Source Code
ISMS Audit Expert
Internal and external ISMS audit management for ISO 27001 compliance verification, security control assessment, and certification support.
Table of Contents
- Audit Program Management
- Audit Execution
- Control Assessment
- Finding Management
- Certification Support
- Tools
- References
Audit Program Management
Risk-Based Audit Schedule
| Risk Level | Audit Frequency | Examples |
|---|---|---|
| Critical | Quarterly | Privileged access, vulnerability management, logging |
| High | Semi-annual | Access control, incident response, encryption |
| Medium | Annual | Policies, awareness training, physical security |
| Low | Annual | Documentation, asset inventory |
Annual Audit Planning Workflow
- Review previous audit findings and risk assessment results
- Identify high-risk controls and recent security incidents
- Determine audit scope based on ISMS boundaries
- Assign auditors ensuring independence from audited areas
- Create audit schedule with resource allocation
- Obtain management approval for audit plan
- Validation: Audit plan covers all Annex A controls within certification cycle
Auditor Competency Requirements
- ISO 27001 Lead Auditor certification (preferred)
- No operational responsibility for audited processes
- Understanding of technical security controls
- Knowledge of applicable regulations (GDPR, HIPAA)
Audit Execution
Pre-Audit Preparation
- Review ISMS documentation (policies, SoA, risk assessment)
- Analyze previous audit reports and open findings
- Prepare audit plan with interview schedule
- Notify auditees of audit scope and timing
- Prepare checklists for controls in scope
- Validation: All documentation received and reviewed before opening meeting
Audit Conduct Steps
Opening Meeting
- Confirm audit scope and objectives
- Introduce audit team and methodology
- Agree on communication channels and logistics
Evidence Collection
- Interview control owners and operators
- Review documentation and records
- Observe processes in operation
- Inspect technical configurations
Control Verification
- Test control design (does it address the risk?)
- Test control operation (is it working as intended?)
- Sample transactions and records
- Document all evidence collected
Closing Meeting
- Present preliminary findings
- Clarify any factual inaccuracies
- Agree on finding classification
- Confirm corrective action timelines
Validation: All controls in scope assessed with documented evidence
Evidence Collection Methods
| Method | Use Case | Example |
|---|---|---|
| Inquiry | Process understanding | Interview Security Manager about incident response |
| Observation | Operational verification | Watch visitor sign-in process |
| Inspection | Documentation review | Check access approval records |
| Re-performance | Control testing | Attempt login with weak password |
Control Assessment
ISO 27002 Control Categories
Organizational Controls (A.5):
- Information security policies
- Roles and responsibilities
- Segregation of duties
- Contact with authorities
- Threat intelligence
- Information security in projects
People Controls (A.6):
- Screening and background checks
- Employment terms and conditions
- Security awareness and training
- Disciplinary process
- Remote working security
Physical Controls (A.7):
- Physical security perimeters
- Physical entry controls
- Securing offices and facilities
- Physical security monitoring
- Equipment protection
Technological Controls (A.8):
- User endpoint devices
- Privileged access rights
- Access restriction
- Secure authentication
- Malware protection
- Vulnerability management
- Backup and recovery
- Logging and monitoring
- Network security
- Cryptography
Control Testing Approach
- Identify control objective from ISO 27002
- Determine testing method (inquiry, observation, inspection, re-performance)
- Define sample size based on population and risk
- Execute test and document results
- Evaluate control effectiveness
- Validation: Evidence supports conclusion about control status
Finding Management
Finding Classification
| Severity | Definition | Response Time |
|---|---|---|
| Major Nonconformity | Control failure creating significant risk | 30 days |
| Minor Nonconformity | Isolated deviation with limited impact | 90 days |
| Observation | Improvement opportunity | Next audit cycle |
Finding Documentation Template
Finding ID: ISMS-[YEAR]-[NUMBER]
Control Reference: A.X.X - [Control Name]
Severity: [Major/Minor/Observation]
Evidence:
- [Specific evidence observed]
- [Records reviewed]
- [Interview statements]
Risk Impact:
- [Potential consequences if not addressed]
Root Cause:
- [Why the nonconformity occurred]
Recommendation:
- [Specific corrective action steps]
Corrective Action Workflow
- Auditee acknowledges finding and severity
- Root cause analysis completed within 10 days
- Corrective action plan submitted with target dates
- Actions implemented by responsible parties
- Auditor verifies effectiveness of corrections
- Finding closed with evidence of resolution
- Validation: Root cause addressed, recurrence prevented
Certification Support
Stage 1 Audit Preparation
Ensure documentation is complete:
- ISMS scope statement
- Information security policy (management signed)
- Statement of Applicability
- Risk assessment methodology and results
- Risk treatment plan
- Internal audit results (past 12 months)
- Management review minutes
Stage 2 Audit Preparation
Verify operational readiness:
- All Stage 1 findings addressed
- ISMS operational for minimum 3 months
- Evidence of control implementation
- Security awareness training records
- Incident response evidence (if applicable)
- Access review documentation
Surveillance Audit Cycle
| Period | Focus |
|---|---|
| Year 1, Q2 | High-risk controls, Stage 2 findings follow-up |
| Year 1, Q4 | Continual improvement, control sample |
| Year 2, Q2 | Full surveillance |
| Year 2, Q4 | Re-certification preparation |
Validation: No major nonconformities at surveillance audits.
Tools
scripts/
| Script | Purpose | Usage |
|---|---|---|
isms_audit_scheduler.py |
Generate risk-based audit plans | python scripts/isms_audit_scheduler.py --year 2025 --format markdown |
Audit Planning Example
# Generate annual audit plan
python scripts/isms_audit_scheduler.py --year 2025 --output audit_plan.json
# With custom control risk ratings
python scripts/isms_audit_scheduler.py --controls controls.csv --format markdown
References
| File | Content |
|---|---|
| iso27001-audit-methodology.md | Audit program structure, pre-audit phase, certification support |
| security-control-testing.md | Technical verification procedures for ISO 27002 controls |
| cloud-security-audit.md | Cloud provider assessment, configuration security, IAM review |
Audit Performance Metrics
| KPI | Target | Measurement |
|---|---|---|
| Audit plan completion | 100% | Audits completed vs. planned |
| Finding closure rate | >90% within SLA | Closed on time vs. total |
| Major nonconformities | 0 at certification | Count per certification cycle |
| Audit effectiveness | Incidents prevented | Security improvements implemented |
Compliance Framework Integration
| Framework | ISMS Audit Relevance |
|---|---|
| GDPR | A.5.34 Privacy, A.8.10 Information deletion |
| HIPAA | Access controls, audit logging, encryption |
| PCI DSS | Network security, access control, monitoring |
| SOC 2 | Trust Services Criteria mapped to ISO 27002 |