19 changes: 18 additions & 1 deletion skills/compliance/iso27001-gap/SKILL.md
Expand Up @@ -13,7 +13,7 @@ phase: [assess, operate]
frameworks: [ISO/IEC-27001:2022, ISO/IEC-27002:2022]
difficulty: intermediate
time_estimate: "90-180min"
version: "1.0.0"
version: "1.0.1"
author: unitoneai
license: MIT
allowed-tools: Read, Grep, Glob
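Review bot: the bump from "1.0.0" to "1.0.1" in the frontmatter undersells what this commit changes. The other hunks add a mandatory evidence matrix to Step 6, a new `Fail` rule, a new report section and a new pitfall, which alters what the skill requires of an assessment rather than fixing a defect; a minor bump ("1.1.0") would signal that to consumers pinning on the version, and a short changelog line naming the new Internal Audit Evidence Matrix would help readers of the frontmatter.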
Expand Down Expand Up @@ -325,6 +325,15 @@ Exclusions are permitted only where the control is genuinely not applicable to t

### Step 6: Internal Audit Readiness (Clause 9.2)


Require audit-program evidence that proves scope, criteria, risk-based sampling, impartiality, reporting, and corrective-action tracking before marking Clause 9.2 ready.

| Audit Area | Scope / Criteria | Risk-Based Sampling Basis | Auditor / Impartiality Evidence | Records Sampled | Management Reporting | Corrective Action Link | Currentness | Result |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| `[process/control]` | `[clause/control/criteria]` | `[risk, importance, prior results]` | `[independence evidence]` | `[records/interviews/tests]` | `[report recipient/date]` | `[owner, due date, RCA, verification]` | `Current / Stale / Unknown` | `Pass / Fail / Unknown` |

Mark `Fail` when an audit schedule exists but sampling, impartiality, or corrective-action evidence is missing.

Assess internal audit program against requirements:

- Audit program planned, taking into account importance of processes and results of previous audits
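Review bot: the `Fail` rule at "Mark `Fail` when an audit schedule exists but sampling, impartiality, or corrective-action evidence is missing." is narrower than the requirement sentence two lines above it, which also names scope, criteria and management reporting as evidence that must be proven before Clause 9.2 is ready. Either extend the `Fail` rule to cover missing reporting or scope/criteria evidence, or state that those gaps map to `Unknown`, so an assessor filling the table reaches the same verdict for the same evidence. The `Currentness` column also offers `Current / Stale / Unknown` without saying what makes a record stale; tying it to the audit cycle described in the existing "Audit program planned ..." bullet would make it checkable. Finally, the hunk introduces two consecutive blank lines after the "### Step 6" heading where the file otherwise uses one.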
Expand Down Expand Up @@ -413,6 +422,12 @@ Classify each finding using the following severity levels:
## Risk Assessment Findings
[Summary of risk methodology review, gaps in risk register, treatment plan status]

## Internal Audit Evidence Matrix

| Audit Area | Scope / Criteria | Sampling Basis | Impartiality | Sampled Evidence | Reporting | Corrective Action | Currentness | Result |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| `[area]` | `[criteria]` | `[basis]` | `[evidence]` | `[sample]` | `[report]` | `[action]` | `Current / Stale / Unknown` | `Pass / Fail / Unknown` |

## Prioritized Remediation Roadmap

### Phase 1: Critical (0-30 days)
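Review bot: the column headers in this report matrix ("Sampling Basis", "Impartiality", "Sampled Evidence", "Reporting", "Corrective Action") do not match the assessment table added to Step 6 in the same commit ("Risk-Based Sampling Basis", "Auditor / Impartiality Evidence", "Records Sampled", "Management Reporting", "Corrective Action Link"), and the placeholders are likewise reduced from `[owner, due date, RCA, verification]` to `[action]`. Since the report section is meant to be populated from the Step 6 assessment, use one header set and one placeholder set in both tables so rows can be copied across without re-mapping, and keep the richer corrective-action placeholder, which is the part auditors check.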
Expand Down Expand Up @@ -501,6 +516,8 @@ Each control in ISO 27002:2022 is tagged with five attributes:

---

- Treating a calendar invite or summary slide as internal-audit readiness without risk-based sampling, impartiality, management reporting, and corrective-action evidence.

## Common Pitfalls

1. **Treating Annex A as a checklist rather than risk-driven selection.** ISO 27001 requires controls to be selected through the risk treatment process (Clause 6.1.3). Auditors expect the SoA to trace each included control back to identified risks or legal/contractual requirements, not blanket inclusion of all 93 controls.
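Review bot: the new bullet "- Treating a calendar invite or summary slide as internal-audit readiness ..." is inserted above the "## Common Pitfalls" heading, directly after the `---` rule that closes the preceding section on ISO 27002 attributes, so it renders as a stray bullet in the wrong section. It also uses a `-` bullet while the Common Pitfalls list is numbered with a bold lead-in sentence. Move it below the heading as a numbered item in the same shape as the existing entries, e.g. "N. **Treating a calendar invite or summary slide as internal-audit readiness.** Clause 9.2 readiness requires risk-based sampling, impartiality, management reporting and corrective-action evidence.", with the number following the last existing item.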