一键导入
isms-audit-expert
Information Security Management System auditing for ISO 27001 compliance, security control assessment, and certification support
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Information Security Management System auditing for ISO 27001 compliance, security control assessment, and certification support
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Agile product ownership for backlog management and sprint execution. Covers user story writing, acceptance criteria, sprint planning, and velocity tracking. Use for writing user stories, creating acceptance criteria, planning sprints, estimating story points, breaking down epics, or prioritizing backlog.
App Store Optimization toolkit for researching keywords, optimizing metadata, and tracking mobile app performance on Apple App Store and Google Play Store.
B2B demand generation with CAC optimization, multi-channel strategies, and lead qualification frameworks. Use for lead acquisition, nurture campaigns, and conversion optimization. Based on alirezarezvani/claude-skills.
Agile product ownership for backlog management and sprint execution. Covers user story writing, acceptance criteria, sprint planning, and velocity tracking. Use for writing user stories, creating acceptance criteria, planning sprints, estimating story points, breaking down epics, or prioritizing backlog.
App Store Optimization toolkit for researching keywords, optimizing metadata, and tracking mobile app performance on Apple App Store and Google Play Store.
Design AWS architectures for startups using serverless patterns and IaC templates. Use when asked to design serverless architecture, create CloudFormation templates, optimize AWS costs, set up CI/CD pipelines, or migrate to AWS. Covers Lambda, API Gateway, DynamoDB, ECS, Aurora, and cost optimization.
| name | isms-audit-expert |
| description | Information Security Management System auditing for ISO 27001 compliance, security control assessment, and certification support |
| triggers | ["ISMS audit","ISO 27001 audit","security audit","internal audit ISO 27001","security control assessment","certification audit","surveillance audit","audit finding","nonconformity"] |
Internal and external ISMS audit management for ISO 27001 compliance verification, security control assessment, and certification support.
| Risk Level | Audit Frequency | Examples |
|---|---|---|
| Critical | Quarterly | Privileged access, vulnerability management, logging |
| High | Semi-annual | Access control, incident response, encryption |
| Medium | Annual | Policies, awareness training, physical security |
| Low | Annual | Documentation, asset inventory |
Opening Meeting
Evidence Collection
Control Verification
Closing Meeting
Validation: All controls in scope assessed with documented evidence
| Method | Use Case | Example |
|---|---|---|
| Inquiry | Process understanding | Interview Security Manager about incident response |
| Observation | Operational verification | Watch visitor sign-in process |
| Inspection | Documentation review | Check access approval records |
| Re-performance | Control testing | Attempt login with weak password |
Organizational Controls (A.5):
People Controls (A.6):
Physical Controls (A.7):
Technological Controls (A.8):
| Severity | Definition | Response Time |
|---|---|---|
| Major Nonconformity | Control failure creating significant risk | 30 days |
| Minor Nonconformity | Isolated deviation with limited impact | 90 days |
| Observation | Improvement opportunity | Next audit cycle |
Finding ID: ISMS-[YEAR]-[NUMBER]
Control Reference: A.X.X - [Control Name]
Severity: [Major/Minor/Observation]
Evidence:
- [Specific evidence observed]
- [Records reviewed]
- [Interview statements]
Risk Impact:
- [Potential consequences if not addressed]
Root Cause:
- [Why the nonconformity occurred]
Recommendation:
- [Specific corrective action steps]
Ensure documentation is complete:
Verify operational readiness:
| Period | Focus |
|---|---|
| Year 1, Q2 | High-risk controls, Stage 2 findings follow-up |
| Year 1, Q4 | Continual improvement, control sample |
| Year 2, Q2 | Full surveillance |
| Year 2, Q4 | Re-certification preparation |
Validation: No major nonconformities at surveillance audits.
| Script | Purpose | Usage |
|---|---|---|
isms_audit_scheduler.py | Generate risk-based audit plans | python scripts/isms_audit_scheduler.py --year 2025 --format markdown |
# Generate annual audit plan
python scripts/isms_audit_scheduler.py --year 2025 --output audit_plan.json
# With custom control risk ratings
python scripts/isms_audit_scheduler.py --controls controls.csv --format markdown
| File | Content |
|---|---|
| iso27001-audit-methodology.md | Audit program structure, pre-audit phase, certification support |
| security-control-testing.md | Technical verification procedures for ISO 27002 controls |
| cloud-security-audit.md | Cloud provider assessment, configuration security, IAM review |
| KPI | Target | Measurement |
|---|---|---|
| Audit plan completion | 100% | Audits completed vs. planned |
| Finding closure rate | >90% within SLA | Closed on time vs. total |
| Major nonconformities | 0 at certification | Count per certification cycle |
| Audit effectiveness | Incidents prevented | Security improvements implemented |
| Framework | ISMS Audit Relevance |
|---|---|
| GDPR | A.5.34 Privacy, A.8.10 Information deletion |
| HIPAA | Access controls, audit logging, encryption |
| PCI DSS | Network security, access control, monitoring |
| SOC 2 | Trust Services Criteria mapped to ISO 27002 |