | Key Activities | Deliverables | Timeline |
+|-------|---------------|-------------|----------|
+| 1. Context | Define scope, interested parties, internal/external issues | Scope statement, context document | 2-4 weeks |
+| 2. Leadership | Security policy, roles, management commitment | IS policy, RACI chart | 1-2 weeks |
+| 3. Planning | Risk assessment, risk treatment, objectives | Risk register, treatment plan, SoA | 4-6 weeks |
+| 4. Support | Resources, competence, awareness, communication | Training plan, comm matrix | 2-4 weeks |
+| 5. Operation | Implement controls, operate processes | Control evidence, procedures | 8-12 weeks |
+| 6. Evaluation | Internal audit, management review, monitoring | Audit report, review minutes | 2-4 weeks |
+| 7. Improvement | Nonconformity management, continual improvement | CAPA records, improvement log | Ongoing |
+
+## Risk Assessment Methodology
+
+| Step | Activity | Output |
+|------|----------|--------|
+| 1 | Identify information assets and owners | Asset inventory |
+| 2 | Identify threats per asset | Threat catalog |
+| 3 | Identify vulnerabilities exploitable by threats | Vulnerability list |
+| 4 | Assess likelihood (1-5) and impact (1-5) | Risk scores |
+| 5 | Calculate risk level (L x I) | Risk matrix |
+| 6 | Determine treatment (mitigate, accept, transfer, avoid) | Risk treatment plan |
+
+### Risk Matrix
+
+| Likelihood / Impact | Negligible (1) | Minor (2) | Moderate (3) | Major (4) | Critical (5) |
+|---------------------|---------------|-----------|-------------|-----------|-------------|
+| Almost Certain (5) | 5 | 10 | 15 | 20 | 25 |
+| Likely (4) | 4 | 8 | 12 | 16 | 20 |
+| Possible (3) | 3 | 6 | 9 | 12 | 15 |
+| Unlikely (2) | 2 | 4 | 6 | 8 | 10 |
+| Rare (1) | 1 | 2 | 3 | 4 | 5 |
+
+**Treatment thresholds:** 1-4 Accept | 5-9 Monitor | 10-15 Mitigate (90 days) | 16-20 Mitigate (30 days) | 21-25 Immediate action
+
+## Annex A Control Categories (ISO 27002:2022)
+
+| Category | Controls | Examples |
+|----------|---------|---------|
+| Organizational (5-8) | 37 | Policies, roles, asset management, access control |
+| People (6) | 8 | Screening, awareness, disciplinary, termination |
+| Physical (7) | 14 | Perimeters, entry controls, equipment security |
+| Technological (8) | 34 | Endpoint, privileged access, encryption, logging |
+
+## Certification Readiness Checklist
+
+### Stage 1 (Documentation Review)
+- [ ] ISMS scope documented and approved
+- [ ] Information security policy signed by management
+- [ ] Risk assessment methodology defined and executed
+- [ ] Statement of Applicability (SoA) completed
+- [ ] Risk treatment plan with control mapping
+- [ ] Internal audit conducted within past 12 months
+- [ ] Management review completed with documented outputs
+
+### Stage 2 (Implementation Audit)
+- [ ] All Stage 1 findings resolved
+- [ ] ISMS operational for minimum 3 months
+- [ ] Controls implemented with evidence of effectiveness
+- [ ] Security awareness training completed organization-wide
+- [ ] Incident response plan tested
+- [ ] Access reviews documented at required frequency
+- [ ] Metrics collected and monitored
+
+## Proactive Triggers
+
+Surface these issues WITHOUT being asked:
+
+- ISMS scope undefined or not formally approved -> flag as Clause 4.3 gap blocking certification
+- No risk treatment plan linking risks to Annex A controls -> flag as Clause 6.1.3 nonconformity
+- Annex A controls not mapped in Statement of Applicability -> flag as Clause 6.1.3(d) requirement
+
+## Output
+
+```markdown
+## ISO 27001 Assessment: <organization>
+
+### ISMS Maturity: <Initial | Managed | Defined | Measured | Optimizing>
+
+### Gap Analysis Summary
+- Clauses assessed: X/10
+- Controls mapped: X/93 (Annex A)
+- Gaps identified: X critical, X high, X medium
+
+### Risk Register Summary
+- Total risks: X
+- Critical/High: X (treatment plans required)
+- Accepted: X (with documented rationale)
+
+### Certification Readiness: X% (Stage 1) / X% (Stage 2)
+
+### Remediation Roadmap
+| Priority | Gap | Action | Owner | Target |
+|----------|-----|--------|-------|--------|
+
+### Next Review: <date>
+```
+
+## References
+
+- [iso27001-controls.md](references/iso27001-controls.md) — Full Annex A control list with implementation guidance and evidence requirements
+- [risk-assessment-guide.md](references/risk-assessment-guide.md) — Risk methodology, asset classification, threat modeling, risk calculation methods