Status: Stable | Version: 1.0.0 | Author: Rifteo | Tags: compliance, security, reporting
Installation
rifteo-skills add compliance-gap-analyzer

Summary

Turns a raw list of audit findings into a fully structured compliance gap report, covering status classification, gap prioritization, blind spot analysis, and optional delta comparison against a prior audit.
  • Groups findings by framework and control, then applies a weakest-link rule to classify each control as Compliant, Partially Compliant, Non-Compliant, or Not Tested
  • Assigns a Gap Priority Score (Critical → Low) based on finding severity and control criticality within the framework
  • Surfaces blind spots (controls that were in scope but never tested) as unknown-risk items requiring explicit acknowledgment
  • Optionally compares against a previous audit to flag regressions, closed gaps, and persistent issues

SKILL.md file

Compliance Gap Analyzer

Aggregate audit findings into a structured gap report across ISO 27001, NIST CSF, PCI-DSS, and OWASP frameworks.

When to Use This Skill

Use this skill when the user:
  • Provides a list of audit findings tagged to framework controls and asks for a gap report
  • Asks “what controls are failing?” or “what are our biggest compliance gaps?”
  • Needs to identify blind spots or untested controls in an audit scope
  • Wants to compare current compliance posture against a previous audit (delta analysis)
  • Shares pentest or audit results and wants them mapped to a compliance framework

What Does It Check?

This skill processes findings mapped to ISO 27001, NIST CSF, PCI-DSS v4, OWASP Top 10, and OWASP ASVS controls. It classifies each control using a weakest-link rule: a single non-compliant finding marks the whole control as Non-Compliant. Partially Compliant controls are treated as gaps, not as passing. Blind spots (controls with no findings) are flagged separately because their risk is unknown.

In scope:
  • ISO 27001 (2013 and 2022 Annex A), NIST CSF 1.1 and 2.0, PCI-DSS v3.2.1 and v4.0, OWASP Top 10 (A01–A10), OWASP ASVS (VX.Y.Z)
  • Single findings that map to multiple frameworks simultaneously
  • Delta analysis when a previous gap report is provided
Out of scope:
  • Producing findings from raw scans or tool output; use finding-writer first
  • Providing control definitions or cross-framework mappings; use control-lookup for that

How It Works

Step 1: Gather Inputs
Confirm the framework(s) in scope, the list of findings (each with a control reference, compliance status, and severity), and optionally a previous audit report for delta analysis.

Step 2: Normalize and Group
Group findings by framework and control, normalizing control IDs to canonical notation. Cross-framework findings appear in every relevant framework; they are not deduplicated.

Step 3: Classify Each Control
Apply the weakest-link rule to produce one of four statuses per control: Compliant, Partially Compliant, Non-Compliant, or Not Tested (blind spot).

Step 4: Prioritize Gaps
Score each gap using finding severity (0–4) plus control criticality within the framework (0–2). Score 5–6 = Critical (48h); 3–4 = High (7 days); 2 = Medium (30 days); 0–1 = Low.

Step 5: Delta Analysis (optional)
Compare against a previous audit to identify new gaps, closed gaps, persistent gaps, regressions (controls that passed before and now fail), and blind spot changes.
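The weakest-link classification, the gap priority scoring, the delta comparison and the compliance-versus-coverage rate split described above, implemented end to end in Python as an added example. This is not the skill's own code and not code from Rifteo; the finding records, control IDs, criticality values and the previous-audit status map are constructed sample data, the canonical-notation rule (upper-case, whitespace removed) is an assumption, and using the worst finding severity within a control as that control's severity input for Step 4 is likewise an assumption of this example.

```python
from collections import defaultdict

# Scoring tables as stated in the skill description: finding severity 0-4,
# control criticality 0-2, and a weakest-link ordering of finding statuses.
SEVERITY_SCORE = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
STATUS_RANK = {"compliant": 0, "partially_compliant": 1, "non_compliant": 2}
STATUS_LABEL = {0: "Compliant", 1: "Partially Compliant", 2: "Non-Compliant"}
GAP_STATUSES = {"Partially Compliant", "Non-Compliant"}  # partial counts as a gap


def normalize_control(framework, control):
    """Canonical notation (assumed rule): upper-case, whitespace removed,
    so 'iso27001 / a.8.24' and 'ISO27001 / A.8.24' land on the same key."""
    return framework.strip().upper(), control.strip().replace(" ", "").upper()


def group_findings(findings):
    """Step 2: index findings by (framework, control). A finding mapped to
    several frameworks is listed under each of them; nothing is deduplicated."""
    grouped = defaultdict(list)
    for finding in findings:
        for framework, control in finding["controls"]:
            grouped[normalize_control(framework, control)].append(finding)
    return grouped


def classify_controls(grouped, scope):
    """Step 3: weakest-link rule. The worst finding status decides the control;
    an in-scope control with no findings at all is a blind spot (Not Tested)."""
    keys = set(grouped) | {normalize_control(fw, ctl) for fw, ctl in scope}
    statuses = {}
    for key in keys:
        group = grouped.get(key)
        if not group:
            statuses[key] = "Not Tested"
        else:
            statuses[key] = STATUS_LABEL[max(STATUS_RANK[f["status"]] for f in group)]
    return statuses


def priority_bucket(score):
    """Step 4 bands: 5-6 Critical (48h), 3-4 High (7 days), 2 Medium (30 days), 0-1 Low."""
    if score >= 5:
        return "Critical", "48h"
    if score >= 3:
        return "High", "7 days"
    if score == 2:
        return "Medium", "30 days"
    return "Low", None  # the skill states no remediation window for Low


def prioritize_gaps(grouped, statuses, criticality):
    """Step 4: score = worst finding severity in the control (assumption) + criticality."""
    gaps = []
    for key, status in statuses.items():
        if status not in GAP_STATUSES:
            continue
        severity = max(SEVERITY_SCORE[f["severity"]] for f in grouped[key])
        score = severity + criticality.get(key, 0)
        priority, sla = priority_bucket(score)
        gaps.append({"control": key, "status": status, "score": score,
                     "priority": priority, "sla": sla})
    return sorted(gaps, key=lambda g: (-g["score"], g["control"]))


def coverage_rates(statuses):
    """Compliance rate is over tested controls only; coverage rate is over all in scope."""
    tested = [s for s in statuses.values() if s != "Not Tested"]
    compliant = sum(1 for s in tested if s == "Compliant")
    return {"compliance_rate": compliant / len(tested) if tested else 0.0,
            "coverage_rate": len(tested) / len(statuses) if statuses else 0.0}


def delta_analysis(previous, current):
    """Step 5: a gap that was Compliant before is a regression; a gap with no
    prior pass (absent or Not Tested before) is a new gap."""
    out = {k: [] for k in ("new_gaps", "closed_gaps", "persistent_gaps",
                           "regressions", "blind_spot_changes")}
    for key in sorted(set(previous) | set(current)):
        before, now = previous.get(key), current.get(key)
        was_gap, is_gap = before in GAP_STATUSES, now in GAP_STATUSES
        if is_gap and before == "Compliant":
            out["regressions"].append(key)
        elif is_gap and was_gap:
            out["persistent_gaps"].append(key)
        elif is_gap:
            out["new_gaps"].append(key)
        elif was_gap and now == "Compliant":
            out["closed_gaps"].append(key)
        if (before == "Not Tested") != (now == "Not Tested"):
            out["blind_spot_changes"].append(key)
    return out


# Constructed sample input (not real audit data); F-1 is a cross-framework finding.
SAMPLE_FINDINGS = [
    {"id": "F-1", "status": "non_compliant", "severity": "high",
     "controls": [("ISO27001", "A.8.24"), ("PCI-DSS", "3.5.1")]},
    {"id": "F-2", "status": "compliant", "severity": "info", "controls": [("iso27001", "a.8.24")]},
    {"id": "F-3", "status": "partially_compliant", "severity": "medium", "controls": [("NIST-CSF", "PR.AC-1")]},
    {"id": "F-4", "status": "compliant", "severity": "info", "controls": [("OWASP-TOP10", "A01")]},
]
SAMPLE_SCOPE = [("ISO27001", "A.8.24"), ("ISO27001", "A.5.15"), ("NIST-CSF", "PR.AC-1"),
                ("OWASP-TOP10", "A01"), ("PCI-DSS", "3.5.1")]
SAMPLE_CRITICALITY = {("ISO27001", "A.8.24"): 2, ("PCI-DSS", "3.5.1"): 2, ("NIST-CSF", "PR.AC-1"): 1}
SAMPLE_PREVIOUS = {("ISO27001", "A.8.24"): "Compliant", ("PCI-DSS", "3.5.1"): "Non-Compliant",
                   ("NIST-CSF", "PR.AC-1"): "Not Tested", ("ISO27001", "A.5.15"): "Compliant",
                   ("OWASP-TOP10", "A01"): "Compliant"}


def build_report(findings=SAMPLE_FINDINGS, scope=SAMPLE_SCOPE,
                 criticality=SAMPLE_CRITICALITY, previous=None):
    """Runs Steps 2-5 and returns the report sections as plain data."""
    grouped = group_findings(findings)
    statuses = classify_controls(grouped, scope)
    return {"statuses": statuses,
            "gaps": prioritize_gaps(grouped, statuses, criticality),
            "blind_spots": sorted(k for k, s in statuses.items() if s == "Not Tested"),
            "rates": coverage_rates(statuses),
            "delta": delta_analysis(previous, statuses) if previous else None}


if __name__ == "__main__":
    for section, value in build_report(previous=SAMPLE_PREVIOUS).items():
        print(section, value)
```

Note that F-2 (a passing finding on ISO 27001 A.8.24) does not rescue the control: the non-compliant F-1 on the same control wins under the weakest-link rule, and A.8.24 also counts as a regression in the delta because it passed in the previous audit. The compliance rate in the sample is 25% (one of four tested controls), while coverage is 80% (four of five in scope), which is why the two rates are reported separately.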

Output

Status            Condition
Complete report   Findings are provided with control mappings
Error             No findings or control mappings provided; the skill stops and asks for input

Example output structure:
  • Coverage Summary table
  • Prioritized Gap List (ordered by Gap Priority Score)
  • Blind Spots (Not Tested controls)
  • Compliant Controls (summary only)
  • Delta Analysis (if prior audit provided)
  • Key Observations
  • Recommended Next Steps

Known Limitations

  • Requires findings to already have control references; the skill does not auto-map raw vulnerabilities to controls
  • Compliance rate is calculated over tested controls only, not total controls in scope; coverage rate is reported separately

Benchmark Results

Tested on claude-sonnet-4-6 via Claude Code CLI. Same prompt, same model, same target. The only variable is whether the skill is loaded.
Metric             Without Skill   With Skill
Turns to complete  1               1
Response tokens    ~4,317          ~2,661
Total time         88s             57s
Output quality     Partial         Complete

finding-writer

Convert raw pentest notes into structured audit findings ready for reporting

control-lookup

Look up any control ID and map it across ISO 27001, NIST CSF, PCI-DSS, and OWASP

risk-assessor

Score a vulnerability using likelihood × impact with SLA-bound remediation urgency