ISMS Audit Expert

Internal and external ISMS audit management for ISO 27001 compliance verification, security control assessment, and certification support.

Table of Contents

• Audit Program Management

• Audit Execution

• Control Assessment

• Finding Management

• Certification Support

• Tools

• References

Audit Program Management

Risk-Based Audit Schedule

Risk Level Audit Frequency Examples

Critical Quarterly Privileged access, vulnerability management, logging

High Semi-annual Access control, incident response, encryption

Medium Annual Policies, awareness training, physical security

Low Annual Documentation, asset inventory

Annual Audit Planning Workflow

• Review previous audit findings and risk assessment results

• Identify high-risk controls and recent security incidents

• Determine audit scope based on ISMS boundaries

• Assign auditors ensuring independence from audited areas

• Create audit schedule with resource allocation

• Obtain management approval for audit plan

• Validation: Audit plan covers all Annex A controls within certification cycle

Auditor Competency Requirements

• ISO 27001 Lead Auditor certification (preferred)

• No operational responsibility for audited processes

• Understanding of technical security controls

• Knowledge of applicable regulations (GDPR, HIPAA)

Audit Execution

Pre-Audit Preparation

• Review ISMS documentation (policies, SoA, risk assessment)

• Analyze previous audit reports and open findings

• Prepare audit plan with interview schedule

• Notify auditees of audit scope and timing

• Prepare checklists for controls in scope

• Validation: All documentation received and reviewed before opening meeting

Audit Conduct Steps

Opening Meeting

• Confirm audit scope and objectives

• Introduce audit team and methodology

• Agree on communication channels and logistics

Evidence Collection

• Interview control owners and operators

• Review documentation and records

• Observe processes in operation

• Inspect technical configurations

Control Verification

• Test control design (does it address the risk?)

• Test control operation (is it working as intended?)

• Sample transactions and records

• Document all evidence collected

Closing Meeting

• Present preliminary findings

• Clarify any factual inaccuracies

• Agree on finding classification

• Confirm corrective action timelines

Validation: All controls in scope assessed with documented evidence

Evidence Collection Methods

Method Use Case Example

Inquiry Process understanding Interview Security Manager about incident response

Observation Operational verification Watch visitor sign-in process

Inspection Documentation review Check access approval records

Re-performance Control testing Attempt login with weak password

Control Assessment

ISO 27002 Control Categories

Organizational Controls (A.5):

• Information security policies

• Roles and responsibilities

• Segregation of duties

• Contact with authorities

• Threat intelligence

• Information security in projects

People Controls (A.6):

• Screening and background checks

• Employment terms and conditions

• Security awareness and training

• Disciplinary process

• Remote working security

Physical Controls (A.7):

• Physical security perimeters

• Physical entry controls

• Securing offices and facilities

• Physical security monitoring

• Equipment protection

Technological Controls (A.8):

• User endpoint devices

• Privileged access rights

• Access restriction

• Secure authentication

• Malware protection

• Vulnerability management

• Backup and recovery

• Logging and monitoring

• Network security

• Cryptography

Control Testing Approach

• Identify control objective from ISO 27002

• Determine testing method (inquiry, observation, inspection, re-performance)

• Define sample size based on population and risk

• Execute test and document results

• Evaluate control effectiveness

• Validation: Evidence supports conclusion about control status

Finding Management

Finding Classification

Severity Definition Response Time

Major Nonconformity Control failure creating significant risk 30 days

Minor Nonconformity Isolated deviation with limited impact 90 days

Observation Improvement opportunity Next audit cycle

Finding Documentation Template

Finding ID: ISMS-[YEAR]-[NUMBER] Control Reference: A.X.X - [Control Name] Severity: [Major/Minor/Observation]

Evidence:

• [Specific evidence observed]
• [Records reviewed]
• [Interview statements]

Risk Impact:

• [Potential consequences if not addressed]

Root Cause:

• [Why the nonconformity occurred]

Recommendation:

• [Specific corrective action steps]

Corrective Action Workflow

• Auditee acknowledges finding and severity

• Root cause analysis completed within 10 days

• Corrective action plan submitted with target dates

• Actions implemented by responsible parties

• Auditor verifies effectiveness of corrections

• Finding closed with evidence of resolution

• Validation: Root cause addressed, recurrence prevented

Certification Support

Stage 1 Audit Preparation

Ensure documentation is complete:

• ISMS scope statement

• Information security policy (management signed)

• Statement of Applicability

• Risk assessment methodology and results

• Risk treatment plan

• Internal audit results (past 12 months)

• Management review minutes

Stage 2 Audit Preparation

Verify operational readiness:

• All Stage 1 findings addressed

• ISMS operational for minimum 3 months

• Evidence of control implementation

• Security awareness training records

• Incident response evidence (if applicable)

• Access review documentation

Surveillance Audit Cycle

Period Focus

Year 1, Q2 High-risk controls, Stage 2 findings follow-up

Year 1, Q4 Continual improvement, control sample

Year 2, Q2 Full surveillance

Year 2, Q4 Re-certification preparation

Validation: No major nonconformities at surveillance audits.

Tools

scripts/

Script Purpose Usage

isms_audit_scheduler.py

Generate risk-based audit plans python scripts/isms_audit_scheduler.py --year 2025 --format markdown

Audit Planning Example

Generate annual audit plan

python scripts/isms_audit_scheduler.py --year 2025 --output audit_plan.json

With custom control risk ratings

python scripts/isms_audit_scheduler.py --controls controls.csv --format markdown

References

File Content

iso27001-audit-methodology.md Audit program structure, pre-audit phase, certification support

security-control-testing.md Technical verification procedures for ISO 27002 controls

cloud-security-audit.md Cloud provider assessment, configuration security, IAM review

Audit Performance Metrics

KPI Target Measurement

Audit plan completion 100% Audits completed vs. planned

Finding closure rate

90% within SLA Closed on time vs. total

Major nonconformities 0 at certification Count per certification cycle

Audit effectiveness Incidents prevented Security improvements implemented

Compliance Framework Integration

Framework ISMS Audit Relevance

GDPR A.5.34 Privacy, A.8.10 Information deletion

HIPAA Access controls, audit logging, encryption

PCI DSS Network security, access control, monitoring

SOC 2 Trust Services Criteria mapped to ISO 27002