# ISMS Internal Audit Report (Clause 9.2)

> Plan and execute ISO 27001 internal audits: create audit plans with sampling strategies, draft structured audit reports with findings mapped to clauses, validate finding completeness (severity, evidence, clause, CAPA), classify finding severity, and verify auditor impartiality.

Tags: Information Security, ISO 27001, ISMS, Internal Audit, Compliance, Clause 9.2

## Example Prompts

- Plan an internal audit for our ISO 27001 ISMS
- Draft our ISMS internal audit report with findings mapped to ISO 27001 clauses
- Check that our internal auditors are not auditing their own work
- Validate that our audit findings have severity, evidence, and corrective actions
- Classify the severity of an audit finding as Major NC, Minor NC, or OFI

URL: https://rakenne.app/skills/iso27001-isms-internal-audit-report/index.md

Try this skill: https://rakenne.app/a/?skill=iso27001-isms-internal-audit-report

## Overview

Plan and execute the full ISO 27001 internal audit lifecycle: from audit planning with sampling strategies through structured reporting, finding validation, and non-conformity documentation. The skill produces audit plans, reports with findings mapped to clauses, and validated NC records with corrective actions.

For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the [**ISO 27001 ISMS workspace tutorial**](/learn/tutorials/iso27001-isms-workspace-guide/).

### What It Covers

- **Audit planning** — scope, criteria, auditor assignments, sampling strategy, and document requirements
- **Finding classification** — Major NC, Minor NC, OFI, and Observation with consistent severity criteria
- **Clause mapping** — automatic mapping of findings to ISO 27001 clauses (4–10) and Annex A controls
- **Impartiality verification** — ensures auditors are not auditing their own work (Clause 9.2)
- **Finding completeness** — validates each finding has severity, clause reference, evidence, and CAPA
- **NC documentation** — structured non-conformity records with root cause analysis and corrective actions

## Example Conversation

> **You:** We need to plan and conduct an internal audit for our ISO 27001 ISMS. We're a SaaS company with 80 employees, certified last year. This is our second annual audit.
>
> **Agent:** I'll help you through the full audit lifecycle. Let's start with the audit plan. What type of audit are you planning?
>
> 1. **Full ISMS** — covers all clauses 4–10 and applicable Annex A controls
> 2. **Focused** — specific clauses or control groups (e.g., risk management, access control)
> 3. **Follow-up** — verifying closure of previous audit findings
>
> **You:** Full ISMS. Our auditors are Tom Chen (Head of Engineering) and Maria Garcia (Legal & Compliance). Tom will audit HR and Admin processes, Maria will audit Engineering and IT.
>
> **Agent:** Good — let me verify independence. Running `audit_impartiality_checker`...
>
> **Result: PASS** — No auditor/auditee overlap detected. Tom audits areas outside his responsibility, and Maria audits areas outside hers.
>
> I've drafted the audit plan with scope, criteria, schedule, and sampling strategy. For access control sampling, I recommend reviewing 10% of access changes (minimum 5) from the audit period, plus all privileged access grants. For incident records, review all critical incidents plus a random sample of others.
>
> **You:** We've completed the audit. Here are our findings: (1) Risk register has 3 entries without treatment owners, (2) Security awareness training completion is at 88% vs 100% target, (3) No evidence of log retention configuration for A.8.15.
>
> **Agent:** Let me help classify these. Running `audit_finding_severity_classifier` on each...
>
> - **Finding 1** (risk register gaps): Suggested **Minor NC** — partial conformity, requirement addressed but with gaps. Risk register exists and most entries are complete.
> - **Finding 2** (training 88%): Suggested **Minor NC** — below target but not absent. Training program exists and is mostly effective.
> - **Finding 3** (log retention): Suggested **Major NC** — no evidence that the control operates. Policy states 12 months but cannot demonstrate compliance.
>
> I'll draft the report. Running `audit_finding_completeness_validator` on the draft...
>
> **Result: 2 errors found:**
> - NC-001 (line 34): No objective evidence documented
> - NC-003 (line 42): No corrective action referenced
>
> Let me add the specific evidence observed and the required corrective actions for each NC.

## Sample Output Excerpt

Below is a representative excerpt from a generated internal audit report showing the findings table and a non-conformity record.

---

### Findings Summary

| NC ID | Clause / Control | Severity | Finding | Objective Evidence | Corrective Action |
|-------|-----------------|----------|---------|-------------------|------------------|
| NC-001 | Clause 6.1.3 | Minor | 3 risk register entries lack assigned treatment owners and target dates | Risk register entries R-008, R-012, R-015 reviewed; owner and date fields blank | Assign treatment owners and dates for all open risks; update risk management procedure to require owner assignment at risk identification |
| NC-002 | Clause 7.2, A.6.3 | Minor | Security awareness training completion at 88% vs 100% target | Training records for Q3-Q4 reviewed; 12 of 80 employees have not completed annual training | Complete training for remaining staff within 30 days; implement automated reminders in HR system |
| NC-003 | A.8.15 | Major | No evidence that audit log retention meets the 12-month policy requirement | IS policy states 12-month retention; AWS CloudWatch configuration shows 90-day default; no evidence of archival solution | Implement log archival to meet 12-month retention; verify configuration and document evidence |

### Non-Conformity Record — NC-003

| Field | Value |
|-------|-------|
| **NC ID** | NC-003 |
| **Severity** | Major |
| **Clause / Control** | A.8.15 — Logging |
| **Requirement** | Logs shall be retained for the period defined in the IS policy (12 months) |
| **Finding** | No evidence that audit log retention meets policy. CloudWatch default is 90 days. |
| **Objective evidence** | AWS CloudWatch configuration screenshot; IS policy section 7.3 |
| **Immediate correction** | Increased CloudWatch retention to 12 months for critical log groups |
| **Root cause** | Log retention was not included in the infrastructure-as-code templates; default settings were never reviewed against policy |
| **Corrective action** | Add log retention configuration to IaC templates; add log retention to quarterly infrastructure review checklist |
| **Owner** | Head of Engineering |
| **Target date** | 2025-02-28 |
| **Effectiveness review** | 2025-05-31 — verify all log groups meet 12-month retention |
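The effectiveness review scheduled in the NC-003 record asks whether every log group now meets the 12-month retention. As an added example that is not part of the generated report or the skill's own tooling, the Python below implements that check over records in the shape boto3's `describe_log_groups` returns; the log group names, retention values and the `region` parameter are constructed placeholders.

```python
from __future__ import annotations

# 12-month requirement from the IS policy (section 7.3 in the NC record above)
POLICY_RETENTION_DAYS = 365


def retention_gaps(log_groups: list[dict],
                   required_days: int = POLICY_RETENTION_DAYS) -> list[dict]:
    """Return one record per log group whose retention is shorter than policy.
    A group with no 'retentionInDays' key is set to never expire in CloudWatch,
    which satisfies a minimum-retention requirement, so it is not flagged."""
    gaps = []
    for g in log_groups:
        days = g.get("retentionInDays")
        if days is not None and days < required_days:
            gaps.append({"logGroupName": g["logGroupName"],
                         "retentionInDays": days,
                         "shortfallDays": required_days - days})
    return gaps


def effectiveness_review(log_groups: list[dict],
                         required_days: int = POLICY_RETENTION_DAYS) -> dict:
    """PASS only when no group falls short; the gaps list is the objective
    evidence to attach to the NC record either way."""
    gaps = retention_gaps(log_groups, required_days)
    return {"result": "FAIL" if gaps else "PASS",
            "checked": len(log_groups), "gaps": gaps}


def fetch_log_groups(region: str) -> list[dict]:
    """Live variant for a real review (not exercised offline): page through
    every log group in the account with boto3."""
    import boto3  # imported lazily so the offline example runs without it
    client = boto3.client("logs", region_name=region)
    groups = []
    for page in client.get_paginator("describe_log_groups").paginate():
        groups.extend(page["logGroups"])
    return groups


# Constructed sample: two groups still below 12 months, one at policy, one never expiring.
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/auth-service", "retentionInDays": 90},
    {"logGroupName": "/aws/eks/prod/cluster", "retentionInDays": 365},
    {"logGroupName": "/audit/cloudtrail"},
    {"logGroupName": "/aws/rds/prod/audit", "retentionInDays": 180},
]

if __name__ == "__main__":
    print(effectiveness_review(SAMPLE_LOG_GROUPS))
```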


## Extension Tools

### `audit_evidence_organizer`

Maps audit findings to ISO 27001 clauses (4–10) and Annex A controls using keyword analysis. Parses the report for findings sections, extracts NCs, OFIs, and observations, and suggests clause references for each.

### `audit_impartiality_checker`

Verifies auditors are not auditing their own work (Clause 9.2 independence). Extracts auditor and auditee names from the document and flags any overlap.

| Result | Meaning |
|--------|---------|
| PASS | No auditor/auditee overlap — Clause 9.2 satisfied |
| FAIL | Overlap found — reassign auditors or document justification |

### `audit_finding_completeness_validator`

Validates that each finding in the audit report has all required fields:

| Field | Severity if Missing |
|-------|:-------------------:|
| Severity classification (Major NC / Minor NC / OFI / Observation) | ERROR |
| Clause or control reference | ERROR |
| Objective evidence | WARNING |
| Corrective action (for NCs) | ERROR |
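The two tools described above, `audit_impartiality_checker` and `audit_finding_completeness_validator`, are rule-based checks. The Python below is an added example, not the skill's own code: it applies the completeness table above (missing evidence is a WARNING, the other gaps are ERRORs) and the Clause 9.2 overlap rule to constructed findings and auditor assignments modelled on the example conversation.

```python
from __future__ import annotations
from dataclasses import dataclass

SEVERITIES = {"Major NC", "Minor NC", "OFI", "Observation"}


@dataclass
class Finding:
    nc_id: str
    severity: str = ""           # one of SEVERITIES
    clause: str = ""             # e.g. "6.1.3" or "A.8.15"
    evidence: str = ""           # objective evidence observed
    corrective_action: str = ""  # required for Major/Minor NC only


def validate_finding(f: Finding) -> list[tuple[str, str]]:
    """(level, message) pairs following the completeness table: missing severity,
    clause or NC corrective action is an ERROR; missing evidence is a WARNING."""
    issues = []
    if f.severity not in SEVERITIES:
        issues.append(("ERROR", f"{f.nc_id}: no valid severity classification"))
    if not f.clause.strip():
        issues.append(("ERROR", f"{f.nc_id}: no clause or control reference"))
    if not f.evidence.strip():
        issues.append(("WARNING", f"{f.nc_id}: no objective evidence documented"))
    if f.severity.endswith("NC") and not f.corrective_action.strip():
        issues.append(("ERROR", f"{f.nc_id}: no corrective action referenced"))
    return issues


def validate_report(findings: list[Finding]) -> dict:
    """Aggregate per-finding issues; a report with any ERROR is not releasable."""
    issues = [i for f in findings for i in validate_finding(f)]
    errors = sum(1 for level, _ in issues if level == "ERROR")
    return {"errors": errors, "warnings": len(issues) - errors, "issues": issues}


def check_impartiality(audits: dict[str, set[str]],
                       responsibilities: dict[str, set[str]]) -> dict:
    """Clause 9.2 independence: an auditor whose assigned audit areas intersect
    the areas they are responsible for is auditing their own work."""
    overlaps = {a: areas & responsibilities.get(a, set()) for a, areas in audits.items()}
    overlaps = {a: o for a, o in overlaps.items() if o}
    return {"result": "FAIL" if overlaps else "PASS", "overlaps": overlaps}


# Constructed sample: NC-001 lacks evidence, NC-003 lacks a corrective action.
SAMPLE_FINDINGS = [
    Finding("NC-001", "Minor NC", "6.1.3", "", "Assign treatment owners and dates"),
    Finding("NC-002", "Minor NC", "7.2", "Training records Q3-Q4 reviewed", "Complete training"),
    Finding("NC-003", "Major NC", "A.8.15", "CloudWatch configuration screenshot", ""),
]
```

Auditor assignments are passed as `{auditor: audited areas}` alongside `{auditor: areas of responsibility}`; any intersection yields FAIL with the overlapping areas listed.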

### `audit_finding_severity_classifier`

Suggests a severity classification for a finding based on language indicators:

| Classification | When to Use |
|---------------|-------------|
| **Major NC** | Absence or total breakdown of a requirement; ISMS cannot achieve its intended outcome |
| **Minor NC** | Partial conformity with gaps; requirement is addressed but incompletely |
| **OFI** | Conforms to requirements but could be improved |
| **Observation** | Informational note or positive finding |

## Getting Started

Activate the *ISMS Internal Audit Report* skill. If you've completed the *Organization Profile* skill, load it for organizational context.

Have this information ready:
- Audit scope (which clauses and controls to audit)
- Auditor names and their organizational responsibilities (for independence check)
- Previous audit findings (if this is a follow-up audit)
- ISMS documentation available for review (policies, risk register, SoA, etc.)

The agent guides you through a 6-step workflow: plan the audit, conduct fieldwork, draft the report, map findings to clauses, validate completeness, and document non-conformities with corrective actions.

