
ISMS Internal Audit Report (Clause 9.2)


    Overview

    Draft and validate the ISO 27001 internal audit report: map findings to clauses, document nonconformities (NCs) and opportunities for improvement (OFIs), and ensure auditor impartiality so auditors do not audit their own work.

    Getting Started

    Add your source materials to the project workspace, then activate the ISMS Internal Audit Report (Clause 9.2) skill. The agent will guide you through scope and criteria, auditor independence, findings documentation, clause mapping, and report structure.

    Example Conversation

    You: We’re preparing for our Stage 2 certification audit. I need an internal audit report that maps our findings to ISO 27001 clauses and proves our auditors didn’t audit their own areas.

    Agent: I’ll draft the report with a clear scope, auditor list, and findings table. I’ll run the clause-mapping tool so every NC and OFI is linked to the right clause, and the impartiality checker so we can confirm independence for Clause 9.2.

    You: Our audit plan has Jane Smith and Paul Jones as auditors; the areas audited were IT Operations (owner Jane Smith) and HR (owner Paul Jones). Check that.

    Agent: Running impartiality_checker on the audit plan…

    Agent: IMPARTIALITY CHECK (ISO 27001:2022 Clause 9.2) — Result: FAIL. Conflict(s) found: Auditor and auditee overlap: “jane smith”; Auditor and auditee overlap: “paul jones”. Auditors must not audit their own work. Resolve by swapping: e.g. Jane audits HR, Paul audits IT Operations, or assign a third auditor.

    You: Swap them: Jane audits HR, Paul audits IT. Then map our three findings to clauses.

    Agent: I’ve updated the plan. Running audit_evidence_organizer on the draft report… Here’s the mapping: [1] NC: Missing risk treatment owner for R-12 → Clause 6, (review manually). [2] OFI: Awareness training records not centralized → Clause 7, (review manually). [3] NC: Log retention not evidenced for A.8.15 → A.8.15. I’ll add these clause references into the findings table.

    What the Tools Validate

    The skill includes two tools that run against the audit plan or internal audit report:

    audit_evidence_organizer maps each finding to ISO 27001 so the report is clause-traceable:

    • Parses the document for Findings, Non-conformities (NC), and Opportunities for improvement (OFI) sections
    • Extracts each observation and suggests main clauses (4–10) from keywords (e.g. context, leadership, planning, support, operation, performance evaluation, improvement)
    • Detects any Annex A control IDs (A.5.x–A.8.x) already mentioned in the finding text
    • Outputs a numbered list with suggested clause(s) per finding so you can add explicit references and satisfy auditor expectations for “living” evidence linkage
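    The four steps above, as an added Python example (not the skill's own audit_evidence_organizer code): it parses a constructed report laid out like the Output Excerpt, pulls observations out of table rows and list items in the Findings / NC / OFI sections, suggests main clauses from a keyword table, picks up Annex A IDs already present, and returns the numbered list. The keyword table (the page's seven section names plus a few common audit terms), the heading patterns and the sample report are assumptions made for this example.

```python
"""Clause-traceability helper for an ISO 27001 internal audit report.

Added example, not the skill's own audit_evidence_organizer. It walks the
four steps the page lists: find the Findings / NC / OFI sections, pull out
each observation, suggest main clauses (4-10) from keywords, and pick up any
Annex A control IDs already in the text. The keyword table, the heading
patterns and the sample report are assumptions made for this example.
"""
import re

# Keyword -> main clause of ISO/IEC 27001:2022. The page's seven section
# names plus a few common audit terms (assumption: a starting table only,
# which is why every keyword-based suggestion is marked for manual review).
CLAUSE_KEYWORDS = {
    4: ("context", "interested part", "scope of the isms"),
    5: ("leadership", "top management", "policy", "roles and responsibilit"),
    6: ("planning", "risk assessment", "risk treatment", "risk register", "objective"),
    7: ("support", "competence", "awareness", "training", "communication", "documented information"),
    8: ("operation", "risk treatment", "change control", "outsourced"),
    9: ("performance evaluation", "monitoring and measurement", "internal audit", "management review"),
    10: ("improvement", "nonconformit", "non-conformit", "corrective action"),
}
ANNEX_A_ID = re.compile(r"\bA\.[5-8]\.\d{1,2}\b")            # Annex A control, e.g. A.8.15
SECTION_HEADING = re.compile(                                 # markdown heading of a findings section
    r"^\s*#+\s*(?:\d+\.?\s*)?(?:findings?|non-?conformit\w*|opportunit\w* for improvement)\b", re.I)
OBS_BULLET = re.compile(r"^\s*(?:[-*•]|\d+[.)]|\[\d+\])\s+(.*\S)\s*$")   # list item
TABLE_ROW = re.compile(r"^\s*\|(.*)\|\s*$")                                # markdown table row
TYPE_PREFIX = re.compile(r"^\s*(NC|OFI|non-?conformity|opportunity for improvement)\s*[:\-]\s*", re.I)


def split_type(text):
    """'NC: Missing owner' -> ('NC', 'Missing owner'); no prefix -> ('', text)."""
    m = TYPE_PREFIX.match(text)
    if not m:
        return "", text.strip()
    kind = "NC" if m.group(1).lower().startswith("n") else "OFI"
    return kind, text[m.end():].strip()


def extract_observations(report_text):
    """Return (type, description) pairs found in the Findings / NC / OFI sections."""
    observations, in_section, columns = [], False, None
    for line in report_text.splitlines():
        if line.lstrip().startswith("#"):              # any heading ends the current section
            in_section, columns = bool(SECTION_HEADING.match(line)), None
            continue
        if not in_section or not line.strip():
            continue
        if TABLE_ROW.match(line):
            cells = [c.strip() for c in TABLE_ROW.match(line).group(1).split("|")]
            if columns is None:                        # first row of a table is its header
                columns = [c.lower() for c in cells]
                continue
            if all(set(c) <= set("-: ") for c in cells):   # |----|----| separator row
                continue
            kind = cells[columns.index("type")] if "type" in columns else ""
            desc = cells[columns.index("description")] if "description" in columns else max(cells, key=len)
            guessed, desc = split_type(desc)
            observations.append((kind.upper() or guessed, desc))
        elif (m := OBS_BULLET.match(line)):
            observations.append(split_type(m.group(1)))
    return observations


def suggest_clauses(text):
    """(Annex A IDs named in the text, main clauses suggested by keywords)."""
    lowered = text.lower()
    annex = sorted(set(ANNEX_A_ID.findall(text)), key=lambda s: [int(p) for p in s[2:].split(".")])
    clauses = sorted(c for c, words in CLAUSE_KEYWORDS.items() if any(w in lowered for w in words))
    return annex, clauses


def organize_evidence(report_text):
    """Numbered list, one line per finding, with the clause references to add."""
    lines = []
    for n, (kind, desc) in enumerate(extract_observations(report_text), 1):
        annex, clauses = suggest_clauses(desc)
        refs = list(annex)                             # explicit control IDs are taken as-is
        if clauses:                                    # keyword hits are only suggestions
            refs.append("Clause " + ", ".join(map(str, clauses)) + " (review manually)")
        if not refs:
            refs.append("no clause matched (review manually)")
        lines.append(f"[{n}] {kind or '?'}: {desc} → {'; '.join(refs)}")
    return lines


# Constructed sample report (same layout as the page's Output Excerpt).
SAMPLE_REPORT = """\
## 2. Audit team and independence
- **Lead auditor:** Jane Smith (Quality)

## 4. Findings

| ID | Type | Description | Clause(s) | Evidence |
|----|------|-------------|-----------|----------|
| F1 | NC | Risk R-12 in the risk register has no assigned treatment owner or deadline. | | Risk register excerpt |
| F2 | OFI | Security awareness training completion is tracked in spreadsheets per department; no single evidence repository. | | Interview with HR |
| F3 | NC | Logging and monitoring (A.8.15): retention period not evidenced for audit logs. | | Policy states 12 months |

## 5. Opportunities for improvement
- OFI: Management review minutes do not record decisions on resource needs.
"""

if __name__ == "__main__":
    print("\n".join(organize_evidence(SAMPLE_REPORT)))
```

    Keyword hits are deliberately reported as suggestions only: "IT Operations" in a finding text will trigger Clause 8 whether or not the finding is about operational planning, so every keyword-based reference carries the "(review manually)" marker, while an Annex A ID written into the finding is passed through unchanged.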

    impartiality_checker enforces Clause 9.2 (auditors must not audit their own work):

    • Locates auditor(s) (e.g. “Auditors:”, “Audit team”, “Conducted by”) and auditee/area (e.g. “Audited area”, “Process owner”, “Scope”, “Department”)
    • Normalizes names (lists, comma-separated, with roles in parentheses) and checks for overlap
    • Reports PASS when no auditor appears as responsible for the area being audited; FAIL with the conflicting names when there is overlap
    • Use before finalizing the audit plan or report so certification auditors see documented independence
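    The same check, as an added Python example (not the skill's own impartiality_checker code): it locates the auditor line(s) and the audited areas with their process owners, normalizes the names, and reports PASS or FAIL with the conflicting names. The plan layout is an assumption, including an optional "; auditor: <name>" inside each area entry. When no per-area assignment is recorded, the check falls back to a conservative overlap of the audit team against the process owners, which is what produces the two conflicts in the example conversation above.

```python
"""Clause 9.2 impartiality check for an ISMS internal audit plan or report.

Added example, not the skill's own impartiality_checker. It follows the page's
description: locate the auditor line(s) and the audited areas with their
process owners, normalize the names, and FAIL when an auditor is responsible
for an area being audited. The plan layout, including the optional
'; auditor: <name>' assignment inside an area entry, is an assumption.
"""
import re

AUDITOR_LABELS = ("auditor", "auditors", "lead auditor", "audit team", "conducted by")
AREA_LABELS = ("audited area", "audited areas", "area audited", "scope", "department")

# One area entry: "<Area> (process owner: <Name>[; auditor: <Name>])"
AREA_ENTRY = re.compile(
    r"([^,()]+?)\s*\(\s*(?:process owner|owner|responsible)\s*:\s*([^;)]+?)\s*"
    r"(?:;\s*auditor\s*:\s*([^)]+?)\s*)?\)",
    re.I,
)


def normalize_name(raw):
    """'**Jane Smith** (Quality)' -> 'jane smith': drop role, markup and case."""
    name = re.sub(r"\([^)]*\)", " ", raw)             # role in parentheses
    name = re.sub(r"[^\w\s'-]", " ", name.lower())    # asterisks and other punctuation
    return " ".join(name.split())


def _split_names(value):
    """Comma-, semicolon- or 'and'-separated names, roles removed first."""
    value = re.sub(r"\([^)]*\)", " ", value)
    return [n for n in (normalize_name(p) for p in re.split(r",|;|\band\b", value)) if n]


def parse_plan(text):
    """Return (auditor names, areas); each area has 'area', 'owner', 'auditor' or None."""
    auditors, areas = [], []
    for raw in text.splitlines():
        line = re.sub(r"^[\s\-*•]+|\*", "", raw).strip()   # list markers and bold markup
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        label = label.strip().lower()
        if label in AUDITOR_LABELS:
            auditors.extend(_split_names(value))
        elif label in AREA_LABELS:
            for area, owner, auditor in AREA_ENTRY.findall(value):
                areas.append({"area": area.strip(), "owner": normalize_name(owner),
                              "auditor": normalize_name(auditor) if auditor else None})
    return auditors, areas


def check_impartiality(text):
    """PASS when no auditor is responsible for an area being audited, else FAIL."""
    auditors, areas = parse_plan(text)
    conflicts = []
    if not auditors:                                   # a plan the tool cannot read must not pass silently
        conflicts.append("no auditor line located")
    if not areas:
        conflicts.append("no audited area with a process owner located")
    team = set(auditors)
    for a in areas:
        if a["auditor"] is not None:                   # explicit assignment: compare this area only
            if a["auditor"] == a["owner"]:
                conflicts.append(f"{a['area']}: auditor '{a['auditor']}' is the process owner")
        elif a["owner"] in team:                       # unscheduled plan: any owner on the team is a risk
            conflicts.append(f"Auditor and auditee overlap: '{a['owner']}'")
    return {"result": "FAIL" if conflicts else "PASS", "conflicts": conflicts}


# Constructed plans: the one from the example conversation, the swapped plan
# with assignments written down, and a swapped plan with one assignment wrong.
ORIGINAL_PLAN = """\
Auditors: Jane Smith (Quality), Paul Jones (IT)
Audited areas: IT Operations (process owner: Jane Smith), HR (process owner: Paul Jones)
"""
REVISED_PLAN = """\
- **Lead auditor:** Jane Smith (Quality)
- **Auditor:** Paul Jones (IT)
- **Audited areas:** HR (process owner: Paul Jones; auditor: Jane Smith), IT Operations (process owner: Jane Smith; auditor: Paul Jones)
"""
MISASSIGNED_PLAN = REVISED_PLAN.replace("auditor: Jane Smith)", "auditor: Paul Jones)")

if __name__ == "__main__":
    for name, plan in (("original", ORIGINAL_PLAN), ("revised", REVISED_PLAN), ("misassigned", MISASSIGNED_PLAN)):
        print(name, check_impartiality(plan))
```

    A report that lists the audit team and the process owners but not who audited which area (as the Output Excerpt below does) falls into the conservative branch and fails, so record the per-area assignment in the plan before running the check.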

    Output Excerpt

    The internal audit report includes scope, auditors (with independence statement), and a findings table with clause references:

    ## 2. Audit team and independence
    
    - **Lead auditor:** Jane Smith (Quality)
    - **Auditor:** Paul Jones (IT)
    - **Audited areas:** HR (process owner: Paul Jones), IT Operations (process owner: Jane Smith)
    
    Auditors were assigned so that no auditor audited an area for which they are responsible. Impartiality checked per Clause 9.2.
    
    ## 4. Findings
    
    | ID | Type | Description | Clause(s) | Evidence |
    |----|------|-------------|-----------|----------|
    | F1 | NC | Risk R-12 in the risk register has no assigned treatment owner or deadline. | Clause 6, 8 | Risk register excerpt; risk treatment plan gap. |
    | F2 | OFI | Security awareness training completion is tracked in spreadsheets per department; no single evidence repository. | Clause 7 | Interview with HR; sample records. |
    | F3 | NC | Logging and monitoring (A.8.15): retention period not evidenced for audit logs. | A.8.15 | Policy states 12 months; no evidence of configuration or archive. |
    

    Run audit_evidence_organizer on the draft to get suggested clause mappings, and impartiality_checker on the plan or report to document Clause 9.2 compliance before submission.
