This guide covers how to install the GRC Skills marketplace in Claude Code, the AI-powered CLI for developers. The marketplace provides 30 compliance skills as Claude Code plugins — each one extends Claude with deep, framework-specific expertise across data privacy, information security, AI governance, export controls, sustainability, and accessibility.
Plugins let you extend Claude with custom functionality that can be shared across projects and teams. A plugin can contain skills (instructions Claude follows automatically), commands (slash commands you invoke), agents, hooks, and MCP servers. Once installed, a plugin is available in every Claude session on that machine.
A marketplace is a catalog of plugins hosted in a Git repository. You add a marketplace once, then install any plugin it lists by name.
- Claude Code installed (claude --version to confirm)
- Git installed and accessible on your PATH
- An active Claude subscription or API key configured
Register the GRC Skills marketplace with a single command. You only need to do this once per machine.
/plugin marketplace add Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
Claude Code will clone the repository, read the .claude-plugin/marketplace.json catalog, and register it locally as grc-skills. Confirm it was added with:
/plugin marketplace list
Once the marketplace is registered, install only the frameworks you need.
/plugin install iso27001@grc-skills
/plugin install soc2@grc-skills
/plugin install fedramp@grc-skills
/plugin install nist-csf@grc-skills
/plugin install nist-800-53@grc-skills
/plugin install cmmc@grc-skills
/plugin install swift-csp@grc-skills
/plugin install ism@grc-skills
/plugin install nzism@grc-skills
/plugin install cis-controls@grc-skills

/plugin install gdpr-compliance@grc-skills
/plugin install hipaa-compliance@grc-skills
/plugin install pci-compliance@grc-skills
/plugin install dpdpa@grc-skills
/plugin install ccpa@grc-skills
/plugin install lgpd@grc-skills
/plugin install vn-pdpl@grc-skills
/plugin install iso27701@grc-skills

/plugin install nis2@grc-skills
/plugin install dora@grc-skills
/plugin install tsa-compliance@grc-skills
/plugin install eu-cra@grc-skills

/plugin install iso42001@grc-skills
/plugin install nist-ai-rmf@grc-skills
/plugin install eu-ai-act@grc-skills

/plugin install itar@grc-skills
/plugin install ear@grc-skills
/plugin install csrd@grc-skills

/plugin install section-508@grc-skills
/plugin install wcag@grc-skills

Each plugin is installed to a local cache (~/.claude/plugins/cache) and activates immediately in new Claude sessions.
To install the full GRC suite in a single command:
/plugin install iso27001@grc-skills soc2@grc-skills fedramp@grc-skills nist-csf@grc-skills nist-800-53@grc-skills cmmc@grc-skills swift-csp@grc-skills ism@grc-skills nzism@grc-skills cis-controls@grc-skills gdpr-compliance@grc-skills hipaa-compliance@grc-skills pci-compliance@grc-skills dpdpa@grc-skills ccpa@grc-skills lgpd@grc-skills vn-pdpl@grc-skills iso27701@grc-skills nis2@grc-skills dora@grc-skills tsa-compliance@grc-skills eu-cra@grc-skills iso42001@grc-skills nist-ai-rmf@grc-skills eu-ai-act@grc-skills itar@grc-skills ear@grc-skills csrd@grc-skills section-508@grc-skills wcag@grc-skills
For teams, you can pre-wire the marketplace into your project so every developer gets the skills automatically when they open the project in Claude Code — no manual install step required.
Add the following to your project's .claude/settings.json (include only the skills your team needs):
{
  "extraKnownMarketplaces": {
    "grc-skills": {
      "source": {
        "source": "github",
        "repo": "Sushegaad/Claude-Skills-Governance-Risk-and-Compliance"
      }
    }
  },
  "enabledPlugins": {
    "iso27001@grc-skills": true,
    "soc2@grc-skills": true,
    "fedramp@grc-skills": true,
    "gdpr-compliance@grc-skills": true,
    "hipaa-compliance@grc-skills": true
  }
}
Commit this file to your repository. The next time a team member trusts the project folder in Claude Code, the marketplace and plugins will be registered automatically. Only enable the skills your team actually needs — you don't have to include all 30.
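Because this file registers a marketplace and enables plugins for everyone who trusts the folder, it is worth linting in code review. The following is an added example, not part of the GRC Skills repository or Claude Code: it flags marketplaces whose repo is not on a team-maintained allowlist and enabled plugins that point at a marketplace the file does not declare. APPROVED_REPOS, audit_settings, the helper@unreviewed-market entry and the policy itself are assumptions for illustration.

```python
import json

# Constructed sample: the settings.json shape shown above, plus one plugin
# that points at a marketplace the file never declares.
SAMPLE_SETTINGS = """
{
  "extraKnownMarketplaces": {
    "grc-skills": {"source": {"source": "github",
      "repo": "Sushegaad/Claude-Skills-Governance-Risk-and-Compliance"}}
  },
  "enabledPlugins": {
    "iso27001@grc-skills": true,
    "soc2@grc-skills": true,
    "helper@unreviewed-market": true
  }
}
"""

# Assumption: the team keeps its own list of reviewed marketplace repos and
# only accepts the "github" source type used on this page.
APPROVED_REPOS = {"Sushegaad/Claude-Skills-Governance-Risk-and-Compliance"}


def audit_settings(text, approved_repos=APPROVED_REPOS):
    """Return a list of findings for a .claude/settings.json document."""
    cfg = json.loads(text)
    markets = cfg.get("extraKnownMarketplaces", {})
    findings = []
    for name, entry in markets.items():
        src = entry.get("source", {})
        if src.get("source") != "github" or src.get("repo") not in approved_repos:
            findings.append(f"marketplace '{name}' is not an approved GitHub repo")
    for key, enabled in cfg.get("enabledPlugins", {}).items():
        if not enabled:
            continue  # disabled entries load nothing
        plugin, sep, market = key.partition("@")
        if not sep or not plugin or not market:
            findings.append(f"plugin '{key}' is not in name@marketplace form")
        elif market not in markets:
            # Assumed policy: project plugins must resolve within this file.
            findings.append(f"plugin '{key}' uses undeclared marketplace '{market}'")
    return findings


if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS):
        print(finding)
```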
When this repository is updated with new skill content or bug fixes, refresh your local copy with:
/plugin marketplace update grc-skills
To update a specific installed plugin:
/plugin update iso27001@grc-skills
To remove a plugin:
/plugin uninstall iso27001@grc-skills
To remove the marketplace entirely:
/plugin marketplace remove grc-skills

| Plugin name | Framework | What it does |
|---|---|---|
| iso27001 | ISO 27001:2022 | Gap analysis, policy writing, Annex A control guidance, SoA generation, risk registers |
| soc2 | SOC 2 | TSC gap analysis, policy drafting, control documentation, audit evidence, vendor risk |
| fedramp | FedRAMP Moderate/High | Readiness assessments, SSP narratives, POA&M, NIST 800-53 control mapping, ConMon |
| nist-csf | NIST CSF 2.0 / 1.1 | Gap assessments, organisational profiles, implementation tiers, roadmaps, cross-framework mapping |
| nist-800-53 | NIST SP 800-53 Rev 5 | All 20 control families, FIPS 199/200 categorisation, baseline selection, SSP narratives, RMF |
| cmmc | CMMC 2.0 | CMMC Level 1/2/3 gap analysis, SPRS scoring, POA&M, OSC assessment prep, CUI scoping |
| swift-csp | SWIFT CSP 2025 | CSCF v2025 mandatory/advisory controls, independent assessment prep, KYC/AML integration |
| ism | Australian ISM (ACSC) | ISM control assessment, Essential Eight maturity, system authorisation, ACSC guidance |
| nzism | NZISM (GCSB/NCSC NZ) | NZISM gap analysis, C&A for Restricted+ systems, NZ classification framework, SSP preparation |
| cis-controls | CIS Controls v8 | IG selection, all 153 safeguards, gap assessment, SIEM/log design, cross-framework mapping |

| Plugin name | Framework | What it does |
|---|---|---|
| gdpr-compliance | GDPR / UK GDPR | Code audits, privacy notices, DPAs, DPIAs, data flow reviews, article-cited Q&A |
| hipaa-compliance | HIPAA | Document generation, technical safeguards for cloud, breach response guidance |
| pci-compliance | PCI DSS v4.0.1 | CDE scoping, SAQ selection, gap assessments, control guidance, QSA audit prep |
| dpdpa | India DPDPA 2023 | Data principal rights, consent management, DPDPB registration, breach notification |
| ccpa | CCPA / CPRA | Consumer rights workflows, opt-out mechanisms, CPPA enforcement, B2B exemptions |
| lgpd | Brazil LGPD | All 10 legal bases, data subject rights, ANPD enforcement, breach notification |
| vn-pdpl | Vietnam PDPL 2026 | Gap analysis, cross-border transfer impact assessments, DPIAs, breach notification (72h) |
| iso27701 | ISO 27701:2019 | PIMS gap analysis, PII controller/processor mapping, GDPR alignment |

| Plugin name | Framework | What it does |
|---|---|---|
| nis2 | NIS2 Directive (EU) | Essential/important entity scoping, Art. 21 technical measures, 24h/72h incident reporting |
| dora | DORA (EU) | ICT risk management, TLPT, register of information, incident classification, third-party oversight |
| tsa-compliance | TSA Security Directives | Pipeline, freight rail, and transit OT/ICS cybersecurity — CIP/COIP, IRP, ADR, CAP |
| eu-cra | EU CRA 2024/2847 | PDE classification (Default/Class I/Class II), Annex I gap analysis, SBOM, 24/72h ENISA reporting |

| Plugin name | Framework | What it does |
|---|---|---|
| iso42001 | ISO/IEC 42001:2023 | AI Management System gap analysis, AISIA, AI risk assessment, SoA, certification readiness |
| nist-ai-rmf | NIST AI RMF 1.0 | GOVERN/MAP/MEASURE/MANAGE function guidance, AI risk registers, organisational profiles |
| eu-ai-act | EU AI Act 2024/1689 | Risk classification (prohibited/high-risk/limited/minimal), conformity assessment, GPAI obligations |

| Plugin name | Framework | What it does |
|---|---|---|
| itar | ITAR (22 CFR 120–130) | USML classification, DSP-5/73/85 licence workflows, TAA/MLA drafting, deemed export, DDTC |
| ear | EAR (15 CFR 730–774) | ECCN classification, licence requirements, Entity List screening, licence exceptions |
| csrd | CSRD / ESRS | Double materiality assessment, Wave 1–4 scoping, GRI/TCFD gap analysis, EU Taxonomy alignment |

| Plugin name | Framework | What it does |
|---|---|---|
| section-508 | Section 508 (US) | VPAT 2.x ACR completion, procurement language (FAR 52.239-2), AT testing, undue burden exceptions |
| wcag | WCAG 2.0/2.1/2.2 | POUR audit, SC-level gap analysis, ARIA patterns, screen reader testing, legal compliance mapping |

Marketplace not found after adding
Run /plugin marketplace list to confirm it was registered. If it's missing, check that your Git credentials allow access and retry.
Plugin installation fails
Verify you have network access to GitHub and that your Git version is current. You can also clone the repo manually to test: git clone https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance.git
Skills not activating in sessions
Restart Claude Code after installing plugins. Skills activate in new sessions, not mid-session.
Git timeout on slow connections
Increase the timeout via environment variable before running Claude Code:
export CLAUDE_CODE_PLUGIN_GIT_TIMEOUT_MS=300000
For additional help, open an issue on the repository.
- Claude Code documentation
- Plugin marketplace docs
- README — full skill descriptions and use cases
- GitHub repository