isms-audit-expert
Information Security Management System auditing for ISO 27001 compliance, security control assessment.
Installation
```shell
npx clawhub@latest install isms-audit-expert
```
View the full skill documentation and source below.
Documentation
ISMS Audit Expert
Internal and external ISMS audit management for ISO 27001 compliance verification, security control assessment, and certification support.
Table of Contents
- Audit Program Management
- Audit Execution
- Control Assessment
- Finding Management
- Certification Support
- Tools
- References
Audit Program Management
Risk-Based Audit Schedule
| Risk Level | Audit Frequency | Examples |
|---|---|---|
| Critical | Quarterly | Privileged access, vulnerability management, logging |
| High | Semi-annual | Access control, incident response, encryption |
| Medium | Annual | Policies, awareness training, physical security |
| Low | Annual | Documentation, asset inventory |
Annual Audit Planning Workflow
Auditor Competency Requirements
- ISO 27001 Lead Auditor certification (preferred)
- No operational responsibility for audited processes
- Understanding of technical security controls
- Knowledge of applicable regulations (GDPR, HIPAA)
Audit Execution
Pre-Audit Preparation
Audit Conduct Steps
- Opening meeting:
  - Confirm audit scope and objectives
  - Introduce audit team and methodology
  - Agree on communication channels and logistics
- Fieldwork:
  - Interview control owners and operators
  - Review documentation and records
  - Observe processes in operation
  - Inspect technical configurations
  - Test control design (does it address the risk?)
  - Test control operation (is it working as intended?)
  - Sample transactions and records
  - Document all evidence collected
- Closing meeting:
  - Present preliminary findings
  - Clarify any factual inaccuracies
  - Agree on finding classification
  - Confirm corrective action timelines
Evidence Collection Methods
| Method | Use Case | Example |
|---|---|---|
| Inquiry | Process understanding | Interview Security Manager about incident response |
| Observation | Operational verification | Watch visitor sign-in process |
| Inspection | Documentation review | Check access approval records |
| Re-performance | Control testing | Attempt login with weak password |
Control Assessment
ISO 27002 Control Categories
Organizational Controls (A.5):
- Information security policies
- Roles and responsibilities
- Segregation of duties
- Contact with authorities
- Threat intelligence
- Information security in projects
People Controls (A.6):
- Screening and background checks
- Employment terms and conditions
- Security awareness and training
- Disciplinary process
- Remote working security
Physical Controls (A.7):
- Physical security perimeters
- Physical entry controls
- Securing offices and facilities
- Physical security monitoring
- Equipment protection
Technological Controls (A.8):
- User endpoint devices
- Privileged access rights
- Access restriction
- Secure authentication
- Malware protection
- Vulnerability management
- Backup and recovery
- Logging and monitoring
- Network security
- Cryptography
Control Testing Approach
Finding Management
Finding Classification
| Severity | Definition | Response Time |
|---|---|---|
| Major Nonconformity | Control failure creating significant risk | 30 days |
| Minor Nonconformity | Isolated deviation with limited impact | 90 days |
| Observation | Improvement opportunity | Next audit cycle |
Finding Documentation Template
Finding ID: ISMS-[YEAR]-[NUMBER]
Control Reference: A.X.X - [Control Name]
Severity: [Major/Minor/Observation]
Evidence:
- [Specific evidence observed]
- [Records reviewed]
- [Interview statements]
Risk Impact:
- [Potential consequences if not addressed]
Root Cause:
- [Why the nonconformity occurred]
Recommendation:
- [Specific corrective action steps]
Corrective Action Workflow
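The finding template and the classification table above together define a small amount of logic that a finding register has to enforce: the `ISMS-[YEAR]-[NUMBER]` and `A.X.X` identifier formats, the 30-day and 90-day corrective action deadlines, the "next audit cycle" deadline for observations, and the two KPIs tracked later on this page (closure rate within SLA, zero open majors at certification). The following is an added example, not part of the skill or its scripts; the `Finding` class, the sample register, and the chosen dates are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Response times from the Finding Classification table. Observations are due
# by the next audit cycle, which is a date the caller supplies, not a day count.
SLA_DAYS = {"Major": 30, "Minor": 90}
SEVERITIES = ("Major", "Minor", "Observation")

FINDING_ID = re.compile(r"^ISMS-\d{4}-\d{3,}$")   # ISMS-[YEAR]-[NUMBER]
CONTROL_REF = re.compile(r"^A\.\d+\.\d+$")         # A.X.X


@dataclass
class Finding:  # hypothetical record type, not from the skill
    finding_id: str
    control_ref: str
    severity: str
    raised: date
    closed: Optional[date] = None


def validate(f):
    """Reject records that do not follow the finding documentation template."""
    if not FINDING_ID.match(f.finding_id):
        raise ValueError(f"bad finding id {f.finding_id!r}")
    if not CONTROL_REF.match(f.control_ref):
        raise ValueError(f"bad control reference {f.control_ref!r}")
    if f.severity not in SEVERITIES:
        raise ValueError(f"bad severity {f.severity!r}")
    if f.closed is not None and f.closed < f.raised:
        raise ValueError(f"{f.finding_id}: closed before it was raised")
    return f


def due_date(f, next_audit):
    """Corrective action deadline: fixed day count for nonconformities,
    the next audit date for observations."""
    if f.severity == "Observation":
        return next_audit
    return f.raised + timedelta(days=SLA_DAYS[f.severity])


def overdue(findings, today, next_audit):
    """Open findings whose corrective action deadline has already passed."""
    return [f for f in findings
            if f.closed is None and today > due_date(f, next_audit)]


def closure_rate(findings, next_audit):
    """Share of closed findings closed on or before the due date
    (KPI target: >90%). None when nothing has been closed yet."""
    closed = [f for f in findings if f.closed is not None]
    if not closed:
        return None
    on_time = sum(1 for f in closed if f.closed <= due_date(f, next_audit))
    return on_time / len(closed)


def open_majors(findings):
    """Open Major nonconformities; the KPI target is 0 at certification."""
    return sum(1 for f in findings if f.severity == "Major" and f.closed is None)


# Constructed sample register (not real audit data).
SAMPLE_FINDINGS = [validate(f) for f in (
    Finding("ISMS-2025-001", "A.8.2", "Major", date(2025, 3, 3), date(2025, 3, 28)),
    Finding("ISMS-2025-002", "A.8.15", "Minor", date(2025, 3, 3), date(2025, 6, 10)),
    Finding("ISMS-2025-003", "A.5.1", "Observation", date(2025, 3, 3)),
    Finding("ISMS-2025-004", "A.8.8", "Major", date(2025, 3, 3)),
)]
TODAY = date(2025, 5, 1)
NEXT_AUDIT = date(2025, 9, 15)

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.finding_id, f.severity, "due", due_date(f, NEXT_AUDIT))
    print("overdue:", [f.finding_id for f in overdue(SAMPLE_FINDINGS, TODAY, NEXT_AUDIT)])
    print("closure rate:", closure_rate(SAMPLE_FINDINGS, NEXT_AUDIT))
    print("open majors:", open_majors(SAMPLE_FINDINGS))
```

In the sample, the Minor finding closed on 10 June against a 1 June deadline, so it counts as closed but not on time, and the open Major raised on 3 March is overdue by 1 May; an observation is never overdue before the next audit date.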
Certification Support
Stage 1 Audit Preparation
Ensure documentation is complete:
- [ ] ISMS scope statement
- [ ] Information security policy (management signed)
- [ ] Statement of Applicability
- [ ] Risk assessment methodology and results
- [ ] Risk treatment plan
- [ ] Internal audit results (past 12 months)
- [ ] Management review minutes
Stage 2 Audit Preparation
Verify operational readiness:
- [ ] All Stage 1 findings addressed
- [ ] ISMS operational for a minimum of 3 months
- [ ] Evidence of control implementation
- [ ] Security awareness training records
- [ ] Incident response evidence (if applicable)
- [ ] Access review documentation
Surveillance Audit Cycle
| Period | Focus |
|---|---|
| Year 1, Q2 | High-risk controls, Stage 2 findings follow-up |
| Year 1, Q4 | Continual improvement, control sample |
| Year 2, Q2 | Full surveillance |
| Year 2, Q4 | Re-certification preparation |
Tools
scripts/
| Script | Purpose | Usage |
|---|---|---|
| isms_audit_scheduler.py | Generate risk-based audit plans | `python scripts/isms_audit_scheduler.py --year 2025 --format markdown` |
Audit Planning Example
```shell
# Generate annual audit plan
python scripts/isms_audit_scheduler.py --year 2025 --output audit_plan.json
# With custom control risk ratings
python scripts/isms_audit_scheduler.py --controls controls.csv --format markdown
```
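The risk-based schedule table earlier on this page fixes only the frequency per risk level; a scheduler also has to decide which quarter each audit lands in so that the annual and semi-annual work does not all pile into Q1. The following is an added illustration of that logic, written for this page; it is not the skill's `scripts/isms_audit_scheduler.py`, and the CSV column layout (`control_id,name,risk_level`) is an assumption about what a `controls.csv` input might look like, not the script's documented format. The control rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Audits per year for each risk level, taken from the Risk-Based Audit Schedule
# table: Critical quarterly, High semi-annual, Medium and Low annual.
FREQUENCY = {"critical": 4, "high": 2, "medium": 1, "low": 1}

# Constructed sample input. The column layout is an assumption about
# controls.csv, not the skill's real input format.
SAMPLE_CONTROLS_CSV = """control_id,name,risk_level
A.8.2,Privileged access rights,critical
A.8.8,Management of technical vulnerabilities,critical
A.8.15,Logging,critical
A.5.15,Access control,high
A.5.24,Information security incident management planning,high
A.8.24,Use of cryptography,high
A.5.1,Policies for information security,medium
A.6.3,Information security awareness and training,medium
A.7.1,Physical security perimeters,medium
A.5.9,Inventory of information and other associated assets,low
A.5.37,Documented operating procedures,low
"""


def load_controls(csv_text):
    """Parse the CSV and reject unknown risk levels instead of silently
    leaving a control out of the plan."""
    controls = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        level = row["risk_level"].strip().lower()
        if level not in FREQUENCY:
            raise ValueError(f"{row['control_id']}: unknown risk level {row['risk_level']!r}")
        controls.append({"control_id": row["control_id"].strip(),
                         "name": row["name"].strip(),
                         "risk_level": level})
    return controls


def schedule(controls, year):
    """Return {"YYYY-Qn": [control, ...]} with every control audited
    FREQUENCY[risk_level] times, evenly spaced across the year.

    Controls sharing a frequency are staggered round-robin, so the first
    annual control starts in Q1, the next in Q2, and so on."""
    plan = {f"{year}-Q{q}": [] for q in range(1, 5)}
    stagger = defaultdict(int)  # per-frequency counter for round-robin starts
    for control in controls:
        per_year = FREQUENCY[control["risk_level"]]
        step = 4 // per_year              # quarters between audits
        start = stagger[per_year] % step  # first quarter for this control
        stagger[per_year] += 1
        for quarter in range(start, 4, step):
            plan[f"{year}-Q{quarter + 1}"].append(control)
    return plan


def audit_count(plan, control_id):
    """How many times a control appears in the plan (its audit frequency)."""
    return sum(1 for controls in plan.values()
               for c in controls if c["control_id"] == control_id)


def to_markdown(plan):
    """Render the plan as a markdown table, one row per scheduled audit."""
    lines = ["| Quarter | Control | Risk Level |", "|---|---|---|"]
    for quarter, controls in plan.items():
        for c in controls:
            lines.append(f"| {quarter} | {c['control_id']} {c['name']} | {c['risk_level']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_markdown(schedule(load_controls(SAMPLE_CONTROLS_CSV), 2025)))
```

With the sample controls, the three critical controls appear in every quarter, the semi-annual ones alternate between Q1/Q3 and Q2/Q4, and the five annual controls are spread across the year, giving 23 scheduled audits in total.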
References
| File | Content |
|---|---|
| iso27001-audit-methodology.md | Audit program structure, pre-audit phase, certification support |
| security-control-testing.md | Technical verification procedures for ISO 27002 controls |
| cloud-security-audit.md | Cloud provider assessment, configuration security, IAM review |
Audit Performance Metrics
| KPI | Target | Measurement |
|---|---|---|
| Audit plan completion | 100% | Audits completed vs. planned |
| Finding closure rate | >90% within SLA | Findings closed on time vs. total closed |
| Major nonconformities | 0 at certification | Count per certification cycle |
| Audit effectiveness | Declining repeat findings | Repeat findings per cycle and security improvements implemented from audit recommendations |
Compliance Framework Integration
| Framework | ISMS Audit Relevance |
|---|---|
| GDPR | A.5.34 Privacy and protection of PII, A.8.10 Information deletion |
| HIPAA | Access controls, audit logging, encryption |
| PCI DSS | Network security, access control, monitoring |
| SOC 2 | Trust Services Criteria mapped to ISO 27002 |