Add ISO internal audit evidence gates #1634

Open

yZangEren wants to merge 2 commits into UnitOneAI:main from yZangEren:improve/iso27001-internal-audit-gates

Conversation

yZangEren commented Jun 7, 2026

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: iso27001-gap
Skill path: skills/compliance/iso27001-gap/

What Was Wrong

The skill correctly mentioned Clause 9.2 internal audit readiness, but the section was too shallow to prevent a false-ready assessment. An organization could provide an audit calendar and a final summary slide, while missing the evidence needed to prove:

  • risk-based audit program planning;
  • audit criteria and scope per engagement;
  • auditor objectivity and impartiality;
  • sample population and sampling method;
  • retained workpapers and management reporting;
  • corrective action ownership, root cause, implementation evidence, and effectiveness verification.

This makes Clause 9.2 and Clause 10.2 readiness harder to evaluate during a real ISO 27001:2022 gap analysis.

Related review issue: #1633.

What This PR Fixes

  • Adds ISO-AUDIT-01 through ISO-AUDIT-07 evidence gates for audit program planning, criteria/scope, impartiality, sampling, evidence retention, management reporting, and corrective action linkage.
  • Adds a small-organization independence pattern so limited staffing is handled fairly without accepting self-audit conflicts as sufficient evidence.
  • Adds sampling and workpaper traceability guidance.
  • Links internal audit findings to Clause 10.2 corrective action closure and effectiveness verification.
  • Updates the output template with internal audit and corrective action evidence tables.
  • Adds two common pitfalls and bumps the skill version to 1.0.1.
  • Adds vulnerable and benign markdown fixtures to show the intended false-ready and acceptable-evidence outcomes.

Evidence

Before (skill can over-credit weak audit evidence):

Internal audit plan:
  Q1: review access control policy
  Q2: review supplier contracts
  Q3: review incident response procedure
  Q4: review backup procedure
Auditor: CISO performs all audits
Evidence retained:
  - calendar invite
  - final summary slide

After (now requires auditable evidence fields):

Audit ID:
Audit objective:
Criteria: [ISO clause/control, policy, procedure, contract]
Scope: [process, site, system, period]
Population: [record set reviewed]
Sampling method: [judgmental / random / risk-based / full population]
Selected samples: [record IDs, dates, owners]
Evidence retained: [links or storage location]
Conclusion:
Finding IDs:

The output report now also includes:

## Internal Audit Program Evidence
| Audit Area | Criteria | Scope | Risk / Prior Finding Link | Sample Method | Auditor | Independence Evidence | Result | Management Reported | Corrective Action Link |

## Corrective Action Closure Evidence
| Finding | ISO Ref | Root Cause | Owner | Due Date | Action Taken | Effectiveness Evidence | Closure Date | Status |

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
    • skills/compliance/iso27001-gap/tests/vulnerable/internal-audit-calendar-only.md
  • Added benign test cases (tests/benign/)
    • skills/compliance/iso27001-gap/tests/benign/audit-program-with-sampling-and-closure.md
  • Existing checks still pass

The vulnerable fixture is a calendar-only internal audit program with self-audit, no audit criteria/scope, no sampling basis, weak retained evidence, and no corrective-action closure proof. It should trigger the new ISO-AUDIT-* findings.

The benign fixture includes criteria, scope, risk/prior-finding linkage, independence evidence, sample population and method, retained workpapers, management reporting, and a closed corrective action with effectiveness evidence. It should not trigger ISO-AUDIT-01 through ISO-AUDIT-07.

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Crypto. Payment details can be provided privately after maintainer acceptance.

Validation

  • git diff --cached --check before the fixture commit: clean.
  • git diff --check after the fixture commit: clean.
  • Markdown fence balance check for SKILL.md and both new fixtures: passed.
  • Marker checks for version: "1.0.1", ISO-AUDIT-01, ISO-AUDIT-07, Internal Audit Program Evidence, and Corrective Action Closure Evidence: passed.
  • Added fixture ASCII checks: passed.
  • Added fixture prompt-injection/sensitive phrase scan: no matches.
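As an added illustration, and not the skill's own logic or code from this PR: a small Python checker that parses the audit-record template shown in the Evidence section and reports which of the seven gates a record leaves unsatisfied, run over a constructed calendar-only record and a constructed complete record. The field-to-gate mapping follows the order of gates listed in the PR text and is an assumption, as is the rule that "Evidence retained" must name a link or storage location.

```python
import re

# Assumed mapping of the seven gates named in the PR to the template fields each needs.
GATES = {
    "ISO-AUDIT-01": ["Audit objective", "Risk / Prior Finding Link"],      # program planning
    "ISO-AUDIT-02": ["Criteria", "Scope"],                                 # criteria and scope
    "ISO-AUDIT-03": ["Auditor", "Independence Evidence"],                  # impartiality
    "ISO-AUDIT-04": ["Population", "Sampling method", "Selected samples"], # sampling basis
    "ISO-AUDIT-05": ["Evidence retained"],                                 # workpaper retention
    "ISO-AUDIT-06": ["Management Reported"],                               # management reporting
    "ISO-AUDIT-07": ["Finding IDs", "Corrective Action Link"],             # Clause 10.2 linkage
}
PLACEHOLDER = re.compile(r"^\[.*\]$")  # untouched template hint such as "[process, site, ...]"

def parse_record(text):
    """Turn 'Field: value' lines into a dict; blank values and template hints count as missing."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.strip()
        if value and not PLACEHOLDER.match(value):
            record[key.strip()] = value
    return record

def evaluate(text):
    """Return the gate IDs the record fails; an empty list means all seven gates are satisfied."""
    record = parse_record(text)
    failed = []
    for gate, fields in GATES.items():
        missing = [f for f in fields if f not in record]
        # Assumed rule: a description of artifacts ("calendar invite") is not a retained workpaper
        # location; the template asks for links or a storage path.
        if gate == "ISO-AUDIT-05" and not missing and "/" not in record["Evidence retained"]:
            missing = ["Evidence retained (no link or storage location)"]
        if missing:
            failed.append(gate)
    return failed

# Constructed sample records (not the PR's fixtures): calendar-only self-audit vs. a complete record.
WEAK = """Audit ID: IA-2026-Q1
Audit objective: review access control policy
Auditor: CISO performs all audits
Evidence retained: calendar invite, final summary slide
"""
STRONG = WEAK.replace("Auditor: CISO performs all audits", "Auditor: contracted external auditor") \
    .replace("Evidence retained: calendar invite, final summary slide",
             "Evidence retained: https://example.invalid/audits/IA-2026-Q1/workpapers") + """\
Criteria: ISO 27001:2022 A.5.18, Access Control Policy v3
Scope: HR system, Q1 2026
Risk / Prior Finding Link: RISK-014, F-2025-07
Independence Evidence: signed impartiality statement; auditor not involved in HR system operations
Population: 120 access review records
Sampling method: risk-based
Selected samples: AR-001, AR-017, AR-042
Management Reported: ISMS review minutes 2026-04-02
Finding IDs: F-2026-01
Corrective Action Link: CA-2026-01
"""
```

Running `evaluate(WEAK)` reports all seven gates, matching the calendar-only outcome the PR describes, while `evaluate(STRONG)` reports none.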
