
Pro ISMS Audit Expert

A skill for senior ISMS audit experts. Includes structured workflows, validation checks, and reusable patterns for enterprise communication.

Skill | Cliptics | enterprise communication | v1.0.0 | MIT

Pro ISMS Audit Expert

A specialized skill for Information Security Management System (ISMS) auditing — covering ISO 27001 compliance assessment, security control evaluation, internal audit planning, nonconformity management, risk assessment, and certification preparation.

When to Use This Skill

Choose Pro ISMS Audit Expert when you need to:

  • Plan and conduct internal ISMS audits against ISO 27001
  • Evaluate the effectiveness of information security controls
  • Document audit findings and nonconformities
  • Prepare for ISO 27001 certification or surveillance audits
  • Create risk assessments and treatment plans for information security
  • Review Statement of Applicability (SoA) completeness

Consider alternatives when:

  • You need QMS auditing (use a QMS/ISO 13485 skill)
  • You need penetration testing (use a security testing skill)
  • You need cybersecurity implementation (use a security engineering skill)

Quick Start

```shell
# Plan an internal ISMS audit
claude "Create an internal ISMS audit plan for a 50-person SaaS company. Focus on access control, incident management, and business continuity per ISO 27001:2022 Annex A."
```

Example output:

```markdown
# Internal ISMS Audit Plan

**Organization**: [Company Name]
**Audit Period**: Dec 16-20, 2024
**Standard**: ISO 27001:2022

## Scope

Information security management system covering:
- Cloud infrastructure (AWS)
- SaaS application and customer data
- Corporate IT and employee endpoints
- Third-party vendor management

## Audit Schedule

| Date   | Time        | Area                            | Auditee         |
|--------|-------------|---------------------------------|-----------------|
| Dec 16 | 09:00-12:00 | Access Control (A.5.15-18)      | IT Manager      |
| Dec 16 | 13:00-16:00 | Identity Mgmt (A.5.16)          | DevOps Lead     |
| Dec 17 | 09:00-12:00 | Incident Mgmt (A.5.24-28)       | Security Lead   |
| Dec 17 | 13:00-16:00 | Business Continuity (A.5.29-30) | CTO             |
| Dec 18 | 09:00-12:00 | Document Review                 | Quality Manager |
| Dec 18 | 13:00-16:00 | Risk Assessment Review          | CISO            |
| Dec 19 | All day     | Finding consolidation           | Audit team      |
| Dec 20 | 09:00-11:00 | Closing meeting                 | Management      |

## Audit Criteria

- ISO 27001:2022 Clauses 4-10
- Annex A Controls: A.5.15-18, A.5.24-28, A.5.29-30
- Organization's ISMS policies and procedures
- Applicable legal/regulatory requirements
```

Core Concepts

ISO 27001:2022 Annex A Control Categories

| Category       | Controls | Focus Areas                       |
|----------------|----------|-----------------------------------|
| Organizational | A.5.1-37 | Policies, roles, asset management |
| People         | A.6.1-8  | Screening, awareness, termination |
| Physical       | A.7.1-14 | Perimeters, equipment, utilities  |
| Technological  | A.8.1-34 | Access, crypto, logging, networks |

Audit Finding Classification

```markdown
## Finding Severity Levels

### Major Nonconformity

The ISMS requirement is not implemented or has completely failed to achieve its intended outcome.

**Example**: No incident response procedure exists despite being required by policy.

**Impact**: Blocks certification. Must be resolved before certification can be granted.

### Minor Nonconformity

The requirement is partially implemented but has gaps that do not cause complete failure.

**Example**: Incident response procedure exists but hasn't been tested in 18 months (policy requires annual testing).

**Impact**: Must be corrected within agreed timeline. Doesn't block certification if corrective plan accepted.

### Observation / Opportunity for Improvement

No standard breach, but improvement would strengthen the ISMS.

**Example**: Incident categorization could be more granular to improve trend analysis.

**Impact**: Noted in audit report. No required action.
```

Audit Evidence Collection

```markdown
## Evidence Types for ISMS Audits

### Documentation Review

- ISMS policies and procedures
- Risk assessment and treatment plan
- Statement of Applicability (SoA)
- Management review meeting minutes
- Training records and awareness materials

### Technical Verification

- Access control lists and user access reviews
- Firewall rules and network segmentation
- Encryption configurations (at rest and in transit)
- Backup and recovery test results
- Vulnerability scan reports

### Interview Questions (Access Control Example)

1. How are new user accounts provisioned?
2. What is the process for access removal when an employee leaves?
3. How often are access rights reviewed?
4. Who approves access to sensitive systems?
5. How are privileged accounts managed differently from standard accounts?
```

Configuration

| Parameter           | Description                        | Example                  |
|---------------------|------------------------------------|--------------------------|
| `standard`          | ISO standard version               | `"ISO 27001:2022"`       |
| `scope`             | Audit scope boundaries             | `"cloud infrastructure"` |
| `audit_type`        | Type of ISMS audit                 | `"internal"` / `"stage-1"` |
| `control_focus`     | Specific Annex A controls to audit | `["A.5.15", "A.5.24"]`   |
| `organization_size` | Approximate employee count         | `50`                     |
| `output_format`     | Audit report format                | `"markdown"` / `"docx"`  |

Best Practices

  1. Audit against objective evidence, not intentions — "We plan to implement MFA" is not compliance. "MFA is enforced on all production systems, verified by configuration screenshot and access logs" is objective evidence. Auditors must verify implementation, not accept promises.

  2. Map every Annex A control to specific evidence before the audit — Create an evidence matrix listing which document, log, or configuration proves each control is implemented. Gaps in this matrix before the audit reveal unaddressed controls without the pressure of an auditor watching.

  3. Interview operators, not just managers — Managers describe the intended process. Operators describe what actually happens. The gap between these descriptions often reveals the most significant findings. Always include front-line staff in audit interview schedules.

  4. Write findings that are specific enough to fix — "Access control is insufficient" tells the organization nothing. "User access reviews for the production database (A.5.18) have not been conducted in the last 12 months; policy requires quarterly reviews" gives a clear nonconformity with traceable evidence.

  5. Review previous audit findings before starting — Check whether nonconformities from the last audit have been effectively closed. Recurring findings from previous audits indicate that corrective actions were ineffective, which is itself a finding worth reporting.

Common Issues

Statement of Applicability is incomplete or outdated — The SoA should justify inclusion or exclusion of every Annex A control. Many organizations create it during initial certification and never update it. New controls added in ISO 27001:2022 (93 controls reorganized from 114) must be reflected in the SoA.

Risk assessment doesn't connect to control selection — The risk assessment identifies threats and the SoA lists controls, but there's no documented link between specific risks and the controls that mitigate them. Auditors look for this traceability explicitly. Map each identified risk to the controls that address it.
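The two gaps above (an SoA that does not cover every Annex A control, and risks with no traceable treating control) can be caught before an auditor does. The following is an added example, not part of the skill; `SoAEntry`, `check_soa` and the sample SoA and risk register are this example's own constructions, and the control counts come from the category table above.

```python
from dataclasses import dataclass, field

ANNEX_A_THEMES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}  # 93 controls, per the category table

def annex_a_controls() -> list[str]:
    return [f"{t}.{n}" for t, count in ANNEX_A_THEMES.items() for n in range(1, count + 1)]

@dataclass
class SoAEntry:
    control: str
    applicable: bool
    justification: str = ""  # why the control is included or excluded
    evidence: list[str] = field(default_factory=list)  # documents/logs/configs proving it

def check_soa(entries, risks):
    """Return (gap_kind, subject, detail) triples; rating severity stays the auditor's call."""
    by_id = {e.control: e for e in entries}
    expected = annex_a_controls()
    gaps = []
    for c in expected:
        e = by_id.get(c)
        if e is None:
            gaps.append(("missing", c, "Annex A control absent from SoA"))
        elif not e.justification.strip():
            gaps.append(("no_justification", c, "inclusion/exclusion not justified"))
        elif e.applicable and not e.evidence:
            gaps.append(("no_evidence", c, "applicable control with no evidence mapped"))
    for c in sorted(set(by_id) - set(expected)):
        gaps.append(("unknown_id", c, "not an ISO 27001:2022 Annex A id (stale 2013 numbering?)"))
    # Traceability: every identified risk must be treated by a control the SoA marks applicable.
    for risk, controls in risks.items():
        if not controls:
            gaps.append(("risk_untreated", risk, "no treating control recorded"))
        for c in controls:
            e = by_id.get(c)
            if e is None or not e.applicable:
                gaps.append(("risk_maps_to_excluded", risk, f"treated by {c}, which the SoA excludes or lacks"))
    return gaps

def sample_soa():
    """Constructed sample: a complete SoA, then a few defects introduced deliberately."""
    soa = {c: SoAEntry(c, True, "required by risk assessment", ["ISMS policy"]) for c in annex_a_controls()}
    del soa["A.5.23"]  # cloud-services control (new in 2022) never added to the SoA
    soa["A.7.4"].justification = ""  # no justification recorded
    soa["A.8.16"].evidence = []  # applicable but nothing proves implementation
    soa["A.5.7"].applicable, soa["A.5.7"].justification = False, "no threat intelligence function"
    soa["A.18.1.4"] = SoAEntry("A.18.1.4", True, "privacy", ["DPA"])  # stale 2013-era id
    return list(soa.values())

SAMPLE_RISKS = {"R-01": ["A.5.15", "A.8.5"], "R-02": [], "R-03": ["A.5.7"]}
```

Running `check_soa(sample_soa(), SAMPLE_RISKS)` reports six gaps, one per planted defect; a justified exclusion such as A.5.7 is not itself a gap, only a risk that still depends on it.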

Internal audits lack independence — ISO 27001 requires auditors to be independent of the area being audited. In small organizations, the person responsible for security often audits their own controls. This conflict of interest undermines audit credibility. Even in small teams, cross-audit (IT audits security, security audits IT) or use external auditors for critical controls.
