alirezarezvani/isms-audit-expert
ra-qm-team/skills/isms-audit-expert/SKILL.md
Information Security Management System (ISMS) audit expert for ISO 27001 compliance verification, security control assessment, and certification support. Use when the user mentions ISO 27001, ISMS audit, Annex A controls, Statement of Applicability (SOA), gap analysis, nonconformity management, internal audit, surveillance audit, or security certification preparation. Helps review control implementation evidence, document audit findings, classify nonconformities, generate risk-based audit plans, map controls to Annex A requirements, prepare Stage 1 and Stage 2 audit documentation, and support corrective action workflows.
$ install --global
skillsauthnpx skillsauth add alirezarezvani/claude-skills isms-audit-expertInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 19, 2026, 4:32 AM332.5s6 files scanned
SKILL.md
- name:
- isms-audit-expert
- description:
- Information Security Management System (ISMS) audit expert for ISO 27001 compliance verification, security control assessment, and certification support. Use when the user mentions ISO 27001, ISMS audit, Annex A controls, Statement of Applicability (SOA), gap analysis, nonconformity management, internal audit, surveillance audit, or security certification preparation. Helps review control implementation evidence, document audit findings, classify nonconformities, generate risk-based audit plans, map controls to Annex A requirements, prepare Stage 1 and Stage 2 audit documentation, and support corrective action workflows.
ISMS Audit Expert
Internal and external ISMS audit management for ISO 27001 compliance verification, security control assessment, and certification support.
Table of Contents
- Audit Program Management
- Audit Execution
- Control Assessment
- Finding Management
- Certification Support
- Tools
- References
Audit Program Management
Risk-Based Audit Schedule
| Risk Level | Audit Frequency | Examples | |------------|-----------------|----------| | Critical | Quarterly | Privileged access, vulnerability management, logging | | High | Semi-annual | Access control, incident response, encryption | | Medium | Annual | Policies, awareness training, physical security | | Low | Annual | Documentation, asset inventory |
Annual Audit Planning Workflow
- Review previous audit findings and risk assessment results
- Identify high-risk controls and recent security incidents
- Determine audit scope based on ISMS boundaries
- Assign auditors ensuring independence from audited areas
- Create audit schedule with resource allocation
- Obtain management approval for audit plan
- Validation: Audit plan covers all Annex A controls within certification cycle
Auditor Competency Requirements
- ISO 27001 Lead Auditor certification (preferred)
- No operational responsibility for audited processes
- Understanding of technical security controls
- Knowledge of applicable regulations (GDPR, HIPAA)
Audit Execution
Pre-Audit Preparation
- Review ISMS documentation (policies, SoA, risk assessment)
- Analyze previous audit reports and open findings
- Prepare audit plan with interview schedule
- Notify auditees of audit scope and timing
- Prepare checklists for controls in scope
- Validation: All documentation received and reviewed before opening meeting
Audit Conduct Steps
-
Opening Meeting
- Confirm audit scope and objectives
- Introduce audit team and methodology
- Agree on communication channels and logistics
-
Evidence Collection
- Interview control owners and operators
- Review documentation and records
- Observe processes in operation
- Inspect technical configurations
-
Control Verification
- Test control design (does it address the risk?)
- Test control operation (is it working as intended?)
- Sample transactions and records
- Document all evidence collected
-
Closing Meeting
- Present preliminary findings
- Clarify any factual inaccuracies
- Agree on finding classification
- Confirm corrective action timelines
-
Validation: All controls in scope assessed with documented evidence
Control Assessment
Control Testing Approach
- Identify control objective from ISO 27002
- Determine testing method (inquiry, observation, inspection, re-performance)
- Define sample size based on population and risk
- Execute test and document results
- Evaluate control effectiveness
- Validation: Evidence supports conclusion about control status
For detailed technical verification procedures by Annex A control, see security-control-testing.md.
Finding Management
Finding Classification
| Severity | Definition | Response Time | |----------|------------|---------------| | Major Nonconformity | Control failure creating significant risk | 30 days | | Minor Nonconformity | Isolated deviation with limited impact | 90 days | | Observation | Improvement opportunity | Next audit cycle |
Finding Documentation Template
Finding ID: ISMS-[YEAR]-[NUMBER]
Control Reference: A.X.X - [Control Name]
Severity: [Major/Minor/Observation]
Evidence:
- [Specific evidence observed]
- [Records reviewed]
- [Interview statements]
Risk Impact:
- [Potential consequences if not addressed]
Root Cause:
- [Why the nonconformity occurred]
Recommendation:
- [Specific corrective action steps]
Corrective Action Workflow
- Auditee acknowledges finding and severity
- Root cause analysis completed within 10 days
- Corrective action plan submitted with target dates
- Actions implemented by responsible parties
- Auditor verifies effectiveness of corrections
- Finding closed with evidence of resolution
- Validation: Root cause addressed, recurrence prevented
Certification Support
Stage 1 Audit Preparation
Ensure documentation is complete:
- [ ] ISMS scope statement
- [ ] Information security policy (management signed)
- [ ] Statement of Applicability
- [ ] Risk assessment methodology and results
- [ ] Risk treatment plan
- [ ] Internal audit results (past 12 months)
- [ ] Management review minutes
Stage 2 Audit Preparation
Verify operational readiness:
- [ ] All Stage 1 findings addressed
- [ ] ISMS operational for minimum 3 months
- [ ] Evidence of control implementation
- [ ] Security awareness training records
- [ ] Incident response evidence (if applicable)
- [ ] Access review documentation
Surveillance Audit Cycle
| Period | Focus | |--------|-------| | Year 1, Q2 | High-risk controls, Stage 2 findings follow-up | | Year 1, Q4 | Continual improvement, control sample | | Year 2, Q2 | Full surveillance | | Year 2, Q4 | Re-certification preparation |
Validation: No major nonconformities at surveillance audits.
Tools
scripts/
| Script | Purpose | Usage |
|--------|---------|-------|
| isms_audit_scheduler.py | Generate risk-based audit plans | python scripts/isms_audit_scheduler.py --year 2025 --format markdown |
Audit Planning Example
# Generate annual audit plan
python scripts/isms_audit_scheduler.py --year 2025 --output audit_plan.json
# With custom control risk ratings
python scripts/isms_audit_scheduler.py --controls controls.csv --format markdown
References
| File | Content | |------|---------| | iso27001-audit-methodology.md | Audit program structure, pre-audit phase, certification support | | security-control-testing.md | Technical verification procedures for ISO 27002 controls | | cloud-security-audit.md | Cloud provider assessment, configuration security, IAM review |
Audit Performance Metrics
| KPI | Target | Measurement | |-----|--------|-------------| | Audit plan completion | 100% | Audits completed vs. planned | | Finding closure rate | >90% within SLA | Closed on time vs. total | | Major nonconformities | 0 at certification | Count per certification cycle | | Audit effectiveness | Incidents prevented | Security improvements implemented |
Related Skills
alirezarezvani/collab-proof
data-ai
VerifiedTrustedCommunity
Use when you want to understand what Claude contributed vs what you drove in a session. Triggers on: /collab-proof, session retrospective, ai contribution analysis, collaboration evidence, what did claude do.
17,936SKILL.mdUpdated Jun 13, 2026
alirezarezvani/claude-coach
data-ai
VerifiedTrustedCommunity
Personal coach that teaches users to become Claude power users. Use this skill the FIRST time a user asks to "learn Claude", "be a power user", "coach me", "teach me Claude tricks", "what can Claude do", "make me better at prompting", or any variation. After activation, also use it on EVERY subsequent turn to detect missed optimization opportunities (vague prompts, ignored capabilities, manual work Claude could automate) and surface a single power-user tip. Trigger generously — most users do not know what they do not know, so err on the side of coaching.
17,936SKILL.mdUpdated May 23, 2026
alirezarezvani/pricing-strategist
development
VerifiedTrustedCommunity
Use when designing or revisiting product pricing — selecting a pricing model (subscription seat-based, usage-based, value-based, freemium, or hybrid), running Van Westendorp Price Sensitivity Meter analysis on WTP survey data, or designing Good/Better/Best packaging tiers. Recommends a model and a price range with trade-offs, never a single number. For Commercial leads, Product Marketing, and CMOs at the pricing-design moment — not deal-by-deal discounting, not brand positioning.
17,936SKILL.mdUpdated May 20, 2026
alirezarezvani/partnerships-architect
testing
VerifiedTrustedCommunity
Use when a startup is approached by a prospective partner and someone has to decide should we sign this partner, at what partner tier (referral / reseller / OEM / SI-consulting / strategic alliance), with what joint GTM commitment, and at what revshare. Classifies partner tier from independent-demand evidence vs. preferential-terms hunting, designs a 90-day joint GTM plan, models revshare against direct-sale margin, and surfaces kill criteria for unwinding under-performing partnerships. For Head of Partnerships, Head of BD, and Founder-CEOs doing reseller agreement, OEM deal, or strategic alliance review — not technical sale enablement, not channel cost economics, not M&A.
17,936SKILL.mdUpdated May 20, 2026