{"id":"1fc560ab-5888-4989-be46-8f15161c80ac","shortId":"XwYLmS","kind":"skill","title":"iso-27001-internal-audit","tagline":">-","description":"# ISO 27001 Internal Audit\n\nRun a structured internal audit against ISO 27001:2022. This skill walks you through scoping, control assessment, evidence collection, and findings generation — following the same workflow a certified auditor uses.\n\n## Security Model\n\n- **No scripts executed** — this skill is markdown-only procedural guidance\n- **No secrets required** — works with public reference data\n- **IP-clean** — all control descriptions are original writing referencing NIST SP 800-53 (public domain). ISO 27001:2022 controls are referenced by section ID only (e.g., \"A.5.15\"), never by copyrighted title or description\n- **Evidence stays local** — all evidence collection commands output to local filesystem\n\n## When to Use\n\nActivate this skill when:\n\n1. **Preparing for a surveillance or certification audit** — run 4-6 weeks before the external audit\n2. **Performing quarterly internal audit** — ISO 27001 requires at least annual internal audits; quarterly is best practice\n3. **Post-incident review** — assess whether controls failed and what corrective actions are needed\n4. **New framework adoption** — map existing controls to ISO 27001 requirements\n5. **Onboarding a new compliance tool** — validate that automated checks cover the right controls\n\nDo NOT use for:\n- Generating the ISO 27001 Statement of Applicability (SoA) from scratch — use `iso-27001-evidence-collection` for evidence gathering first\n- SOC 2-only audits — use `soc2-readiness` instead\n- Reading or interpreting a specific contract clause — use legal agreement skills\n\n## Core Concepts\n\n### Control Domains (ISO 27001:2022 Annex A)\n\nISO 27001:2022 has 93 Annex A controls across 4 domains, plus ISMS clauses 4-10 (30 sub-clauses). 
This skill covers **48 priority Annex A controls** (of 93 total) — the most critical per domain for cloud-native startups. Remaining controls are lower-tier or typically N/A for cloud-native organizations.\n\n| Domain | Controls | Focus |\n|--------|----------|-------|\n| A.5 Organizational | 37 | Policies, roles, incident management, supplier relations |\n| A.6 People | 8 | Screening, training, termination, confidentiality |\n| A.7 Physical | 14 | Facility security, equipment, media — mostly N/A for cloud startups |\n| A.8 Technological | 34 | Access control, crypto, logging, SDLC, network security |\n| Clauses 4-10 | 30 | ISMS management system (context, leadership, planning, support, operation, performance, improvement) |\n\n### Decision Tree: Startup Scoping\n\n```\nIs the organization cloud-native (no owned data centers)?\n├── YES → Mark A.7.1-A.7.9, A.7.11-A.7.13 as \"satisfied by cloud provider SOC 2\"\n│         Focus evidence on: laptops, home offices, mobile devices\n├── NO  → Full A.7 assessment required\n│\nDoes the organization develop software?\n├── YES → A.8.25-A.8.34 (SDLC controls) are in scope\n├── NO  → A.8.25-A.8.34 can be scoped out with justification\n│\nDoes the organization handle PII?\n├── YES → A.5.34 (privacy) is critical, cross-reference with GDPR/CCPA\n├── NO  → A.5.34 is checkbox tier\n```\n\n### Control Tiering\n\nNot all 93 controls fail equally. Prioritize by audit failure frequency:\n\n| Tier | Count | Treatment |\n|------|-------|-----------|\n| **Critical** | ~30 | Full assessment: evidence, interviews, observation |\n| **Relevant** | ~30 | Standard check: evidence review, spot-check |\n| **Checkbox** | ~33 | Verify policy exists or cloud provider covers it |\n\nFor detailed per-control guidance, load `rules/<domain>.md`.\n\n## Step-by-Step Workflow\n\n### Step 1: Scope and Context\n\n1. **Identify the ISMS scope** — What systems, processes, locations, and people are in scope?\n2. 
**Gather the Statement of Applicability (SoA)** — Which of the 93 Annex A controls apply?\n3. **Review previous audit findings** — What was flagged last time? Are corrective actions closed?\n4. **Check data freshness** — If using a monitoring dashboard or automated testing system, verify data is < 7 days old\n\n```\n# If Internal ISO Audit MCP server is available:\nlist_controls()                                    # Get all controls with tier classifications\nget_control_guidance(control_id=\"Clause 9.2\")      # Check specific ISMS clause requirements\n\n# If reading local files:\n# Check compliance/status/last_refresh.yaml for staleness\n```\n\n### Step 2: ISMS Clause Assessment (Clauses 4-10)\n\nMost startups fail here — they treat ISMS as documentation, not a functioning management system.\n\n1. **Clause 5 (Leadership)** — Is there a signed security policy? Who is the ISMS owner? Is there evidence of management review?\n2. **Clause 6 (Planning)** — Is there a risk assessment? Is it current (< 12 months)? Does it reference the SoA?\n3. **Clause 7 (Support)** — Is there a competence matrix? Are training records current?\n4. **Clause 8 (Operation)** — Is the risk treatment plan being executed?\n5. **Clause 9 (Performance)** — Are there metrics? Has an internal audit been done? Is there a management review record?\n6. **Clause 10 (Improvement)** — Are nonconformities tracked? Are corrective actions implemented?\n\n**Auditor hint**: Auditors look for a CONNECTED chain — risk assessment → SoA → risk treatment plan → evidence of implementation → monitoring → management review → improvement. Any break in the chain is a nonconformity.\n\n### Step 3: Annex A Control Assessment\n\nWork through controls by domain, prioritizing Critical tier:\n\n1. 
**For each Critical control**:\n   - Check: Is there a documented policy/procedure?\n   - Check: Is there evidence of implementation?\n   - Check: Is there evidence of monitoring/review?\n   - Record finding: Conformity / Minor nonconformity / Major nonconformity / Observation\n\n2. **For each Relevant control**:\n   - Check: Is there evidence of implementation?\n   - Spot-check one or two items\n   - Record finding\n\n3. **For each Checkbox control**:\n   - Verify policy exists or cloud provider SOC 2 covers it\n   - Record as conforming or note exception\n\n```\n# If Internal ISO Audit MCP server is available:\nlist_controls(domain=\"organizational\")                      # List all controls in a domain with tiers\nget_control_guidance(control_id=\"A.5.15\")                   # Full guidance: auditor hints, pitfalls, evidence\nsearch_guidance(query=\"access review\", domain=\"organizational\")  # Find related controls by keyword\nget_nist_mapping(control_id=\"A.5.15\")                       # Cross-reference to NIST SP 800-53\n```\n\n### Step 4: Evidence Collection\n\nFor each finding, collect supporting evidence:\n\n1. **API exports** (preferred) — timestamped JSON/CSV from source systems\n2. **Screenshots** (when API unavailable) — must include visible system clock\n3. **Interview notes** — summarize who said what, when\n4. 
**Document review** — note document name, version, date reviewed\n\n**Evidence naming convention**: `{control_id}_{evidence_type}_{date}.{ext}`\nExample: `A.5.15_user-access-list_2026-02-28.json`\n\nFor detailed collection commands, load `rules/` files or use the `iso-27001-evidence-collection` skill.\n\n### Step 5: Generate Findings\n\nFor each nonconformity:\n\n```markdown\n## Finding: [Short title]\n\n- **Control**: A.x.x\n- **NIST Reference**: [NIST control ID]\n- **Severity**: Major / Minor / Observation\n- **Description**: [What was found]\n- **Evidence**: [What evidence supports the finding]\n- **Root Cause**: [Why the control failed]\n- **Corrective Action**: [Specific remediation steps]\n- **Due Date**: [Agreed timeline]\n- **Owner**: [Person responsible]\n```\n\n**Severity definitions**:\n- **Major nonconformity**: Control is missing or completely ineffective. Audit failure risk.\n- **Minor nonconformity**: Control exists but has gaps. Must fix before next surveillance audit.\n- **Observation**: Potential improvement. Not required but recommended.\n\n### Step 6: Audit Report\n\nGenerate a structured audit report:\n\n1. **Executive summary** — overall ISMS maturity, key findings, recommendation\n2. **Scope** — what was audited, what was excluded\n3. **Methodology** — controls assessed, evidence reviewed, people interviewed\n4. **Findings** — grouped by domain, with severity and corrective actions\n5. **Positive observations** — what's working well (auditors do note these)\n6. 
**Conclusion** — readiness for external audit, recommended timeline\n\n## Quick Reference: Top 10 Controls That Fail Most Often\n\n| # | Control | Common Failure | Fix |\n|---|---------|---------------|-----|\n| 1 | A.5.15 | No periodic access review | Schedule quarterly reviews, export user lists |\n| 2 | A.8.8 | No vulnerability scanning | Deploy Dependabot/Snyk, schedule infra scans |\n| 3 | A.5.24 | Incident response plan untested | Run tabletop exercise, document results |\n| 4 | A.8.5 | MFA not enforced everywhere | Enable MFA on all production + admin accounts |\n| 5 | A.5.30 | No business continuity test | Run DR failover test, document RTO/RPO results |\n| 6 | A.8.15 | Audit logs not centralized | Ship logs to SIEM/CloudWatch/Stackdriver |\n| 7 | A.8.9 | No baseline configuration | Document server/container base images |\n| 8 | A.6.1 | Background checks incomplete | Verify all employees have completed screening |\n| 9 | A.8.32 | No change management process | Require PR reviews, document deployment process |\n| 10 | A.5.9 | Asset inventory incomplete | Export from cloud provider + endpoint management |\n\n## DO / DON'T\n\n### DO\n- Collect evidence via API exports with ISO 8601 timestamps — always preferred over screenshots\n- Test controls, don't just review documentation — auditors check implementation, not just policies\n- Interview people at different levels — manager says one thing, engineer may say another\n- Document positive findings — shows the audit is balanced and thorough\n- Keep the SoA aligned with actual controls — gaps between SoA and implementation are major findings\n- Use `screencapture -x ~/evidence/(unknown).png` on macOS when screenshots are necessary\n\n### DON'T\n- Screenshot portals without visible system clock — auditors will reject undated evidence\n- Accept \"we have a policy\" without checking implementation — \"show me\" > \"tell me\"\n- Audit your own work — independence requirement (Clause 9.2) means auditors can't audit 
their own area\n- Treat checkbox controls as zero-effort — even N/A controls need justification in the SoA\n- Skip ISMS clauses to focus only on Annex A — most first-time failures are in clauses 4-10\n\n## Troubleshooting\n\n| Problem | Solution |\n|---------|----------|\n| Data is stale (> 7 days old) | Refresh from monitoring dashboard or re-export from source systems |\n| Can't determine which controls apply | Start with the SoA; if no SoA exists, use the decision tree above |\n| Too many findings to address before audit | Prioritize: fix all Major nonconformities first, then Critical-tier Minors |\n| Evidence timestamps don't match audit period | Re-collect evidence within the audit window (typically 12 months) |\n| Cloud provider controls not documented | Request SOC 2 Type II report from provider; map their controls to your SoA |\n| Internal audit has never been done | This IS the first internal audit — document that in the report and plan for regular cadence |\n\n## Rules\n\nFor detailed per-control guidance, load the appropriate rules file:\n\n| File | Coverage |\n|------|----------|\n| `rules/access-control.md` | A.5.15-A.5.18, A.8.2-A.8.5 — identity, authentication, authorization |\n| `rules/incident-response.md` | A.5.24-A.5.29, A.6.8 — incident lifecycle |\n| `rules/encryption.md` | A.8.24, A.8.10-A.8.12 — cryptographic controls |\n| `rules/change-management.md` | A.8.25-A.8.34, A.8.9, A.8.32 — SDLC and configuration |\n| `rules/logging-monitoring.md` | A.8.15-A.8.17 — audit trails and monitoring |\n| `rules/business-continuity.md` | A.5.30, A.8.13-A.8.14 — backup, DR, BCP |\n| `rules/people-controls.md` | A.6.1-A.6.8 — HR security lifecycle |\n| `rules/supplier-management.md` | A.5.19-A.5.23 — third-party risk |\n| `rules/isms-management.md` | Clauses 4-10 — management system operation |\n\n## Attribution\n\nAudit procedures and control guidance developed with [Internal ISO Audit](https://internalisoaudit.com) (Hazel Castro, ISO 27001 Lead Auditor, 14+ 
years, 100+ audits).\n\n## Runtime Detection\n\nThis skill operates in three modes, detected automatically:\n\n1. **Internal ISO Audit MCP server available** (best) — Live control guidance lookup with auditor hints, NIST cross-references, and full-text search\n   - Detected by: `internalisoaudit` MCP server configured in client\n   - Tools: `get_control_guidance`, `list_controls`, `get_nist_mapping`, `search_guidance`\n   - Server: `internalisoaudit.com/api/mcp`\n\n2. **Local compliance data available** (good) — Reads `compliance/` directory directly\n   - Detected by: `compliance/status/last_refresh.yaml` exists\n   - Benefits: Historical test data, evidence status, control mappings\n\n3. **Reference only** (baseline) — Uses embedded `rules/` files, no live data\n   - Always available\n   - Benefits: Procedural guidance, control descriptions, evidence checklists\n   - Limitation: No organization-specific status data\n\n## Connectors\n\nFor Internal ISO Audit MCP server setup, see [CONNECTORS.md](./CONNECTORS.md).","tags":["iso","27001","internal","audit","open","agreements","open-agreements","agent-skills","anthropic","claude","claude-code","claude-code-cli"],"capabilities":["skill","source-open-agreements","skill-iso-27001-internal-audit","topic-agent-skills","topic-anthropic","topic-claude","topic-claude-code","topic-claude-code-cli","topic-claude-code-commands","topic-claude-code-plugin","topic-claude-code-plugins","topic-claude-code-skills","topic-claude-code-subagents","topic-claude-skills","topic-contract-automation"],"categories":["open-agreements"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/open-agreements/open-agreements/iso-27001-internal-audit","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add open-agreements/open-agreements","source_repo":"https://github.com/open-agreements/open-agreements","install_from":"skills.sh"}},"qualityScore":"0.465","qualityRationale":"deterministic score 0.47 
from registry signals: · indexed on github topic:agent-skills · 31 github stars · SKILL.md body (13,073 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-01T06:57:03.096Z","embedding":null,"createdAt":"2026-04-18T22:22:44.934Z","updatedAt":"2026-05-01T06:57:03.096Z","lastSeenAt":"2026-05-01T06:57:03.096Z",
"prices":[{"id":"986afb33-54cd-4880-a17d-fff719ddedd5","listingId":"1fc560ab-5888-4989-be46-8f15161c80ac","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"open-agreements","category":"open-agreements","install_from":"skills.sh"},"createdAt":"2026-04-18T22:22:44.934Z"}],"sources":[{"listingId":"1fc560ab-5888-4989-be46-8f15161c80ac","source":"github","sourceId":"open-agreements/open-agreements/iso-27001-internal-audit","sourceUrl":"https://github.com/open-agreements/open-agreements/tree/main/skills/iso-27001-internal-audit","isPrimary":false,"firstSeenAt":"2026-04-18T22:22:44.934Z","lastSeenAt":"2026-05-01T06:57:03.096Z"}],"details":{"listingId":"1fc560ab-5888-4989-be46-8f15161c80ac","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"open-agreements","slug":"iso-27001-internal-audit","github":{"repo":"open-agreements/open-agreements","stars":31,"topics":["agent-skills","anthropic","claude","claude-code","claude-code-cli","claude-code-commands","claude-code-plugin","claude-code-plugins","claude-code-skills","claude-code-subagents","claude-skills","contract-automation","docx","gemini-cli-extension","legal-tech","legal-templates","nda-template","open-source-legal","safe-template"],"license":"mit","html_url":"https://github.com/open-agreements/open-agreements","pushed_at":"2026-04-30T21:31:08Z","description":"Fill standard legal agreement templates and produce signable DOCX files. 
25 templates covering NDAs, cloud terms, SAFEs, and NVCA financing documents.","skill_md_sha":"239f3add9b7449d3ae0b5320b326d47cb56e93b2","skill_md_path":"skills/iso-27001-internal-audit/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/open-agreements/open-agreements/tree/main/skills/iso-27001-internal-audit"},"layout":"multi","source":"github","category":"open-agreements","frontmatter":{"name":"iso-27001-internal-audit","license":"MIT","description":">-","compatibility":">-"},"skills_sh_url":"https://skills.sh/open-agreements/open-agreements/iso-27001-internal-audit"},"updatedAt":"2026-05-01T06:57:03.096Z"}}