Compliance Checklists

Generate SOC 2, GDPR, HIPAA, and ISO 27001 compliance checklists, policy templates, evidence trackers, and audit readiness reports — locally, included with your subscription

Plugin ID

pf-compliance-checklists

Category

legal

Version

v1.2

Downloads

34

pf-compliance-checklists

v1.1 — Generate SOC 2, GDPR, HIPAA, ISO 27001, NIST CSF 2.0, and PCI DSS 4.0 compliance checklists, policy templates, evidence trackers, and audit preparation reports with source-level regulation citations — locally, included with your subscription.

Important: All documents generated by this plugin are drafts intended as starting points. Compliance documentation should be reviewed by your compliance officer or qualified professional to ensure it meets your organization's specific regulatory requirements.

Overview

pf-compliance-checklists is a compliance documentation plugin for Claude Desktop and Cowork. It is meant to reduce dependence on expensive compliance platforms such as Vanta ($7,500-$80,000/yr) and Sprinto ($4,000-$25,000/yr) during the documentation and planning phase.

Instead of paying thousands per year for continuous monitoring (which you may not need yet), this plugin helps you:

  1. Assess compliance gaps against major frameworks
  2. Generate detailed checklists for systematic implementation
  3. Create professional policies customized to your company
  4. Track evidence collection for audit preparation
  5. Prepare comprehensive audit reports with risk analysis

Generated files are written to your local workspace. The details you enter are processed by Claude inside your Claude Desktop or Cowork session rather than uploaded to a third-party compliance platform; treat gap analyses and evidence trackers as sensitive, since they describe your control weaknesses.

Features

Compliance Frameworks Supported

  • SOC 2 — AICPA TSP §100 (Trust Services Criteria 2017), reported under SSAE 18
  • GDPR — Regulation (EU) 2016/679, 99 articles across 11 chapters
  • HIPAA — 45 CFR Parts 160, 162, 164 (Security, Privacy, Breach Notification Rules)
  • ISO 27001:2022 — ISO/IEC 27001:2022, 93 Annex A controls in 4 themes
  • NIST CSF 2.0 — 6 functions, 22 categories (cross-mapping reference)
  • PCI DSS v4.0 — 12 requirements across 6 goals (awareness level)

Key Features

  • Gap Analysis — Assess your current state vs. framework requirements
  • Comprehensive Checklists — 24-93 controls per framework with plain-English guidance
  • Policy Templates — 4-6 professional, customized policy documents per framework
  • Evidence Tracking — Map what evidence is needed, who's responsible, and collection status
  • Audit Preparation Reports — Synthesized analysis with prioritized remediation timeline
  • Full Pipeline — Run all stages sequentially from gap analysis to audit prep
  • Local Output — Generated files are written to your local workspace; the data you enter is processed by Claude within your Claude Desktop/Cowork session, not sent to a third-party compliance platform
  • Customizable — Edit generated documents to match your organization
  • No Separate Subscription — Included with your Claude subscription; no per-seat compliance platform fee

Installation

  1. Install the Python dependency (python-docx is the only one):

    pip install python-docx --break-system-packages

    The --break-system-packages flag tells pip to ignore the PEP 668 guard that protects a distribution-managed Python. If you prefer not to modify system site-packages, install python-docx into a virtual environment (python3 -m venv) without the flag, provided the interpreter the plugin invokes can import from it.
  2. Load the plugin in Claude Desktop or Cowork

  3. Run setup:

    /compliance-checklists:setup
    

Quick Start

5-Minute Start: Generate a Checklist

# 1. Setup workspace (one time)
/compliance-checklists:setup

# 2. Generate checklist for SOC 2
/compliance-checklists:generate SOC 2

30-Minute Start: Full Compliance Package

# Run complete pipeline for SOC 2
/compliance-checklists:pipeline SOC 2

This generates:

  • Gap analysis DOCX + JSON
  • Detailed checklist DOCX + JSON
  • 4-6 policy documents
  • Evidence collection tracker DOCX + JSON
  • Audit preparation report DOCX

Multi-Framework: Cover All Bases

# Run for each framework sequentially
/compliance-checklists:pipeline SOC 2
/compliance-checklists:pipeline GDPR
/compliance-checklists:pipeline HIPAA
/compliance-checklists:pipeline ISO 27001

Commands Reference

Command | Purpose | Runtime
/compliance-checklists:setup | Initialize workspace, check dependencies, create config | < 1 min
/compliance-checklists:gap-analysis [framework] | Assess gaps vs. framework requirements | 5-10 min
/compliance-checklists:generate [framework] | Create detailed control checklist | 3-5 min
/compliance-checklists:policies [framework] [all|policy-name] | Generate policy documents | 5-10 min
/compliance-checklists:evidence [framework] | Create evidence collection tracker | 3-5 min
/compliance-checklists:audit-prep [framework] | Generate audit preparation report with score | 3-5 min
/compliance-checklists:compliance-checklists-dashboard | Interactive visual dashboard ("show me") | < 1 min
/compliance-checklists:pipeline [framework] | Run all stages sequentially | 20-40 min
/compliance-checklists:kb [framework] | Query knowledge base for controls, evidence, mappings | < 1 sec
/compliance-checklists:status | View pipeline progress and generated documents | 1-2 sec

Output Files

After running the plugin, you'll have:

your-workspace/
├── outbound/                              # Final deliverables
│   ├── gap-analysis-SOC-2.docx           # Gap analysis report
│   ├── checklist-SOC-2.docx              # Detailed checklist
│   ├── audit-readiness-SOC-2.docx        # Audit prep report
│   └── policies/                          # Generated policies
│       ├── information-security-policy.docx
│       ├── access-control-policy.docx
│       ├── incident-response-policy.docx
│       └── [more...]
├── processing/                            # Pipeline intermediates
│   ├── compliance-checklists-gap.json
│   ├── compliance-checklists-checklist.json
│   └── compliance-checklists-evidence.json
└── .compliance-checklists/                # Config & metadata
    ├── config.json
    └── logs/

How It Works

The Compliance Pipeline

Gap Analysis
  ↓ (Asks: current practices, existing policies, previous audits)
  ↓ (Outputs: DOCX report + JSON data)

Checklist Generation
  ↓ (Reads: gap analysis data)
  ↓ (Outputs: detailed checklist DOCX + JSON)

Policy Generation
  ↓ (Reads: company profile, framework)
  ↓ (Outputs: 4-6 policy documents)

Evidence Tracker
  ↓ (Reads: checklist data)
  ↓ (Outputs: evidence tracking DOCX + JSON)

Audit Preparation Report
  ↓ (Reads: gap, checklist, evidence data)
  ↓ (Outputs: audit preparation DOCX with score + recommendations)

Document Generation

All documents are generated using python-docx (NOT npm docx) to ensure:

  • Professional formatting
  • Consistent styling
  • Full control over document structure
  • Accessibility compliance
  • No internet required

Use Cases

Use Case 1: Startup Preparing First Audit (SOC 2 Type II)

# Month 1: Assess and plan
/compliance-checklists:pipeline SOC 2

# Month 2-3: Implement and collect evidence
# (Use checklist and evidence tracker as guide)

# Month 4: Final prep
/compliance-checklists:status
/compliance-checklists:audit-prep SOC 2  # Updated report

Use Case 2: Expanding to New Jurisdiction (GDPR for EU Customers)

# Generate GDPR documentation
/compliance-checklists:pipeline GDPR

# Generate policies for EU compliance
/compliance-checklists:policies GDPR all

# Assess what's already in place
/compliance-checklists:gap-analysis GDPR

Use Case 3: Multi-Framework Compliance

# Support multiple customers with different requirements
/compliance-checklists:pipeline SOC 2
/compliance-checklists:pipeline GDPR
/compliance-checklists:pipeline HIPAA

# Consolidated status
/compliance-checklists:status

AI-Powered Features

  • Centralized Knowledge Base: Authoritative compliance framework reference with source-level regulation citations (TSP §100, EU 2016/679, 45 CFR §164, ISO 27002:2022) — all other skills reference this single source of truth
  • Cross-Framework Control Mapping: Automatically identifies overlapping requirements across SOC 2, GDPR, HIPAA, ISO 27001, and NIST CSF 2.0 — reducing duplicate effort for multi-certification organizations
  • Source-Level Regulation Citations: Every checklist item, gap finding, and policy statement cites the specific regulation article/section (e.g., "GDPR Art. 17(1)(a)" not just "right to erasure")
  • 4-Level Evidence Classification: Maps required evidence to audit expectation levels — Policy (intent), Procedure (process), Implementation (deployment), Effectiveness (proof it works)
  • Framework Mapping: Maps audit areas to specific criteria and controls per AICPA TSP §100, ISO 27001:2022 Annex A, HIPAA 45 CFR §164
  • Risk Ranking with Enforcement Context: Ranks gaps by risk level with rationale citing enforcement trends and penalty severity
  • Gap Analysis with Cross-Framework Impact: Shows how a single gap affects multiple certifications simultaneously using control mapping table
  • Policy Generation with Control Citations: Creates policies that cite the exact regulation articles they satisfy (e.g., "Security Foundation (CC1.1–CC1.5)")
  • Evidence Tracking with Audit Period Awareness: Identifies evidence needs per control and specifies audit observation periods (SOC 2 Type II: 6+ months, HIPAA: 6-year retention per §164.316(b)(2))
  • Audit Process Context: Explains audit types per framework (SOC 2 Type I vs II, ISO Stage 1 vs 2, HIPAA OCR protocol) with evidence expectations
  • Audit Timeline: Generates prioritized remediation timeline based on control criticality, enforcement risk, and multi-framework overlap
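The cross-framework control mapping, the four-level evidence classification and the "single gap affects multiple certifications" prioritisation described above are easiest to see in code. The block below is an added example, not the plugin's own code: the control identifiers are real (TSP §100 CC-series, ISO/IEC 27001:2022, 45 CFR §164, NIST CSF 2.0 categories) but the mapping table is a constructed four-domain subset, the finding and evidence-register records are constructed sample input, and the JSON layout only assumes the shape of the plugin's processing/*.json intermediates.

```python
"""Cross-framework gap impact and evidence-level coverage (added example).

Illustrates the mapping/classification described on the page; it is not
the plugin's implementation. Mapping subset, sample findings and the
evidence register are constructed for this example.
"""
import json

EVIDENCE_LEVELS = ("Policy", "Procedure", "Implementation", "Effectiveness")

# Constructed subset: control domain -> equivalent control per framework.
# The IDs are genuine framework references; the domain names are assumed.
CONTROL_MAP = {
    "logical-access": {"SOC 2": "CC6.1", "ISO 27001": "A.5.15",
                       "HIPAA": "164.312(a)(1)", "NIST CSF 2.0": "PR.AA"},
    "incident-response": {"SOC 2": "CC7.4", "ISO 27001": "A.5.24",
                          "HIPAA": "164.308(a)(6)", "NIST CSF 2.0": "RS.MA"},
    "logging-monitoring": {"SOC 2": "CC7.2", "ISO 27001": "A.8.15",
                           "HIPAA": "164.312(b)", "NIST CSF 2.0": "DE.CM"},
    "risk-assessment": {"SOC 2": "CC3.2", "ISO 27001": "Clause 6.1.2",
                        "HIPAA": "164.308(a)(1)(ii)(A)", "NIST CSF 2.0": "ID.RA"},
}

# Reverse index so a framework-specific finding resolves to its domain.
_CONTROL_INDEX = {(fw, cid): domain
                  for domain, ids in CONTROL_MAP.items()
                  for fw, cid in ids.items()}


def domain_for(framework, control_id):
    """Return the control domain a framework control maps to, or None if unmapped."""
    return _CONTROL_INDEX.get((framework, control_id))


def cross_framework_impact(findings):
    """Group gap findings by domain and list every framework's equivalent control.

    findings: iterable of {"framework", "control", "status"} dicts.
    A finding with no mapping is kept under its own key rather than dropped,
    so nothing silently disappears from the report.
    """
    impact = {}
    for f in findings:
        domain = domain_for(f["framework"], f["control"])
        if domain is None:
            domain = f"unmapped:{f['framework']}:{f['control']}"
            affected = {f["framework"]: f["control"]}
        else:
            affected = dict(CONTROL_MAP[domain])
        entry = impact.setdefault(domain, {"affected": affected, "findings": []})
        entry["findings"].append(f)
    return impact


def missing_evidence_levels(domain, register):
    """Evidence levels not yet collected for a domain, in audit-expectation order.

    A level counts as covered only when at least one artifact at that level has
    collected=True. Unknown level names are rejected rather than ignored.
    """
    collected = {e["level"] for e in register
                 if e["domain"] == domain and e.get("collected")}
    unknown = collected - set(EVIDENCE_LEVELS)
    if unknown:
        raise ValueError(f"unknown evidence level(s) for {domain}: {sorted(unknown)}")
    return [lvl for lvl in EVIDENCE_LEVELS if lvl not in collected]


def build_gap_report(findings, register):
    """Prioritised, JSON-serialisable gap list.

    Priority key (assumed for this example): frameworks hit by the gap first
    (multi-framework overlap), then number of missing evidence levels, then
    domain name so output is deterministic.
    """
    rows = []
    for domain, entry in cross_framework_impact(findings).items():
        rows.append({
            "domain": domain,
            "frameworks_affected": sorted(entry["affected"]),
            "controls": entry["affected"],
            "reported_in": [f"{f['framework']} {f['control']} ({f['status']})"
                            for f in entry["findings"]],
            "missing_evidence": missing_evidence_levels(domain, register),
        })
    rows.sort(key=lambda r: (-len(r["frameworks_affected"]),
                             -len(r["missing_evidence"]), r["domain"]))
    for i, r in enumerate(rows, start=1):
        r["priority"] = i
    return rows


# Constructed sample input: two findings land in the same domain, one is a
# partial in another domain, one cannot be mapped and stays isolated.
SAMPLE_FINDINGS = [
    {"framework": "SOC 2", "control": "CC6.1", "status": "missing"},
    {"framework": "HIPAA", "control": "164.312(a)(1)", "status": "missing"},
    {"framework": "ISO 27001", "control": "A.8.15", "status": "partial"},
    {"framework": "PCI DSS", "control": "Req 10", "status": "partial"},
]
SAMPLE_REGISTER = [
    {"domain": "logical-access", "level": "Policy", "artifact": "Access control policy v2", "collected": True},
    {"domain": "logical-access", "level": "Implementation", "artifact": "IdP MFA enforcement export", "collected": False},
    {"domain": "logging-monitoring", "level": "Policy", "artifact": "Logging standard", "collected": True},
    {"domain": "logging-monitoring", "level": "Procedure", "artifact": "Log review runbook", "collected": True},
    {"domain": "logging-monitoring", "level": "Implementation", "artifact": "SIEM source inventory", "collected": True},
]

if __name__ == "__main__":
    print(json.dumps(build_gap_report(SAMPLE_FINDINGS, SAMPLE_REGISTER), indent=2))
```

Run stand-alone it prints the prioritised list: the logical-access gap ranks first because one missing control shows up in all four mapped frameworks and three evidence levels are still uncollected, logging-monitoring second (only Effectiveness evidence is missing), and the unmapped PCI DSS finding last. Keeping unmapped findings visible matters: the plugin treats PCI DSS at "awareness level" only, so a report that quietly dropped them would overstate readiness.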

Estimated Cost per Use

Disclaimer: Token estimates are approximate and based on typical usage patterns measured from skill prompt sizes. Actual costs vary with input data size, conversation length, and complexity. Estimates use Claude Sonnet 4.6 pricing ($3/1M input, $15/1M output). Cowork and Claude Desktop subscription users (Pro/Max/Team) are not charged per-token — these estimates apply only to direct Anthropic API usage. Running stages individually in fresh sessions uses fewer input tokens than running the full pipeline sequentially, because pipeline mode accumulates conversation history across stages.

Per skill (run individually in a fresh session):

Stage | Skill Prompt | User Input | Total Input | Output | Est. Cost
compliance-checklists-kb | ~5.6K | ~800 | ~9.7K | ~4.0K | ~$0.09
compliance-checklists-evidence | ~6.0K | ~800 | ~11.7K | ~4.0K | ~$0.10
compliance-dashboard | ~4.8K | ~500 | ~8.5K | ~8.0K | ~$0.15
compliance-checklists-policies | ~7.7K | ~800 | ~13.0K | ~4.0K | ~$0.10
compliance-checklists-gap-analysis | ~4.3K | ~800 | ~9.0K | ~6.0K | ~$0.12
compliance-checklists-audit-prep | ~6.7K | ~800 | ~12.7K | ~4.0K | ~$0.10
compliance-checklists-generate | ~6.1K | ~800 | ~11.1K | ~6.0K | ~$0.12
Standalone total | | | ~75.7K | ~36.0K | ~$0.77

Full pipeline (all stages in one session — context accumulates):

Stage | Base Input | + History | Total Input | Output | Est. Cost
compliance-checklists-kb | ~11.9K | 0 | ~11.9K | ~4.0K | ~$0.10
compliance-checklists-evidence | ~12.3K | ~4.8K | ~17.1K | ~4.0K | ~$0.11
compliance-dashboard | ~10.8K | ~9.6K | ~20.4K | ~8.0K | ~$0.18
compliance-checklists-policies | ~14.0K | ~18.1K | ~32.1K | ~4.0K | ~$0.16
compliance-checklists-gap-analysis | ~10.6K | ~22.9K | ~33.5K | ~6.0K | ~$0.19
compliance-checklists-audit-prep | ~12.9K | ~29.7K | ~42.6K | ~4.0K | ~$0.19
compliance-checklists-generate | ~12.4K | ~34.5K | ~46.9K | ~6.0K | ~$0.23
Pipeline total | | | ~204.2K | ~36.0K | ~$1.15

Running the full pipeline once typically costs $0.81–$1.50 in API tokens (Claude Sonnet 4.6).

Known Limitations

The plugin is designed for documentation and planning, not continuous monitoring or real-time security checks. Understand these boundaries:

1. No Real-Time Monitoring

  • Cannot continuously scan systems for compliance
  • Does not integrate with AWS, GCP, Azure, or other cloud platforms
  • All assessments are point-in-time snapshots based on manual input
  • Workaround: Re-run gap analysis and audit prep monthly; integrate separate monitoring tools for real-time data

2. Framework Versioning

  • Checklists based on framework versions at Claude's training time (Feb 2025)
  • Frameworks evolve over time (GDPR guidance, ISO 27001 updates, etc.)
  • Generated checklists may miss very recent updates or changes
  • Workaround: Verify each generated checklist against the official framework documentation for changes published after that date; treat the checklist as a comprehensive starting point, not the authoritative text

3. No Persistent Database

  • Compliance data stored as local JSON/DOCX files, not in a centralized database
  • No built-in backup or version control
  • Data is not searchable across documents without manual search
  • Workaround: Organize files in folders; create manual backups; use Git to version-control your compliance work, in a private repository, since gap analyses and evidence trackers describe your security weaknesses

4. No Auditor Portal

  • Cannot share evidence with auditors through a secure portal
  • No real-time auditor access or collaboration features
  • Audit evidence must be packaged and shared manually (email, Google Drive, etc.)
  • Workaround: Export evidence to DOCX; share it through your standard file-sharing tools (Google Drive, OneDrive, SharePoint) with access limited to the audit team; if you must email a zip, encrypt it and send the password by a separate channel

5. Session-Based Operation

  • No automatic deadline reminders between sessions
  • No background tracking or notifications
  • No task assignment to other users with automatic reminders
  • Workaround: Export deadlines to calendar; create shared spreadsheet for team tracking; integrate with project management tools manually

6. No Custom Framework Support (v1)

  • Full pipeline support only for SOC 2, GDPR, HIPAA, and ISO 27001; NIST CSF 2.0 and PCI DSS v4.0 are included only as cross-mapping and awareness-level references
  • Cannot create or add custom compliance frameworks
  • Cannot modify framework definitions
  • Workaround: Extend generated checklists manually; run gap analysis against closest framework and customize

7. Limited AI-Powered Recommendations

  • Risk prioritization is based on framework guidance, not your specific context
  • Cannot analyze your actual codebase, infrastructure, or logs to detect real compliance issues
  • Recommendations are template-based, not customized to your actual systems
  • Workaround: Have security professionals review recommendations; run separate security assessments to find actual vulnerabilities

8. No Integration with Third-Party Tools

  • Does not connect to Jira, GitHub, Slack, or other tools for tracking remediation
  • Evidence collection tasks are not automatically assigned
  • No webhook or API integration
  • Workaround: Manually create tasks in your existing project management tool

9. No Automated Evidence Collection

  • Does not scan cloud environments for compliance evidence
  • Cannot automatically export logs from AWS CloudTrail, GCP Audit Logs, etc.
  • Requires manual collection and upload of evidence
  • Workaround: Export logs manually from your systems; store in organized folder structure

10. Knowledge Cutoff Limitations

  • Training data current to February 2025
  • Very recent regulatory changes may not be reflected
  • Industry-specific guidance may be incomplete
  • Workaround: Always verify against official regulatory sources; consult compliance professionals

Feature Comparison vs. Competitors

Feature | This Plugin | Vanta | Sprinto | Drata
Compliance Checklists | ✓ Full | ✓ Full | ✓ Full | ✓ Full
Policy Documentation | ✓ Full | ✓ Full | ✓ Full | ✓ Full
Gap Analysis | ✓ Manual | ✓ Auto | ✓ Auto | ✓ Auto
Evidence Tracking | ✓ Manual | ✓ Auto | ✓ Auto | ✓ Auto
Continuous Monitoring | ✗ No | ✓ Yes | ✓ Yes | ✓ Yes
Cloud Integrations (AWS/GCP/Azure) | ✗ None | ✓ 200+ | ✓ 200+ | ✓ 200+
Auditor Portal | ✗ No | ✓ Yes | ✓ Yes | ✓ Yes
Cross-Framework Mapping | ✓ 10 control domains | ⚠ Manual | ⚠ Manual | ⚠ Manual
Source-Level Citations | ✓ Every control | ⚠ Partial | ⚠ Partial | ⚠ Partial
Multi-Framework | ✓ 6 | ✓ 12+ | ✓ 200+ | ✓ 20+
Local Data Only | ✓ Yes | ✗ Cloud | ✗ Cloud | ✗ Cloud
Customizable | ✓ Yes | ⚠ Limited | ⚠ Limited | ⚠ Limited
Cost | Included with your subscription | $7.5K-$80K/yr | $4K-$25K/yr | $7K-$12K+/yr
Setup Time | 5 min | 1-2 weeks | 2-4 weeks | 1-2 weeks
Best For | Startups, first audit, documentation | Enterprise, continuous monitoring | Enterprise, automation | Enterprise, full SaaS

What the Plugin IS Good For

  ✓ Creating a starting point for compliance documentation (saves 20-30 hours of research)
  ✓ Understanding what compliance frameworks require
  ✓ Planning a compliance implementation roadmap
  ✓ Organizing compliance work
  ✓ Preparing for initial audit discussions
  ✓ Learning compliance terminology
  ✓ Creating internal checklists for tracking progress

What the Plugin IS NOT Good For

  ✗ Substituting for compliance professionals or legal counsel
  ✗ Providing legal compliance advice
  ✗ Certifying compliance readiness
  ✗ Guaranteeing audit success
  ✗ Continuous security monitoring
  ✗ Detecting actual security vulnerabilities
  ✗ Meeting all industry-specific requirements without customization

Getting Help

View the User Guide

See USER-GUIDE.md for detailed walkthrough with examples

Check Command Help

/compliance-checklists:status     # See what you've completed
/compliance-checklists:help       # Available commands

Troubleshooting

python-docx not installed:

pip install python-docx --break-system-packages

Files not generating:

  • Ensure setup completed: /compliance-checklists:setup
  • Check workspace folder exists and is writable
  • Verify python-docx is installed

Need different content:

  • All generated DOCX files are editable — customize after generation
  • Edit templates to match your company's specific requirements
  • Save edited versions separately

Contributing

Found an issue or have a suggestion? The plugin can be improved by:

  • Reporting gaps in framework coverage
  • Suggesting additional policies per framework
  • Requesting new compliance frameworks
  • Improving plain-English explanations of controls

Roadmap (Future Versions)

Potential enhancements for future versions:

  • Custom framework creation
  • Integration with GitHub Actions for evidence collection
  • AWS/GCP/Azure evidence scanning
  • Automated evidence collection plugins
  • Multi-user collaboration with assignments
  • Persistent database instead of JSON files
  • Auditor portal for evidence sharing
  • Additional frameworks (SOC 3, HITRUST, CMMC)
  • Continuous monitoring via webhooks
  • Risk scoring for prioritization

License

This plugin is provided as part of the Claude Desktop / Cowork ecosystem.

Support

For support:

  1. Check USER-GUIDE.md for detailed examples
  2. Run /compliance-checklists:status to understand current state
  3. Review generated DOCX files for detailed guidance
  4. Consult the specific command help (e.g., /compliance-checklists:pipeline --help)

Ready to get started? Run /compliance-checklists:setup and follow the prompts!

Important Disclaimers

  • AI-Generated Content: This plugin uses AI (LLM) technology which can produce inaccurate or incomplete outputs. All content should be treated as a starting point and reviewed for accuracy before use.
  • Not Professional Advice: Outputs do not constitute legal, financial, tax, medical, or other professional advice. Consult qualified professionals before making decisions based on generated content.
  • No Compliance Guarantee: References to industry standards, regulations, or guidelines are for informational purposes only. This plugin does not guarantee compliance with any law or regulation. Users are responsible for verifying all outputs meet their specific regulatory requirements.
  • No Endorsement or Affiliation: Mention of third-party products, standards, or organizations does not imply endorsement, partnership, or certification by those entities.
  • Not Legal Advice: This plugin does not provide legal services or legal advice. All legal documents and analysis should be reviewed by a licensed attorney before use.
