ISMS Audit Expert
Information Security Management System auditing for ISO 27001.
$skillfish add ~skills/isms-audit-expert
Real Conversations
See how the ISMS Audit Expert skill responds to actual requests. These are representative examples of what your AI agent will produce.
We got ISO 27001 certified 12 months ago. Our first surveillance audit is in 6 weeks. Last year the auditor found two minor nonconformances: our access review wasn't documented and our supplier risk assessments were incomplete. What do I need to prepare?
Surveillance Audit Prep — 6 Weeks Out
Surveillance audits focus on three questions: (1) have you closed last year's nonconformances, (2) is the ISMS still operating effectively, and (3) have the internal audit and management review been completed.
Priority 1: Close last year's NCs (auditor will check these first)
NC1 — Access review not documented:
- Completed access review spreadsheet showing all users, access levels, reviewed and approved
- Formal sign-off by system owner or IT Manager
- Policy updated to specify review frequency (quarterly or semi-annual)
- Evidence of two completed review cycles since certification
NC2 — Supplier risk assessments incomplete:
- Updated supplier register listing all third parties processing sensitive data
- Risk assessment completed per supplier (likelihood × impact; inherent vs. residual risk)
- Due diligence questionnaires sent and responses filed for top-tier suppliers
- DPA/contractual clauses confirmed for all data processors
Priority 2: Internal audit evidence
ISO 27001 requires at least one internal audit per year. Auditor will look for:
- Internal audit schedule (approved by management)
- Completed audit report with findings
- Evidence that findings were addressed
Priority 3: Management review minutes
Must cover: ISMS performance, audit results, risk register updates, resource needs, improvement opportunities. Needs a dated, signed record from the past 12 months.
Priority 4: Key controls spot-check
| Control | Evidence to have ready |
|---|---|
| MFA enforcement | Screenshot of IdP MFA policy + compliance report |
| Patch management | Last 3 months of patch compliance reports |
| Incident log | Security incident register (even if zero incidents) |
| Backup/restore | Most recent restore test result |
Week-by-week plan:
- Week 1–2: Close NC evidence; run access review cycle 2
- Week 3: Complete internal audit if not done
- Week 4: Management review meeting + minutes
- Week 5: Mock audit — walk through all Annex A controls
- Week 6: Document pack ready; auditor liaison confirmed
Want me to generate the access review template and the supplier risk assessment matrix?
Get Started
How to install and use this skill in your preferred environment.
Skills are designed for AI coding agents (Claude Code, Cursor, Windsurf) and IDE-based workflows where the agent can read files, run scripts, and act on your codebase. Web-based AI can use the knowledge and frameworks, but won't have tool access.
Models & Context
Which AI models and context windows work best with this skill.
Recommended Models
Larger models produce more detailed, production-ready outputs.
Context Window
This skill's SKILL.md is typically 3–10 KB — fits in any modern context window.
All current frontier models (Claude, GPT, Gemini) support 100K+ context. Use the full window for complex multi-service work.
Pro tips for best results
Be specific
Include numbers — users, budget, RPS — so the skill can size the architecture.
Share constraints
Compliance needs, team size, and existing stack all improve the output.
Iterate
Start with a high-level design, then ask follow-ups for IaC, cost analysis, or security review.
Combine skills
Pair with companion skills below for end-to-end coverage.
Ready to try ISMS Audit Expert?
Install the skill and start getting expert-level guidance in your workflow — any agent, any IDE.
$skillfish add ~skills/isms-audit-expert