Overview
Plan and execute the full ISO 27001 internal audit lifecycle: from audit planning with sampling strategies through structured reporting, finding validation, and non-conformity documentation. The skill produces audit plans, reports with findings mapped to clauses, and validated NC records with corrective actions.
For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the ISO 27001 ISMS workspace tutorial.
What It Covers
- Audit planning — scope, criteria, auditor assignments, sampling strategy, and document requirements
- Finding classification — Major NC, Minor NC, OFI, and Observation with consistent severity criteria
- Clause mapping — automatic mapping of findings to ISO 27001 clauses (4–10) and Annex A controls
- Impartiality verification — ensures auditors are not auditing their own work (Clause 9.2)
- Finding completeness — validates each finding has severity, clause reference, evidence, and CAPA
- NC documentation — structured non-conformity records with root cause analysis and corrective actions
Example Conversation
You: We need to plan and conduct an internal audit for our ISO 27001 ISMS. We’re a SaaS company with 80 employees, certified last year. This is our second annual audit.
Agent: I’ll help you through the full audit lifecycle. Let’s start with the audit plan. What type of audit are you planning?
- Full ISMS — covers all clauses 4–10 and applicable Annex A controls
- Focused — specific clauses or control groups (e.g., risk management, access control)
- Follow-up — verifying closure of previous audit findings
You: Full ISMS. Our auditors are Tom Chen (Head of Engineering) and Maria Garcia (Legal & Compliance). Tom will audit HR and Admin processes, Maria will audit Engineering and IT.
Agent: Good — let me verify independence. Running audit_impartiality_checker… Result: PASS — No auditor/auditee overlap detected. Tom audits areas outside his responsibility, and Maria audits areas outside hers.
I’ve drafted the audit plan with scope, criteria, schedule, and sampling strategy. For access control sampling, I recommend reviewing 10% of access changes (minimum 5) from the audit period, plus all privileged access grants. For incident records, review all critical incidents plus a random sample of others.
You: We’ve completed the audit. Here are our findings: (1) Risk register has 3 entries without treatment owners, (2) Security awareness training completion is at 88% vs 100% target, (3) No evidence of log retention configuration for A.8.15.
Agent: Let me help classify these. Running audit_finding_severity_classifier on each…
- Finding 1 (risk register gaps): Suggested Minor NC — partial conformity, requirement addressed but with gaps. Risk register exists and most entries are complete.
- Finding 2 (training 88%): Suggested Minor NC — below target but not absent. Training program exists and is mostly effective.
- Finding 3 (log retention): Suggested Major NC — no evidence that the control operates. Policy states 12 months but cannot demonstrate compliance.
I’ll draft the report. Running audit_finding_completeness_validator on the draft… Result: 2 errors found:
- NC-001 (line 34): No objective evidence documented
- NC-003 (line 42): No corrective action referenced
Let me add the specific evidence observed and the required corrective actions for each NC.
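The sampling rule the agent proposes for access control (10% of access changes with a floor of 5, plus every privileged grant) is easy to state but has to be reproducible for the report to stand up in a certification audit. The following is an added example, not code from the skill or its tools: it draws the sample with a recorded seed so the exact selection can be re-derived, and treats the 10% as drawn from the non-privileged changes so that privileged grants add coverage rather than overlapping with the random draw. The `AccessChange` records and `SAMPLE_CHANGES` population are constructed stand-ins for an IAM change-log export.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessChange:
    """One access change from the audit period (constructed record shape)."""
    change_id: str
    user: str
    system: str
    privileged: bool  # True for admin/root or equivalent grants


# Constructed population standing in for an IAM change-log export:
# 60 changes, every ninth one a privileged grant.
SAMPLE_CHANGES = [
    AccessChange(
        change_id=f"CHG-{i:03d}",
        user=f"user{i % 7}",
        system="gitlab" if i % 2 else "aws",
        privileged=(i % 9 == 0),
    )
    for i in range(1, 61)
]


def select_audit_sample(changes, rate=0.10, minimum=5, seed=20250115):
    """Apply the plan's sampling rule and return the changes to review.

    - every privileged grant is included;
    - the target size of the random draw is `rate` of the whole population,
      never fewer than `minimum`, and never more than the non-privileged
      pool actually holds;
    - a fixed `seed` makes the draw reproducible, so the audit plan can
      record the seed and anyone can regenerate the identical sample.
    """
    privileged = [c for c in changes if c.privileged]
    pool = [c for c in changes if not c.privileged]
    target = max(minimum, math.ceil(rate * len(changes)))
    target = min(target, len(pool))  # small populations: review everything
    rng = random.Random(seed)
    sampled = rng.sample(pool, target)
    # Stable ordering so the report lists the sample the same way every time
    return sorted(privileged + sampled, key=lambda c: c.change_id)


def sample_summary(changes, sample):
    """Figures for the sampling-strategy section of the audit plan."""
    return {
        "population": len(changes),
        "privileged_reviewed": sum(1 for c in sample if c.privileged),
        "random_reviewed": sum(1 for c in sample if not c.privileged),
        "total_reviewed": len(sample),
    }


if __name__ == "__main__":
    chosen = select_audit_sample(SAMPLE_CHANGES)
    print(sample_summary(SAMPLE_CHANGES, chosen))
    for c in chosen:
        print(c.change_id, c.system, c.user, "PRIVILEGED" if c.privileged else "")
```

Record the seed, the rule parameters and the population size in the audit plan; together they are the evidence that the sample was not hand-picked.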
Sample Output Excerpt
Below is a representative excerpt from a generated internal audit report showing the findings table and a non-conformity record.
Findings Summary
| NC ID | Clause / Control | Severity | Finding | Objective Evidence | Corrective Action |
|---|---|---|---|---|---|
| NC-001 | Clause 6.1.3 | Minor | 3 risk register entries lack assigned treatment owners and target dates | Risk register entries R-008, R-012, R-015 reviewed; owner and date fields blank | Assign treatment owners and dates for all open risks; update risk management procedure to require owner assignment at risk identification |
| NC-002 | Clause 7.2, A.6.3 | Minor | Security awareness training completion at 88% vs 100% target | Training records for Q3-Q4 reviewed; 12 of 80 employees have not completed annual training | Complete training for remaining staff within 30 days; implement automated reminders in HR system |
| NC-003 | A.8.15 | Major | No evidence that audit log retention meets the 12-month policy requirement | IS policy states 12-month retention; AWS CloudWatch log groups are configured for 90-day retention; no evidence of an archival solution | Implement log archival to meet 12-month retention; verify configuration and document evidence |
Non-Conformity Record — NC-003
| Field | Value |
|---|---|
| NC ID | NC-003 |
| Severity | Major |
| Clause / Control | A.8.15 — Logging |
| Requirement | Logs shall be retained for the period defined in the IS policy (12 months) |
| Finding | No evidence that audit log retention meets policy. CloudWatch log groups are set to 90 days. |
| Objective evidence | AWS CloudWatch configuration screenshot; IS policy section 7.3 |
| Immediate correction | Increased CloudWatch retention to 12 months for critical log groups |
| Root cause | Log retention was not included in the infrastructure-as-code templates; default settings were never reviewed against policy |
| Corrective action | Add log retention configuration to IaC templates; add log retention to quarterly infrastructure review checklist |
| Owner | Head of Engineering |
| Target date | 2025-02-28 |
| Effectiveness review | 2025-05-31 — verify all log groups meet 12-month retention |
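The objective evidence for NC-003 above is a CloudWatch configuration screenshot. A repeatable check is stronger evidence and also serves the effectiveness review: run `aws logs describe-log-groups --output json` and assess every group against the policy minimum. The script below is an added example, not part of the skill or the report; `DESCRIBE_LOG_GROUPS_OUTPUT` is a constructed stand-in for that command's output. It relies on one real CloudWatch Logs behaviour: `retentionInDays` is absent from a log group when it is set to "Never expire", which the check reports separately because indefinite retention exceeds the minimum but does not match the period the policy defines.

```python
import json

# Constructed stand-in for `aws logs describe-log-groups --output json`.
# A group set to "Never expire" has no retentionInDays key at all.
DESCRIBE_LOG_GROUPS_OUTPUT = json.dumps({
    "logGroups": [
        {"logGroupName": "/aws/lambda/api-prod", "retentionInDays": 90, "storedBytes": 52428800},
        {"logGroupName": "/aws/cloudtrail/audit", "retentionInDays": 365, "storedBytes": 10485760},
        {"logGroupName": "/aws/eks/cluster/audit", "storedBytes": 2097152},
        {"logGroupName": "/aws/rds/postgres/audit", "retentionInDays": 30, "storedBytes": 4194304},
    ]
})

POLICY_MIN_DAYS = 365  # 12-month retention required by IS policy section 7.3


def assess_log_retention(describe_output, min_days=POLICY_MIN_DAYS):
    """Classify each log group against the policy minimum.

    Returns {log_group_name: (retention_days_or_None, status)} where status is
      CONFORMS     retention configured and >= min_days
      NONCONFORMS  retention configured but shorter than min_days
      NOT_SET      no retention configured ("Never expire"): meets the
                   minimum, but flag for review because the policy defines
                   a specific period, not indefinite retention
    """
    groups = json.loads(describe_output)["logGroups"]
    results = {}
    for group in groups:
        days = group.get("retentionInDays")
        if days is None:
            status = "NOT_SET"
        elif days >= min_days:
            status = "CONFORMS"
        else:
            status = "NONCONFORMS"
        results[group["logGroupName"]] = (days, status)
    return results


def nonconforming_groups(results):
    """Sorted list of log groups that would be cited as objective evidence."""
    return sorted(name for name, (_, status) in results.items() if status == "NONCONFORMS")


def evidence_lines(results):
    """One line per group, ready to paste into the NC record's evidence field."""
    return [
        f"{name}: retentionInDays={'never expire' if days is None else days} -> {status}"
        for name, (days, status) in sorted(results.items())
    ]


if __name__ == "__main__":
    assessed = assess_log_retention(DESCRIBE_LOG_GROUPS_OUTPUT)
    for line in evidence_lines(assessed):
        print(line)
    print("Non-conforming:", nonconforming_groups(assessed))
```

The same script run again at the effectiveness review date gives a before/after comparison instead of a second screenshot. For the corrective action on the IaC side, the relevant Terraform attribute is `retention_in_days` on `aws_cloudwatch_log_group`; setting it explicitly in every module is what prevents the NOT_SET and short-retention cases from recurring.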
Extension Tools
audit_evidence_organizer
Maps audit findings to ISO 27001 clauses (4–10) and Annex A controls using keyword analysis. Parses the report for findings sections, extracts NCs, OFIs, and observations, and suggests clause references for each.
audit_impartiality_checker
Verifies auditors are not auditing their own work (Clause 9.2 independence). Extracts auditor and auditee names from the document and flags any overlap.
| Result | Meaning |
|---|---|
| PASS | No auditor/auditee overlap — Clause 9.2 satisfied |
| FAIL | Overlap found — reassign auditors or document justification |
audit_finding_completeness_validator
Validates each finding in the audit report has all required fields:
| Field | Severity if Missing |
|---|---|
| Severity classification (Major NC / Minor NC / OFI / Observation) | ERROR |
| Clause or control reference | ERROR |
| Objective evidence | WARNING |
| Corrective action (for NCs) | ERROR |
audit_finding_severity_classifier
Suggests a severity classification for a finding based on language indicators:
| Classification | When to Use |
|---|---|
| Major NC | Absence or total breakdown of a requirement; ISMS cannot achieve its intended outcome |
| Minor NC | Partial conformity with gaps; requirement is addressed but incompletely |
| OFI | Conforms to requirements but could be improved |
| Observation | Informational note or positive finding |
Getting Started
Activate the ISMS Internal Audit Report skill. If you’ve completed the Organization Profile skill, load it for organizational context.
Have this information ready:
- Audit scope (which clauses and controls to audit)
- Auditor names and their organizational responsibilities (for independence check)
- Previous audit findings (if this is a follow-up audit)
- ISMS documentation available for review (policies, risk register, SoA, etc.)
The agent guides you through a 6-step workflow: plan the audit, conduct fieldwork, draft the report, map findings to clauses, validate completeness, and document non-conformities with corrective actions.