/cs:iso27001-audit-prep — ISO 27001 ISMS Audit Forcing Questions¶

Compliance OS iso27001-audit-prep Source

Command: /cs:iso27001-audit-prep <scope>

The ISO 27001 ISMS auditor pressure-tests any ISMS work. Six sample-driven questions before any internal audit, stage 1 readiness, or surveillance audit.

When to Run¶

Before annual Clause 9.2 internal audit
Before stage 1 / stage 2 ISO 27001 certification audit
Before surveillance audit (year 2 / year 3)
After material change to ISMS scope (new business unit, new product line, new SaaS adoption)
Post-incident (breach triggers ad-hoc ISMS audit)
Quarterly during high-growth phase

The Six ISMS Questions¶

1. What's the audit scope, and is rolling 3-year coverage on track?¶

No 3-year coverage discipline, no defensible programme. - Every Clause 4-10 + every applicable Annex A control must be audited at least once per 3-year cycle - Run isms_audit_scheduler.py in ra-qm-team/skills/isms-audit-expert/ - Confirm auditor independence — no self-audit on any sample

2. When was the risk register last refreshed, and are treatments linked to Annex A controls?¶

Stale risk register = certification finding. - Quarterly refresh expected; annual minimum - Every high/critical risk must link to ≥ 1 Annex A control treating it - Residual risk acceptance documented + signed - Review against iso27001_audit_playbook.md for stage 1 expectations

3. Show me the access review records — quarterly cadence, the last 4 quarters.¶

Most-cited finding area. - Annex A.5.15 + A.8.2 + A.8.3 access controls - Sample real records pulled from Okta / IAM, not curated audit-prep packs - For each terminated employee in last 90 days: deprovisioning evidence within 24-hour SLA - Privileged access reviewed at finer granularity

4. What's the supplier inventory + last review evidence?¶

Second-most-cited finding area. - Annex A.5.19-A.5.21 supplier management - Critical SaaS suppliers reviewed at least annually - DPAs signed for personal-data sub-processors (cross-check with cs-dpo-gdpr) - AI-specific contract clauses where third-party AI services in use (cross-check with cs-aims-iso42001)

5. Where's the incident response evidence + post-incident review?¶

A.5.24-27 + A.6.8 — high-stakes audit area. - Severity definitions documented + consistently applied - Last 5 incidents have post-incident review (PIR) within 30-day SLA - GDPR Article 33 / 34 notification timing aligned with A.5.24 (cross-check with cs-dpo-gdpr) - Blameless retro culture; not punitive

6. What's the management review cadence + inputs?¶

Clause 9.3 required inputs are prescriptive — easy to miss. - Required inputs: audit results, risks, performance, nonconformities, opportunities - Schedule: annual minimum; quarterly preferred for mature programs - Outputs documented + tracked to closure - Integrated review across frameworks (per multi_framework_audit_playbook.md) preferred to separate reviews

Workflow¶

# 1. Audit programme planning
python ../../ra-qm-team/skills/isms-audit-expert/scripts/isms_audit_scheduler.py audit_scope.json

# 2. Mock audit for readiness check
python ../../skills/compliance-os/scripts/audit_simulator.py iso27001_scope.json

# 3. Cross-framework reuse (SOC 2 = 75% overlap; ISO 42001 = 60% reuse)
python ../../skills/compliance-os/scripts/cross_framework_mapper.py program.json

Output Format¶

# ISO 27001 Audit Prep: <scope>
**Date:** YYYY-MM-DD

## The Decision Being Made
[programme-plan | finding-severity | cert-readiness | incident-followup]

## Audit Programme Status
- Clauses scheduled this year: <list>
- Annex A controls scheduled: <count>
- Rolling 3-year coverage: clean | gaps in <list>
- Auditor independence: clean | issues in <list>

## Risk Register Health
- Last refresh: YYYY-MM-DD
- High/critical risks without Annex A control link: N
- Residual risk acceptance documentation: complete | gaps

## High-Stakes Controls Status
- A.5.15 + A.8.2 + A.8.3 access control: pass/fail with sample
- A.5.19-A.5.21 supplier mgmt: pass/fail with sample
- A.5.24-27 + A.6.8 incident response: pass/fail with sample
- A.8.15-16 logging: pass/fail with sample

## Management Review Status
- Last review date: YYYY-MM-DD
- Required Article 9.3 inputs present: yes/no
- Open action items past due: N

## Cross-Framework Impact
- SOC 2 controls affected: <list>
- ISO 42001 controls affected (if applicable): <list>
- GDPR Article 32 controls affected: <list>

## Verdict
🟢 READY | 🟡 CLOSE-CRITICALS-FIRST | 🔴 NOT-READY

## Top 3 Actions
[3 concrete next steps with owner + corrective-action timeline]

Routing¶

/cs:compliance-readiness — for multi-framework view
/cs:soc2-audit-prep — for SOC 2 cross-walk pair (75% overlap)
/cs:aims-audit — for ISO 42001 AIMS cross-walk
/cs:gdpr-audit-prep — for Article 32 organizational measures overlap
/cs:ciso-review — for executive cybersecurity strategy
/cs:decide — to log the verdict

Agent: cs-ciso-iso27001
Skill: isms-audit-expert
Playbook: iso27001_audit_playbook.md
Adjacent: skills/soc2-audit-prep, skills/aims-audit, skills/gdpr-audit-prep, skills/compliance-readiness

Version: 1.0.0