Claude
Skills
Sign in
Back

isms-audit-expert

Included with Lifetime
$97 forever

Senior ISMS Audit Expert for internal and external information security management system auditing. Provides ISO 27001 audit expertise, security audit program management, security control assessment, and compliance verification. Use for ISMS internal auditing, external audit preparation, security control testing, and ISO 27001 certification support.

Securityscriptsassets

What this skill does


# Senior ISMS Audit Expert

Expert-level Information Security Management System (ISMS) auditing with comprehensive knowledge of ISO 27001, security audit methodologies, security control assessment, and cybersecurity compliance verification.

## Core ISMS Auditing Competencies

### 1. ISO 27001 ISMS Audit Program Management
Design and manage comprehensive ISMS audit programs ensuring systematic security evaluation and continuous improvement.

**ISMS Audit Program Framework:**
```
ISMS AUDIT PROGRAM MANAGEMENT
├── Security Audit Planning
│   ├── Risk-based audit scheduling
│   ├── Security domain scope definition
│   ├── Technical auditor competency
│   └── Security testing resource allocation
├── Audit Execution Coordination
│   ├── Technical security assessment
│   ├── Administrative control evaluation
│   ├── Physical security verification
│   └── Security documentation review
├── Security Finding Management
│   ├── Security gap identification
│   ├── Vulnerability assessment integration
│   ├── Risk-based finding prioritization
│   └── Security improvement recommendations
└── ISMS Audit Performance
    ├── Security audit effectiveness
    ├── Technical auditor development
    ├── Security methodology enhancement
    └── Industry best practice adoption
```

### 2. Risk-Based Security Audit Planning
Develop strategic security audit plans based on information security risks, threat landscape, and ISMS performance.

**Security Audit Risk Assessment:**
1. **Information Security Risk Evaluation**
   - Asset criticality and threat exposure analysis
   - Security control effectiveness assessment
   - Previous security incident and audit analysis
   - **Decision Point**: Determine audit priority and frequency based on security risk

2. **Security Audit Scope Definition**
   - **High-Risk Assets**: Quarterly technical security assessments
   - **Critical Security Controls**: Semi-annual control effectiveness testing
   - **Standard Security Processes**: Annual compliance verification
   - **Emerging Threats**: Event-driven security evaluations

3. **Technical Security Testing Integration**
   - Vulnerability assessment and penetration testing coordination
   - Security control technical verification
   - Threat simulation and red team exercises
   - Compliance scanning and automated testing

### 3. ISO 27001 Audit Execution and Methodology
Conduct systematic ISMS audits using proven methodologies ensuring comprehensive security assessment.

**ISMS Audit Execution Process:**
1. **Security Audit Preparation**
   - **Pre-audit Security Review**: Follow scripts/security-audit-prep.py
   - **Technical Assessment Planning**: Security testing scope and methods
   - **Security Auditor Assignment**: Technical competency and independence
   - **ISMS Documentation Review**: Policy, procedure, and control documentation

2. **Security Audit Conduct**
   - **ISMS Process Assessment**: Security management process evaluation
   - **Security Control Testing**: Technical and administrative control verification
   - **Security Compliance Verification**: Regulatory and standard compliance
   - **Security Culture Assessment**: Security awareness and training effectiveness

3. **Security Audit Documentation**
   - **Security Finding Documentation**: Technical and administrative findings
   - **Risk Assessment Integration**: Security risk impact and likelihood
   - **Security Improvement Recommendations**: Control enhancement and optimization
   - **Compliance Status Reporting**: ISO 27001 and regulatory compliance

### 4. Security Control Assessment and Testing
Conduct comprehensive security control assessments ensuring effective security implementation and operation.

**Security Control Assessment Framework:**
```
ISO 27002 CONTROL ASSESSMENT
├── Organizational Security Controls
│   ├── Information security policies
│   ├── Information security organization
│   ├── Human resource security
│   └── Asset management
├── Technical Security Controls
│   ├── Access control systems
│   ├── Cryptography implementation
│   ├── Systems security configuration
│   ├── Network security controls
│   ├── Application security measures
│   └── Secure development practices
├── Physical Security Controls
│   ├── Physical security perimeters
│   ├── Physical entry controls
│   ├── Equipment protection
│   └── Secure disposal procedures
└── Operational Security Controls
    ├── Operational procedures
    ├── Change management
    ├── Capacity management
    ├── System segregation
    ├── Malware protection
    └── Backup and recovery
```

## Advanced ISMS Audit Applications

### Technical Security Testing Integration
Integrate technical security assessments with ISMS auditing ensuring comprehensive security verification.

**Technical Security Assessment:**
1. **Vulnerability Assessment Integration**
   - Network vulnerability scanning and analysis
   - Application security testing and code review
   - Configuration assessment and hardening verification
   - **Decision Point**: Determine technical testing scope based on risk and compliance

2. **Penetration Testing Coordination**
   - **For External Networks**: Follow references/external-pentest-guide.md
   - **For Internal Systems**: Follow references/internal-pentest-guide.md
   - **For Web Applications**: Follow references/webapp-security-testing.md
   - Social engineering and phishing simulation

3. **Security Control Verification**
   - Access control effectiveness testing
   - Encryption implementation verification
   - Monitoring and logging system assessment
   - Incident response procedure validation

### Cybersecurity Compliance Auditing
Conduct specialized cybersecurity compliance audits addressing regulatory and industry requirements.

**Cybersecurity Compliance Framework:**
- **Healthcare Cybersecurity**: HIPAA Security Rule and healthcare-specific requirements
- **Medical Device Cybersecurity**: FDA cybersecurity guidance and IEC 62304 integration
- **Financial Services**: PCI DSS and financial industry security standards
- **Critical Infrastructure**: NIST Cybersecurity Framework and sector-specific guidelines

### Cloud Security Auditing
Assess cloud security implementations ensuring comprehensive cloud service security verification.

**Cloud Security Audit Approach:**
1. **Cloud Service Provider Assessment**
   - CSP security certification and compliance verification
   - Shared responsibility model implementation review
   - Data residency and sovereignty compliance
   - Cloud access and identity management assessment

2. **Cloud Configuration Assessment**
   - Cloud resource configuration and hardening
   - Network security and segmentation verification
   - Data encryption and key management assessment
   - Cloud monitoring and logging evaluation

## Security Auditor Competency and Development

### Security Auditor Technical Competency
Develop and maintain security auditor technical competency ensuring effective security assessment capabilities.

**Security Auditor Competency Framework:**
```
SECURITY AUDITOR COMPETENCY
├── Technical Security Knowledge
│   ├── Network security and protocols
│   ├── System security and hardening
│   ├── Application security and testing
│   ├── Cryptography and key management
│   └── Security architecture and design
├── Security Assessment Skills
│   ├── Vulnerability assessment techniques
│   ├── Penetration testing methodologies
│   ├── Security control testing
│   └── Risk assessment and analysis
├── Compliance and Standards
│   ├── ISO 27001/27002 expertise
│   ├── Regulatory requirement knowledge
│   ├── Industry standard familiarity
│   └── Audit methodology proficiency
└── Communication and Reporting
    ├── Technical finding documentation
    ├── Risk communication skills
    ├── Executive reporting capabilities
    └── Stakeholder engagement
```

### Security Audit Tool Proficiency
Maintain proficiency with security audit tools and technologies ensuring effective technical assessment.

*
Files: 4
Size: 15.0 KB
Complexity: 55/100
Category: Security
Source: https://github.com/davila7/claude-code-templates/tree/main/cli-tool/components/skills/enterprise-communication/isms-audit-expert

Related in Security

mac-ops

Included

Comprehensive macOS workstation operations — diagnose kernel panics, identify failing drives, audit launchd startup items, decode wake reasons, triage TCC permission denials, manage APFS snapshots, recover from no-boot. Use for: Mac is slow, slow bootup, won't boot, kernel panic, kernel_task hot, mds_stores CPU, photoanalysisd, cloudd, login loop, gray screen, sleep wake failure, drive failing, IO errors, APFS snapshots eating space, Time Machine local snapshots, Spotlight indexing, launchd, LaunchAgent, LaunchDaemon, login items, TCC permissions, Full Disk Access, Screen Recording denied, Gatekeeper, quarantine, com.apple.quarantine, app is damaged, helper tool, /Library/PrivilegedHelperTools, pmset, wake reasons, dark wake, sysdiagnose, panic.ips, DiagnosticReports, configuration profile, MDM profile, remote diagnostics over SSH.

Securityscripts

a11y-audit

Included

Run accessibility audits on web projects combining automated scanning (axe-core, Lighthouse) with WCAG 2.1 AA compliance mapping, manual check guidance, and structured reporting. Output is configurable: markdown report only, markdown plus machine-readable JSON, or markdown plus issue tracker integration. Use this skill whenever the user mentions "accessibility audit", "a11y audit", "WCAG audit", "accessibility check", "compliance scan", or asks to check a web project for accessibility issues. Also trigger when the user wants to verify WCAG conformance or map findings to a specific standard (CAN-ASC-6.2, EN 301 549, ADA/AODA).

Securityscripts

erpclaw

Included

AI-native ERP system with self-extending OS. Full accounting, invoicing, inventory, purchasing, tax, billing, HR, payroll, advanced accounting (ASC 606/842, intercompany, consolidation), and financial reporting. 413 actions across 14 domains, 43 expansion modules. Constitutional guardrails, adversarial audit, schema migration. Double-entry GL, immutable audit trail, US GAAP.

Securityscripts

assess

Included

Assesses and rates quality 0-10 across multiple dimensions (correctness, maintainability, security, performance, testability, simplicity) with pros/cons analysis. Compares against project conventions and prior decisions from memory. Produces structured evaluation reports with actionable improvement suggestions. Use when evaluating code, designs, architectures, or comparing alternative approaches.

Securityscripts

spring-boot-security-jwt

Included

Provides JWT authentication and authorization patterns for Spring Boot 3.5.x covering token generation with JJWT, Bearer/cookie authentication, database/OAuth2 integration, and RBAC/permission-based access control using Spring Security 6.x. Use when implementing authentication or authorization in Spring Boot applications.

Securityscripts

code-hardcode-audit

Included

Detect hardcoded values, magic numbers, and leaked secrets. TRIGGERS - hardcode audit, magic numbers, PLR2004, secret scanning.

Securityscripts
Sign up & unlock — $97