Status: Stable
Version: 1.0.0
Author: Rifteo
Tags: compliance, security, access
Installation
rifteo-skills add control-lookup

Summary

Provide any control ID, name, or plain-language description and get back a complete control card with implementation guidance, cross-framework equivalents, related controls, and evidence-based testing hints.
  • Accepts control IDs from ISO 27001 (2013/2022), NIST CSF (1.1/2.0), PCI-DSS v4, OWASP Top 10, and OWASP ASVS as well as keywords and plain-language objectives
  • Returns a full control card: objective, description, control type, and implementation guidance
  • Maps the control to all four other frameworks with a confidence level: Direct, Partial, or Related
  • Provides 3–5 evidence-based testing hints including common failure modes and subtle edge cases

SKILL.md file

Control Lookup

Look up any control ID, name, or description and receive the full control details plus cross-framework mappings and testing guidance.

When to Use This Skill

Use this skill when the user:
  • Provides a control ID and asks what it means (e.g. “what is ISO 27001 A.9.1.1?” or “explain NIST CSF PR.AC-1”)
  • Asks how controls map across frameworks (e.g. “what’s the NIST CSF equivalent of PCI-DSS Req 8?”)
  • Searches for a control by keyword or description (e.g. “what control covers MFA?” or “find the control for patch management”)
  • Needs testing hints or evidence criteria before writing a finding or test procedure
  • Wants to understand related or prerequisite controls within a framework

What Does It Check?

The skill identifies a control based on ID, name, or plain-language intent, then produces a self-contained card. Cross-framework mappings are assigned a confidence level (Direct / Partial / Related); a Direct mapping means satisfying one control largely satisfies the other. All five rows of the mapping table are always populated; if no mapping exists, it says so explicitly rather than forcing a weak mapping.

In scope:
  • ISO 27001:2013 and ISO 27001:2022 Annex A
  • NIST CSF 1.1 and 2.0
  • PCI-DSS v3.2.1 and v4.0
  • OWASP Top 10 (A01:2021–A10:2021)
  • OWASP ASVS 4.0 and 5.0
Out of scope:
  • Producing compliance gap reports: use compliance-gap-analyzer for that
  • Writing findings from vulnerabilities: use finding-writer for that

How It Works

Step 1: Parse the Input

Accept the control ID, name, or plain-language description. Normalize to canonical notation and note the framework version. If the input is ambiguous (e.g. “Control 5” could match multiple frameworks), list all candidates and ask the user to confirm.

Step 2: Control Card

Produce the full control details: canonical ID, framework and version, domain/category, official name, objective, full description, control type (Preventive/Detective/Corrective/Compensating), and 2–4 implementation guidance points.

Step 3: Cross-Framework Mapping

Map to equivalents in all other frameworks. Each mapping includes the control ID, name, confidence level, and a brief note on what aligns and what differs. Multi-mappings (one control mapping to several in another framework) are listed with all matches ranked by confidence.

Step 4: Related Controls

List 2–4 controls in the same framework that are prerequisites, dependents, or commonly tested together.

Step 5: Testing Hints

Provide 3–5 specific, evidence-based indicators an auditor would look for: not generic guidance, but concrete requests such as “access control policy, approved by management and reviewed within the last 12 months.” Also covers common failure modes and edge cases where a control is technically in place but its spirit is not met.
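As an added illustration (not the skill's own implementation), the following Python sketches Steps 1 and 3: a parser that recognises each framework's ID notation and returns every candidate, so that ambiguous input such as “Control 5” can be bounced back to the user, and a mapping-table builder that fills the row for every other framework with the explicit “No direct or partial mapping” note when nothing is known. The regexes, the “Req N” canonical form for PCI-DSS and the row tuple layout are assumptions made here; the mapping data passed in is constructed sample input, not a verified mapping.

```python
import re

FRAMEWORKS = ("ISO 27001", "NIST CSF", "PCI-DSS", "OWASP Top 10", "OWASP ASVS")  # mapping-table order
CONFIDENCE = ("Direct", "Partial", "Related")
NO_MAPPING = "No direct or partial mapping"

# One regex per framework's ID notation (constructed here, not the skill's own parser);
# a bare number such as "Control 5" deliberately matches more than one framework.
_ID_PATTERNS = {
    "ISO 27001": re.compile(r"^(?:ISO\s*27001(?::(?P<ver>2013|2022))?\s+)?(?:control\s+)?"
                            r"(?P<id>(?:A\.)?\d+(?:\.\d+){0,3})$", re.I),
    "NIST CSF": re.compile(r"^(?:NIST\s*CSF(?:\s*(?P<ver>1\.1|2\.0))?\s+)?"
                           r"(?P<id>[A-Z]{2}\.[A-Z]{2}-\d+)$", re.I),
    "PCI-DSS": re.compile(r"^(?:PCI[- ]?DSS(?:\s*v(?P<ver>3\.2\.1|4\.0))?\s+)?"
                          r"(?:req(?:uirement)?\.?\s*|control\s+)?(?P<id>\d+(?:\.\d+)*)$", re.I),
    "OWASP Top 10": re.compile(r"^(?:OWASP\s*Top\s*10\s+)?(?P<id>A\d{2}:2021)$", re.I),
    "OWASP ASVS": re.compile(r"^(?:OWASP\s*ASVS(?:\s*(?P<ver>4\.0|5\.0))?\s+)?"
                             r"(?P<id>V\d+(?:\.\d+){0,2})$", re.I),
}

def parse_control_ref(text):
    """Step 1: every (framework, version, canonical ID) the input could denote; >1 means ask the user."""
    text = " ".join(text.split())  # collapse stray whitespace before matching
    candidates = []
    for fw, pat in _ID_PATTERNS.items():
        m = pat.match(text)
        if m:
            ident = m.group("id").upper()
            if fw == "PCI-DSS":
                ident = "Req " + ident  # assumed canonical PCI-DSS notation
            ver = m.groupdict().get("ver") or "unspecified"  # version noted when the input carries one
            candidates.append({"framework": fw, "version": ver, "id": ident})
    return candidates

def build_mapping_rows(source_framework, known_mappings):
    """Step 3: one row per other framework; known_mappings is {framework: (id, name, confidence)}."""
    rows = []
    for fw in (f for f in FRAMEWORKS if f != source_framework):
        entry = known_mappings.get(fw)
        if entry is None:
            rows.append((fw, "", NO_MAPPING, ""))  # stated explicitly, never a forced weak mapping
            continue
        ident, name, confidence = entry
        if confidence not in CONFIDENCE:
            raise ValueError(f"unknown confidence level: {confidence!r}")
        rows.append((fw, ident, name, confidence))
    return rows
```

Free-text queries such as “what control covers MFA?” yield no candidates from the parser and would fall through to the keyword search the skill describes.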

Output

Status | Condition
Full control card | Control identified and all sections populated
Clarification request | Input matches multiple candidates; user must confirm
No mapping note | Framework row is populated with “No direct or partial mapping” if none exists
Example output structure:
Control: [ID] [Name]
Framework: [name + version]
Domain: [category]
Type: [Preventive / Detective / ...]

Objective: ...
Description: ...
Implementation guidance: ...

Cross-Framework Mappings table (5 rows, always complete)
Related Controls table
Testing Hints (3–5 evidence items)
Common failure modes
Edge cases

Known Limitations

  • Mappings are based on the skill’s training knowledge; always verify against the latest published framework documents for high-stakes decisions
  • If a keyword matches controls across multiple frameworks, a card is produced for each; review all before acting

Benchmark Results

Tested on claude-sonnet-4-6 via Claude Code CLI. Same prompt, same model, same target. The only variable is whether the skill is loaded.
Metric | Without Skill | With Skill
Turns to complete | 3 | 1
Response tokens | ~3,297 | ~2,068
Total time | 63s | 51s
User effort | High | Low

compliance-gap-analyzer

Aggregate findings into a gap report across ISO 27001, NIST CSF, PCI-DSS, and OWASP

finding-writer

Convert raw pentest notes into structured audit findings ready for reporting

risk-assessor

Score a vulnerability using likelihood × impact with SLA-bound remediation urgency