🔍

ISMS Audit Expert

Conduct ISO 27001 internal audits — audit planning, evidence collection, nonconformance identification, and management review preparation.

by @alirezarezvani · MIT New

Built for: Founders

What this skill does

Navigate security certification confidently by managing your internal ISO 27001 compliance audits from start to finish. You will be able to create audit plans, gather proof of security measures, and identify gaps before external reviewers arrive. Reach for this tool whenever you need to validate your security posture or organize documentation for an upcoming assessment.

@alirezarezvani · Compliance

view on github ↗

name: “isms-audit-expert” description: Information Security Management System (ISMS) audit expert for ISO 27001 compliance verification, security control assessment, and certification support. Use when the user mentions ISO 27001, ISMS audit, Annex A controls, Statement of Applicability (SOA), gap analysis, nonconformity management, internal audit, surveillance audit, or security certification preparation. Helps review control implementation evidence, document audit findings, classify nonconformities, generate risk-based audit plans, map controls to Annex A requirements, prepare Stage 1 and Stage 2 audit documentation, and support corrective action workflows. triggers:

ISMS audit
ISO 27001 audit
security audit
internal audit ISO 27001
security control assessment
certification audit
surveillance audit
audit finding
nonconformity

ISMS Audit Expert

Internal and external ISMS audit management for ISO 27001 compliance verification, security control assessment, and certification support.

Audit Program Management
Audit Execution
Control Assessment
Finding Management
Certification Support
Tools
References

Audit Program Management

Risk-Based Audit Schedule

Risk Level	Audit Frequency	Examples
Critical	Quarterly	Privileged access, vulnerability management, logging
High	Semi-annual	Access control, incident response, encryption
Medium	Annual	Policies, awareness training, physical security
Low	Annual	Documentation, asset inventory

Annual Audit Planning Workflow

Review previous audit findings and risk assessment results
Identify high-risk controls and recent security incidents
Determine audit scope based on ISMS boundaries
Assign auditors ensuring independence from audited areas
Create audit schedule with resource allocation
Obtain management approval for audit plan
Validation: Audit plan covers all Annex A controls within certification cycle

Auditor Competency Requirements

ISO 27001 Lead Auditor certification (preferred)
No operational responsibility for audited processes
Understanding of technical security controls
Knowledge of applicable regulations (GDPR, HIPAA)

Audit Execution

Pre-Audit Preparation

Review ISMS documentation (policies, SoA, risk assessment)
Analyze previous audit reports and open findings
Prepare audit plan with interview schedule
Notify auditees of audit scope and timing
Prepare checklists for controls in scope
Validation: All documentation received and reviewed before opening meeting

Audit Conduct Steps

Opening Meeting
- Confirm audit scope and objectives
- Introduce audit team and methodology
- Agree on communication channels and logistics
Evidence Collection
- Interview control owners and operators
- Review documentation and records
- Observe processes in operation
- Inspect technical configurations
Control Verification
- Test control design (does it address the risk?)
- Test control operation (is it working as intended?)
- Sample transactions and records
- Document all evidence collected
Closing Meeting
- Present preliminary findings
- Clarify any factual inaccuracies
- Agree on finding classification
- Confirm corrective action timelines
Validation: All controls in scope assessed with documented evidence

Control Assessment

Control Testing Approach

Identify control objective from ISO 27002
Determine testing method (inquiry, observation, inspection, re-performance)
Define sample size based on population and risk
Execute test and document results
Evaluate control effectiveness
Validation: Evidence supports conclusion about control status

For detailed technical verification procedures by Annex A control, see security-control-testing.md.

Finding Management

Finding Classification

Severity	Definition	Response Time
Major Nonconformity	Control failure creating significant risk	30 days
Minor Nonconformity	Isolated deviation with limited impact	90 days
Observation	Improvement opportunity	Next audit cycle

Finding Documentation Template

Finding ID: ISMS-[YEAR]-[NUMBER]
Control Reference: A.X.X - [Control Name]
Severity: [Major/Minor/Observation]

Evidence:
- [Specific evidence observed]
- [Records reviewed]
- [Interview statements]

Risk Impact:
- [Potential consequences if not addressed]

Root Cause:
- [Why the nonconformity occurred]

Recommendation:
- [Specific corrective action steps]

Corrective Action Workflow

Auditee acknowledges finding and severity
Root cause analysis completed within 10 days
Corrective action plan submitted with target dates
Actions implemented by responsible parties
Auditor verifies effectiveness of corrections
Finding closed with evidence of resolution
Validation: Root cause addressed, recurrence prevented

Certification Support

Stage 1 Audit Preparation

Ensure documentation is complete:

ISMS scope statement
Information security policy (management signed)
Statement of Applicability
Risk assessment methodology and results
Risk treatment plan
Internal audit results (past 12 months)
Management review minutes

Stage 2 Audit Preparation

Verify operational readiness:

All Stage 1 findings addressed
ISMS operational for minimum 3 months
Evidence of control implementation
Security awareness training records
Incident response evidence (if applicable)
Access review documentation

Surveillance Audit Cycle

Period	Focus
Year 1, Q2	High-risk controls, Stage 2 findings follow-up
Year 1, Q4	Continual improvement, control sample
Year 2, Q2	Full surveillance
Year 2, Q4	Re-certification preparation

Validation: No major nonconformities at surveillance audits.

Tools

scripts/

Script	Purpose	Usage
`isms_audit_scheduler.py`	Generate risk-based audit plans	`python scripts/isms_audit_scheduler.py --year 2025 --format markdown`

Audit Planning Example

# Generate annual audit plan
python scripts/isms_audit_scheduler.py --year 2025 --output audit_plan.json

# With custom control risk ratings
python scripts/isms_audit_scheduler.py --controls controls.csv --format markdown

References

File	Content
iso27001-audit-methodology.md	Audit program structure, pre-audit phase, certification support
security-control-testing.md	Technical verification procedures for ISO 27002 controls
cloud-security-audit.md	Cloud provider assessment, configuration security, IAM review

Audit Performance Metrics

KPI	Target	Measurement
Audit plan completion	100%	Audits completed vs. planned
Finding closure rate	>90% within SLA	Closed on time vs. total
Major nonconformities	0 at certification	Count per certification cycle
Audit effectiveness	Incidents prevented	Security improvements implemented

Cloud Security Audit Guide

Assessment framework for cloud service security verification.

Shared Responsibility Model
Cloud Provider Assessment
Configuration Security
Data Protection
Identity and Access Management

Shared Responsibility Model

Responsibility Matrix

Layer	IaaS	PaaS	SaaS
Data classification	Customer	Customer	Customer
Identity management	Customer	Customer	Shared
Application security	Customer	Shared	Provider
Network controls	Shared	Provider	Provider
Host infrastructure	Provider	Provider	Provider
Physical security	Provider	Provider	Provider

Audit Focus by Model

IaaS (AWS EC2, Azure VMs):

Virtual network configuration
OS hardening and patching
Application deployment security
Data encryption implementation

PaaS (Azure App Service, AWS Lambda):

Application code security
Data handling and encryption
Identity integration
Logging configuration

SaaS (Microsoft 365, Salesforce):

User access management
Data classification and handling
Security configuration settings
Integration security

Cloud Provider Assessment

Certification Verification

Check for current certifications:

ISO 27001 (Information Security)
ISO 27017 (Cloud Security)
ISO 27018 (Cloud Privacy)
SOC 2 Type II
CSA STAR certification

Verification Steps:

Request current certificates from provider
Verify certificate scope includes services used
Check certification expiration dates
Review SOC 2 report for relevant controls
Document any scope exclusions

Data Residency Compliance

Requirement	Verification
GDPR (EU data)	Confirm EU region availability
Data sovereignty	Verify no cross-border transfer
Backup location	Confirm backup region
Disaster recovery	Document DR site location

Provider Security Documentation

Request and review:

Shared responsibility documentation
Security whitepapers
Incident notification procedures
SLA for security incidents
Vulnerability disclosure policy

Configuration Security

AWS Security Assessment

Identity and Access (IAM):

Root account has MFA enabled
No access keys for root account
IAM policies follow least privilege
No wildcard (*) permissions on sensitive resources
Password policy meets requirements

Network Configuration (VPC):

Default VPCs removed or secured
Security groups follow least privilege
No 0.0.0.0/0 ingress on management ports
VPC flow logs enabled
Network ACLs configured appropriately

Storage (S3):

No public buckets (unless intended)
Bucket policies restrict access
Encryption at rest enabled
Versioning enabled for critical data
Access logging enabled

Logging (CloudTrail):

CloudTrail enabled in all regions
Log file validation enabled
Logs encrypted with KMS
S3 bucket for logs is secured
CloudWatch alarms configured

Azure Security Assessment

Identity (Azure AD):

MFA enabled for all users
Privileged Identity Management (PIM) configured
Conditional Access policies defined
Guest access restricted
Password protection enabled

Network (Virtual Networks):

NSG rules follow least privilege
No open management ports to internet
Network Watcher enabled
DDoS protection configured
Private endpoints for PaaS services

Storage:

No anonymous access to blob storage
Encryption at rest enabled
Shared access signatures time-limited
Storage analytics logging enabled
Soft delete enabled

Monitoring:

Azure Monitor enabled
Activity log exported to SIEM
Alerts configured for security events
Azure Security Center enabled
Diagnostic settings configured

Data Protection

Encryption Verification

At Rest:

Service	Encryption Check
Block storage	Verify CMK or provider-managed key
Object storage	Check default encryption settings
Databases	Confirm TDE or column encryption
Backups	Verify backup encryption

In Transit:

Connection	Requirement
User to application	TLS 1.2+ required
Service to service	Internal TLS or VPN
API communications	HTTPS only, no HTTP
Database connections	TLS required

Key Management Assessment

Customer-managed keys used for sensitive data
Key rotation policy defined and implemented
Key access restricted to authorized services
Key usage logged and monitored
Disaster recovery for keys documented

Data Classification in Cloud

Classification	Cloud Requirements
Confidential	CMK encryption, access logging, no public access
Internal	Encryption enabled, network restrictions
Public	Integrity protection, CDN appropriate

Identity and Access Management

Privileged Access Review

Identify all administrative roles
Verify role assignment justification
Check for standing vs. just-in-time access
Review privileged activity logs
Confirm MFA required for elevation

Service Account Assessment

Check	Verification
Inventory	All service accounts documented
Permissions	Least privilege applied
Credentials	Keys rotated per policy
Monitoring	Activity logged and reviewed
Ownership	Clear owner assigned

Federation and SSO

SSO configured for cloud console access
Conditional Access/MFA policies applied
Session timeout configured
Failed login monitoring enabled
Emergency access accounts documented

API Security

API keys not embedded in code
Secrets management service used
API access logged
Rate limiting configured
API permissions follow least privilege

ISO 27001 ISMS Audit Methodology

Complete audit framework and procedures for Information Security Management System assessments.

Audit Program Structure
Pre-Audit Phase
Audit Execution
Finding Classification
Certification Audit Support

Audit Program Structure

Annual Audit Schedule

Quarter	Focus Area	Audit Type
Q1	Access Control, Cryptography	Internal
Q2	Operations Security, Communications	Internal
Q3	System Acquisition, Supplier Relations	Internal
Q4	Full ISMS Review	Pre-certification

Risk-Based Scheduling

Prioritize audit frequency based on:

Asset criticality and data classification
Previous finding history
Regulatory requirements
Recent security incidents
Organizational changes

High Risk Areas (Quarterly):

Access management systems
Cryptographic key management
Incident response processes
Third-party access controls

Medium Risk Areas (Semi-Annual):

Change management
Backup and recovery
Physical security
Security awareness training

Lower Risk Areas (Annual):

Documentation management
Asset inventory
Business continuity planning

Pre-Audit Phase

Documentation Review Checklist

ISMS scope statement and boundaries
Information security policy (signed, current)
Statement of Applicability (SoA)
Risk assessment methodology and results
Risk treatment plan
Security objectives and metrics
Previous audit reports and corrective actions

Audit Plan Template

ISMS Audit Plan

Audit ID: ISMS-[YEAR]-[NUMBER]
Scope: [ISMS scope or specific controls]
Date: [Start] to [End]
Lead Auditor: [Name]
Audit Team: [Names]

Day 1:
  09:00 - Opening meeting
  10:00 - Document review (policies, SoA)
  14:00 - Interview: Information Security Manager

Day 2:
  09:00 - Technical control verification
  14:00 - Process observation

Day 3:
  09:00 - Remaining interviews
  14:00 - Finding consolidation
  16:00 - Closing meeting

Auditor Independence

Verify before audit assignment:

No operational responsibility for audited area
No recent (12 months) involvement in audited processes
No conflict of interest with auditees
Required competencies documented

Audit Execution

Evidence Collection Methods

Method	Use Case	Evidence Type
Document review	Policy verification	Screenshots, copies
Interviews	Process understanding	Notes, recordings
Observation	Operational checks	Photos, timestamps
Technical testing	Control effectiveness	System logs, reports

Interview Protocol

Introduce audit purpose and confidentiality
Explain interview will be documented
Ask open-ended questions about processes
Request evidence to support statements
Clarify any inconsistencies
Summarize key points before closing

Sample Interview Questions

For Security Managers:

Describe the risk assessment process
How are security incidents reported and managed?
What metrics track ISMS effectiveness?

For System Administrators:

How is privileged access managed?
Walk through the change management process
Show backup verification records

For End Users:

What security training have you received?
How do you report suspicious activity?
Describe the password policy requirements

Control Testing Procedures

Access Control (A.9):

Request user access list for critical system
Verify access rights match job roles
Check for terminated user accounts
Test password policy enforcement
Verify MFA configuration

Logging (A.12.4):

Confirm logging enabled on systems in scope
Verify log retention meets policy
Check log protection from tampering
Review sample security event alerts

Finding Classification

Severity Levels

Level	Definition	Response Time
Major Nonconformity	Failure of control, significant risk	30 days corrective action
Minor Nonconformity	Isolated deviation, limited impact	90 days corrective action
Observation	Improvement opportunity	Next audit cycle
Good Practice	Exceeds requirements	Document and share

Finding Documentation

Finding ID: ISMS-2025-001
Control Reference: A.9.2.3 - Management of privileged access
Severity: Major Nonconformity

Evidence:
- 15 shared admin accounts identified
- No approval records for privileged access
- Last access review: 18 months ago

Risk Impact:
- Unauthorized access to critical systems
- No accountability for admin actions
- Regulatory non-compliance

Root Cause:
- No defined process for privileged access management
- Insufficient tooling for access tracking

Recommendation:
- Implement PAM solution within 30 days
- Document and enforce privileged access process
- Conduct immediate access review

Corrective Action Tracking

Field	Content
Finding ID	Link to original finding
Root Cause	Why the nonconformity occurred
Corrective Action	Specific steps to address
Responsible Person	Named accountable party
Target Date	Completion deadline
Verification Method	How closure will be confirmed
Status	Open / In Progress / Closed

Certification Audit Support

Stage 1 Audit Preparation

Ensure availability of:

ISMS documentation (scope, policy, SoA)
Risk assessment records
Internal audit results from past 12 months
Management review minutes
Corrective action evidence

Stage 2 Audit Preparation

All Stage 1 findings addressed
ISMS operational for minimum 3 months
Evidence of control effectiveness
Training and awareness records
Incident response records (if any)

Surveillance Audit Cycle

Year	Quarter	Focus
Year 1	Q2	High-risk controls, Stage 2 findings
Year 1	Q4	Remaining controls sample
Year 2	Q2	Full surveillance
Year 2	Q4	Continual improvement evidence
Year 3	Q2	Re-certification preparation

Audit Findings Response Template

Subject: Response to Finding ISMS-2025-001

Finding: Major Nonconformity - Privileged Access Management

Root Cause Analysis:
[5 Whys or fishbone analysis results]

Corrective Action Plan:
1. [Action] - [Owner] - [Date]
2. [Action] - [Owner] - [Date]

Evidence of Correction:
- [Document/screenshot reference]

Preventive Measures:
- [Steps to prevent recurrence]

Verification Request: [Date auditor can verify]

Security Control Testing Guide

Technical verification procedures for ISO 27002 control assessment.

Control Testing Approach
Organizational Controls (A.5)
People Controls (A.6)
Physical Controls (A.7)
Technological Controls (A.8)

Control Testing Approach

Testing Methods

Method	Description	When to Use
Inquiry	Interview control owners	All controls
Observation	Watch process execution	Operational controls
Inspection	Review documentation/config	Policy controls
Re-performance	Execute control procedure	Critical controls

Sampling Guidelines

Population Size	Sample Size
1-10	All items
11-50	10 items
51-250	15 items
251+	25 items

Organizational Controls (A.5)

A.5.1 - Policies for Information Security

Test Procedure:

Obtain current information security policy
Verify management signature and approval date
Check policy is accessible to all employees
Confirm review within past 12 months
Sample 5 employees: verify awareness of policy location

Evidence Required:

Signed policy document
Intranet/portal screenshot showing policy access
Policy review meeting minutes
Employee acknowledgment records

A.5.15 - Access Control

Test Procedure:

Obtain access control policy
Select sample of 10 user accounts
Verify access rights match job descriptions
Check for segregation of duties violations
Verify access provisioning follows documented process

Evidence Required:

Access control policy
User access matrix
Access request forms with approvals
Role definitions

A.5.24 - Information Security Incident Management

Test Procedure:

Review incident management procedure
Select 3 recent incidents from log
Verify incidents followed documented process
Check escalation thresholds were respected
Confirm lessons learned were documented

Evidence Required:

Incident response procedure
Incident tickets with timeline
Escalation records
Post-incident review reports

People Controls (A.6)

A.6.1 - Screening

Test Procedure:

Review background check policy
Select 10 recent hires
Verify background checks completed before start
Check checks match role sensitivity level
Confirm records are securely stored

Evidence Required:

Screening policy
Background check completion records
Role risk classification matrix

A.6.3 - Information Security Awareness

Test Procedure:

Obtain training program documentation
Select sample of 15 employees
Verify training completion records
Review training content for currency
Check phishing simulation results

Evidence Required:

Training materials and schedule
LMS completion reports
Phishing test results
Training effectiveness metrics

A.6.7 - Remote Working

Test Procedure:

Review remote working policy
Verify VPN is required for remote access
Sample 5 remote worker devices for compliance
Check endpoint protection is active
Verify secure data handling requirements

Evidence Required:

Remote working policy
VPN connection logs
Endpoint compliance reports
Remote access agreement signatures

Physical Controls (A.7)

A.7.1 - Physical Security Perimeters

Test Procedure:

Walk perimeter of secure areas
Verify access controls at all entry points
Check visitor management process
Review after-hours access logs
Confirm emergency exits are secure

Evidence Required:

Site security plan
Access control system configuration
Visitor logs
Guard tour records

A.7.4 - Physical Security Monitoring

Test Procedure:

Verify CCTV coverage of critical areas
Check recording retention period
Review sample of recent alert responses
Confirm monitoring is 24/7 or as required
Verify footage protection and access controls

Evidence Required:

CCTV coverage map
Retention policy and settings
Alert response records
Access logs for footage viewing

Technological Controls (A.8)

A.8.2 - Privileged Access Rights

Test Procedure:

Obtain list of privileged accounts
Verify each has documented justification
Check separation of admin and user accounts
Confirm MFA is required for privileged access
Review privileged activity logs

Evidence Required:

Privileged account inventory
Access justification records
PAM solution configuration
Activity audit logs

A.8.5 - Secure Authentication

Test Procedure:

Review password policy configuration
Verify MFA enrollment rates
Test account lockout after failed attempts
Check authentication logging
Verify secure authentication protocols (no plaintext)

Evidence Required:

Password policy settings screenshot
MFA enrollment report
Account lockout configuration
Authentication audit logs

A.8.7 - Protection Against Malware

Test Procedure:

Verify endpoint protection coverage
Check definition update frequency
Review quarantine/detection logs
Confirm central management console
Test sample detection (EICAR)

Evidence Required:

Endpoint protection deployment report
Update status dashboard
Detection/quarantine logs
EICAR test results

A.8.8 - Management of Technical Vulnerabilities

Test Procedure:

Obtain vulnerability scanning schedule
Review recent scan results
Verify critical vulnerabilities patched within SLA
Check vulnerability tracking system
Sample 5 critical findings for remediation evidence

Evidence Required:

Scanning schedule and scope
Scan reports with severity breakdown
Patch deployment records
Remediation tracking tickets

A.8.13 - Information Backup

Test Procedure:

Review backup policy and schedule
Verify backup completion logs
Check encryption of backup data
Request recent restoration test results
Verify offsite/cloud backup location

Evidence Required:

Backup policy
Backup job completion logs
Encryption configuration
Restoration test records

A.8.15 - Logging

Test Procedure:

Identify systems requiring logging
Verify logging is enabled and configured
Check log retention meets requirements
Confirm log integrity protection
Verify SIEM integration and alerting

Evidence Required:

Logging requirements matrix
Log configuration screenshots
Retention settings
SIEM alert rules

A.8.24 - Use of Cryptography

Test Procedure:

Review cryptography policy
Verify encryption at rest configuration
Check TLS configuration (version, ciphers)
Review key management procedures
Verify certificate inventory and expiration tracking

Evidence Required:

Cryptography policy
Encryption configuration settings
SSL/TLS scan results
Key management procedures
Certificate inventory

#!/usr/bin/env python3
"""
ISMS Audit Scheduler

Risk-based audit planning and scheduling for ISO 27001 compliance.
Generates annual audit plans based on control risk ratings.

Usage:
    python isms_audit_scheduler.py --year 2025 --output audit_plan.json
    python isms_audit_scheduler.py --controls controls.csv --format markdown
"""

import argparse
import csv
import json
import sys
from datetime import datetime, timedelta
from typing import Dict, List, Any, Optional


# ISO 27001:2022 Annex A control domains
CONTROL_DOMAINS = {
    "A.5": {"name": "Organizational Controls", "count": 37},
    "A.6": {"name": "People Controls", "count": 8},
    "A.7": {"name": "Physical Controls", "count": 14},
    "A.8": {"name": "Technological Controls", "count": 34},
}

# Default risk ratings for control areas
DEFAULT_RISK_RATINGS = {
    "A.5.1": {"name": "Policies for information security", "risk": "medium"},
    "A.5.2": {"name": "Information security roles", "risk": "medium"},
    "A.5.15": {"name": "Access control", "risk": "high"},
    "A.5.24": {"name": "Incident management planning", "risk": "high"},
    "A.5.25": {"name": "Assessment of security events", "risk": "high"},
    "A.6.1": {"name": "Screening", "risk": "medium"},
    "A.6.3": {"name": "Information security awareness", "risk": "medium"},
    "A.6.7": {"name": "Remote working", "risk": "high"},
    "A.7.1": {"name": "Physical security perimeters", "risk": "medium"},
    "A.7.4": {"name": "Physical security monitoring", "risk": "medium"},
    "A.8.2": {"name": "Privileged access rights", "risk": "critical"},
    "A.8.5": {"name": "Secure authentication", "risk": "critical"},
    "A.8.7": {"name": "Protection against malware", "risk": "high"},
    "A.8.8": {"name": "Management of vulnerabilities", "risk": "critical"},
    "A.8.13": {"name": "Information backup", "risk": "high"},
    "A.8.15": {"name": "Logging", "risk": "critical"},
    "A.8.20": {"name": "Networks security", "risk": "high"},
    "A.8.24": {"name": "Use of cryptography", "risk": "high"},
}

# Audit frequency based on risk level
AUDIT_FREQUENCY = {
    "critical": 4,  # Quarterly
    "high": 2,      # Semi-annual
    "medium": 1,    # Annual
    "low": 1,       # Annual
}


def load_controls_from_csv(filepath: str) -> Dict[str, Dict]:
    """Load control risk ratings from CSV file."""
    controls = {}
    try:
        with open(filepath, "r", encoding="utf-8") as f:
            reader = csv.DictReader(f)
            for row in reader:
                control_id = row.get("control_id", row.get("id", ""))
                if control_id:
                    controls[control_id] = {
                        "name": row.get("name", "Unknown"),
                        "risk": row.get("risk", "medium").lower(),
                    }
    except FileNotFoundError:
        print(f"Error: File not found: {filepath}", file=sys.stderr)
        sys.exit(1)
    return controls


def calculate_audit_dates(
    year: int,
    frequency: int
) -> List[str]:
    """Calculate audit dates based on frequency."""
    dates = []
    interval = 12 // frequency
    for i in range(frequency):
        month = (i * interval) + 2  # Start in February
        if month > 12:
            month = month - 12
        date = datetime(year, month, 15)
        dates.append(date.strftime("%Y-%m-%d"))
    return dates


def generate_audit_plan(
    year: int,
    controls: Optional[Dict[str, Dict]] = None
) -> Dict[str, Any]:
    """Generate risk-based annual audit plan."""
    if controls is None:
        controls = DEFAULT_RISK_RATINGS

    plan = {
        "metadata": {
            "year": year,
            "generated": datetime.now().isoformat(),
            "methodology": "ISO 27001 Risk-Based Internal Auditing",
            "total_controls": len(controls),
        },
        "schedule": {
            "Q1": {"month": "February-March", "audits": []},
            "Q2": {"month": "May-June", "audits": []},
            "Q3": {"month": "August-September", "audits": []},
            "Q4": {"month": "November", "audits": []},
        },
        "controls": {},
    }

    # Assign controls to quarters based on risk
    for control_id, control_data in controls.items():
        risk = control_data.get("risk", "medium")
        frequency = AUDIT_FREQUENCY.get(risk, 1)
        audit_dates = calculate_audit_dates(year, frequency)

        plan["controls"][control_id] = {
            "name": control_data.get("name", "Unknown"),
            "risk": risk,
            "frequency": frequency,
            "scheduled_audits": audit_dates,
        }

        # Add to quarterly schedule
        for i, date in enumerate(audit_dates):
            month = int(date.split("-")[1])
            if month <= 3:
                quarter = "Q1"
            elif month <= 6:
                quarter = "Q2"
            elif month <= 9:
                quarter = "Q3"
            else:
                quarter = "Q4"

            plan["schedule"][quarter]["audits"].append({
                "control_id": control_id,
                "control_name": control_data.get("name", "Unknown"),
                "risk_level": risk,
                "target_date": date,
            })

    # Sort audits within each quarter
    for quarter in plan["schedule"]:
        plan["schedule"][quarter]["audits"].sort(
            key=lambda x: (
                {"critical": 0, "high": 1, "medium": 2, "low": 3}.get(x["risk_level"], 4),
                x["target_date"]
            )
        )

    # Calculate summary statistics
    risk_counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    total_audits = 0
    for control_data in plan["controls"].values():
        risk_counts[control_data["risk"]] += 1
        total_audits += control_data["frequency"]

    plan["summary"] = {
        "total_controls_in_scope": len(controls),
        "total_audits_planned": total_audits,
        "risk_distribution": risk_counts,
        "audits_per_quarter": {
            q: len(plan["schedule"][q]["audits"])
            for q in plan["schedule"]
        },
    }

    return plan


def format_markdown(plan: Dict[str, Any]) -> str:
    """Format audit plan as markdown."""
    lines = [
        f"# ISMS Audit Plan {plan['metadata']['year']}",
        f"",
        f"**Generated:** {plan['metadata']['generated'][:10]}",
        f"**Methodology:** {plan['metadata']['methodology']}",
        f"",
        f"## Summary",
        f"",
        f"| Metric | Value |",
        f"|--------|-------|",
        f"| Controls in Scope | {plan['summary']['total_controls_in_scope']} |",
        f"| Total Audits Planned | {plan['summary']['total_audits_planned']} |",
        f"| Critical Risk Controls | {plan['summary']['risk_distribution']['critical']} |",
        f"| High Risk Controls | {plan['summary']['risk_distribution']['high']} |",
        f"| Medium Risk Controls | {plan['summary']['risk_distribution']['medium']} |",
        f"",
    ]

    for quarter, data in plan["schedule"].items():
        lines.extend([
            f"## {quarter}: {data['month']}",
            f"",
            f"| Control | Name | Risk | Target Date |",
            f"|---------|------|------|-------------|",
        ])
        for audit in data["audits"]:
            lines.append(
                f"| {audit['control_id']} | {audit['control_name']} | "
                f"{audit['risk_level'].capitalize()} | {audit['target_date']} |"
            )
        lines.append("")

    lines.extend([
        f"## Risk-Based Audit Frequency",
        f"",
        f"| Risk Level | Audit Frequency |",
        f"|------------|-----------------|",
        f"| Critical | Quarterly (4x/year) |",
        f"| High | Semi-Annual (2x/year) |",
        f"| Medium | Annual (1x/year) |",
        f"| Low | Annual (1x/year) |",
    ])

    return "\n".join(lines)


def main():
    parser = argparse.ArgumentParser(
        description="ISMS Audit Scheduler - Risk-based audit planning"
    )
    parser.add_argument(
        "--year", "-y",
        type=int,
        default=datetime.now().year,
        help="Audit plan year (default: current year)"
    )
    parser.add_argument(
        "--controls", "-c",
        help="CSV file with control risk ratings"
    )
    parser.add_argument(
        "--output", "-o",
        help="Output file path"
    )
    parser.add_argument(
        "--format", "-f",
        choices=["json", "markdown"],
        default="json",
        help="Output format (default: json)"
    )

    args = parser.parse_args()

    # Load controls
    controls = None
    if args.controls:
        controls = load_controls_from_csv(args.controls)

    # Generate plan
    plan = generate_audit_plan(args.year, controls)

    # Format output
    if args.format == "markdown":
        output = format_markdown(plan)
    else:
        output = json.dumps(plan, indent=2)

    # Write output
    if args.output:
        with open(args.output, "w", encoding="utf-8") as f:
            f.write(output)
        print(f"Audit plan saved to: {args.output}", file=sys.stderr)
    else:
        print(output)


if __name__ == "__main__":
    main()

Install this Skill

Skills give your AI agent a consistent, structured approach to this task — better output than a one-off prompt.

npx skills add alirezarezvani/claude-skills --skill ra-qm-team/isms-audit-expert

Download ZIP

Community skill by @alirezarezvani. Need a walkthrough? See the install guide →

Works with

Claude Code OpenAI Codex CLI Gemini CLI

Prefer no terminal? Download the ZIP and place it manually.

Details

Category: Compliance
License: MIT
Author: @alirezarezvani
Source: GitHub →
Source file: show path
ra-qm-team/isms-audit-expert/SKILL.md

ISO-27001 audit ISMS compliance information-security

People who install this also use

🔐

Information Security Manager (ISO 27001)

Implement and manage an ISMS per ISO 27001/27002 — risk assessments, security controls, incident management, and certification readiness.

@alirezarezvani

🔐

CISO Advisor

Information security leadership — risk quantification, compliance roadmaps (SOC2, ISO 27001), security architecture, and board-level security reporting.

@alirezarezvani

✅

QMS Audit Expert

Conduct ISO 13485 internal quality management system audits — audit planning, process evaluation, nonconformance reports, and certification support.

@alirezarezvani

ISMS Audit Expert

ISMS Audit Expert

Table of Contents

Audit Program Management

Risk-Based Audit Schedule

Annual Audit Planning Workflow

Auditor Competency Requirements

Audit Execution

Pre-Audit Preparation

Audit Conduct Steps

Control Assessment

Control Testing Approach

Finding Management

Finding Classification

Finding Documentation Template

Corrective Action Workflow

Certification Support

Stage 1 Audit Preparation

Stage 2 Audit Preparation

Surveillance Audit Cycle

Tools

scripts/

Audit Planning Example

References

Audit Performance Metrics

Cloud Security Audit Guide

Table of Contents

Shared Responsibility Model

Responsibility Matrix

Audit Focus by Model

Cloud Provider Assessment

Certification Verification

Data Residency Compliance

Provider Security Documentation

Configuration Security

AWS Security Assessment

Azure Security Assessment

Data Protection

Encryption Verification

Key Management Assessment

Data Classification in Cloud

Identity and Access Management

Privileged Access Review

Service Account Assessment

Federation and SSO

API Security

ISO 27001 ISMS Audit Methodology

Table of Contents

Audit Program Structure

Annual Audit Schedule

Risk-Based Scheduling

Pre-Audit Phase

Documentation Review Checklist

Audit Plan Template

Auditor Independence

Audit Execution

Evidence Collection Methods

Interview Protocol

Sample Interview Questions

Control Testing Procedures

Finding Classification

Severity Levels

Finding Documentation

Corrective Action Tracking

Certification Audit Support

Stage 1 Audit Preparation

Stage 2 Audit Preparation

Surveillance Audit Cycle

Audit Findings Response Template

Security Control Testing Guide

Table of Contents

Control Testing Approach

Testing Methods

Sampling Guidelines

Organizational Controls (A.5)

A.5.1 - Policies for Information Security

A.5.15 - Access Control

A.5.24 - Information Security Incident Management

People Controls (A.6)

A.6.1 - Screening