From 35a519ef4294e1eae9bf619ea41d2ebff341bd8a Mon Sep 17 00:00:00 2001 From: cuph7022 <156067184+cuph7022@users.noreply.github.com> Date: Mon, 8 Jun 2026 15:14:12 +0700 Subject: [PATCH] Add ISO internal audit evidence gates --- skills/compliance/iso27001-gap/SKILL.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/skills/compliance/iso27001-gap/SKILL.md b/skills/compliance/iso27001-gap/SKILL.md index ff8d0279..e8a60aba 100644 --- a/skills/compliance/iso27001-gap/SKILL.md +++ b/skills/compliance/iso27001-gap/SKILL.md @@ -13,7 +13,7 @@ phase: [assess, operate] frameworks: [ISO/IEC-27001:2022, ISO/IEC-27002:2022] difficulty: intermediate time_estimate: "90-180min" -version: "1.0.0" +version: "1.0.1" author: unitoneai license: MIT allowed-tools: Read, Grep, Glob @@ -325,6 +325,15 @@ Exclusions are permitted only where the control is genuinely not applicable to t ### Step 6: Internal Audit Readiness (Clause 9.2) + +Require audit-program evidence that proves scope, criteria, risk-based sampling, impartiality, reporting, and corrective-action tracking before marking Clause 9.2 ready. + +| Audit Area | Scope / Criteria | Risk-Based Sampling Basis | Auditor / Impartiality Evidence | Records Sampled | Management Reporting | Corrective Action Link | Currentness | Result | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | +| `[process/control]` | `[clause/control/criteria]` | `[risk, importance, prior results]` | `[independence evidence]` | `[records/interviews/tests]` | `[report recipient/date]` | `[owner, due date, RCA, verification]` | `Current / Stale / Unknown` | `Pass / Fail / Unknown` | + +Mark `Fail` when an audit schedule exists but sampling, impartiality, or corrective-action evidence is missing. + Assess internal audit program against requirements: - Audit program planned, taking into account importance of processes and results of previous audits 
@@ -413,6 +422,12 @@ Classify each finding using the following severity levels: ## Risk Assessment Findings [Summary of risk methodology review, gaps in risk register, treatment plan status] +## Internal Audit Evidence Matrix + +| Audit Area | Scope / Criteria | Sampling Basis | Impartiality | Sampled Evidence | Reporting | Corrective Action | Currentness | Result | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | +| `[area]` | `[criteria]` | `[basis]` | `[evidence]` | `[sample]` | `[report]` | `[action]` | `Current / Stale / Unknown` | `Pass / Fail / Unknown` | + ## Prioritized Remediation Roadmap ### Phase 1: Critical (0-30 days) @@ -501,6 +516,8 @@ Each control in ISO 27002:2022 is tagged with five attributes: --- +- Treating a calendar invite or summary slide as internal-audit readiness without risk-based sampling, impartiality, management reporting, and corrective-action evidence. + ## Common Pitfalls 1. **Treating Annex A as a checklist rather than risk-driven selection.** ISO 27001 requires controls to be selected through the risk treatment process (Clause 6.1.3). Auditors expect the SoA to trace each included control back to identified risks or legal/contractual requirements, not blanket inclusion of all 93 controls.
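Review bot: the first hunk bumps `version` from "1.0.0" to "1.0.1", but the rest of the patch adds a new blocking gate ("before marking Clause 9.2 ready") and a new report section, which changes what a run of this skill requires and produces; that reads as a feature change rather than a patch fix, so consider "1.1.0", and note that `time_estimate: "90-180min"` is left unchanged even though the new evidence matrix adds work per audit area.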
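Review bot: in the Step 6 hunk the `Fail` rule only covers "sampling, impartiality, or corrective-action evidence", yet the preceding sentence also requires scope, criteria, and management reporting, and the table carries `Scope / Criteria` and `Management Reporting` columns; state what missing scope/criteria or reporting evidence yields, and define when `Unknown` (rather than `Fail`) applies for `Result` and when `Stale` applies for `Currentness`, since neither threshold is given. Also, the hunk inserts an empty `+` line directly after `### Step 6: Internal Audit Readiness (Clause 9.2)`, which already had a blank line following it, so the rendered file gets a double blank line there.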
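Review bot: the `## Internal Audit Evidence Matrix` added to the report template uses different column names from the Step 6 table it is meant to be filled from (`Sampling Basis` vs `Risk-Based Sampling Basis`, `Impartiality` vs `Auditor / Impartiality Evidence`, `Sampled Evidence` vs `Records Sampled`, `Reporting` vs `Management Reporting`, `Corrective Action` vs `Corrective Action Link`); use one header set in both places so assessors map cells without guessing, or add a sentence saying the matrix is populated from the Step 6 table.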
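Review bot: the new pitfall bullet is inserted after the `---` rule and before the `## Common Pitfalls` heading, so it lands at the end of the previous section rather than in the pitfalls list, and it uses a `-` bullet while the existing pitfalls are numbered bold entries such as `1. **Treating Annex A as a checklist rather than risk-driven selection.**`; move it below the heading and into that numbered format, e.g. `N. **Treating a calendar invite or summary slide as internal-audit readiness.** ...` followed by the sampling, impartiality, reporting, and corrective-action explanation.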