{"id":"647ffcbe-e87b-4937-ab18-7f062965d909","shortId":"kByA5u","kind":"skill","title":"iso-27001-evidence-collection","tagline":">-","description":"# ISO 27001 Evidence Collection\n\nSystematically collect audit evidence for ISO 27001:2022 and SOC 2. This skill provides API-first evidence collection commands, organizes evidence by control, and validates completeness before auditor review.\n\n## Security Model\n\n- **No scripts executed** — this skill is markdown-only procedural guidance\n- **No secrets required** — works with reference checklists; CLI commands use existing local credentials\n- **Evidence stays local** — all outputs go to the local filesystem\n- **IP-clean** — references NIST SP 800-53 (public domain); ISO controls cited by section ID only\n\n## When to Use\n\nActivate this skill when:\n\n1. **Preparing evidence package for external audit** — 2-4 weeks before auditor arrives\n2. **Quarterly evidence refresh** — update evidence that has aged beyond the audit window\n3. **After remediation** — collect evidence proving a finding has been fixed\n4. **New system onboarding** — establish baseline evidence for a newly in-scope system\n5. **Evidence gap analysis** — identify what's missing before the audit\n\nDo NOT use for:\n- Running the internal audit itself — use `iso-27001-internal-audit`\n- SOC 2-only readiness assessment — use `soc2-readiness`\n- Interpreting audit findings — use the internal audit skill\n\n## Core Concepts\n\n### Evidence Hierarchy (Best to Worst)\n\n| Rank | Type | Example | Why Better |\n|------|------|---------|------------|\n| 1 | **API export (JSON/CSV)** | `gcloud iam service-accounts list --format=json` | Timestamped, tamper-evident, reproducible |\n| 2 | **System-generated report** | SOC 2 report from vendor, SIEM export | Authoritative source, includes metadata |\n| 3 | **Configuration export** | Terraform state, policy JSON | Shows intended state, version-controlled |\n| 4 | **Screenshot with system clock** | `screencapture -x ~/evidence/...` | Visual proof, but harder to validate |\n| 5 | **Manual attestation** | Signed statement by responsible person | Last resort, requires corroboration |\n\n### Evidence Freshness Requirements\n\n| Evidence Type | Max Age | Refresh Cadence |\n|---------------|---------|-----------------|\n| Access lists | 90 days | Quarterly |\n| Vulnerability scans | 30 days | Monthly |\n| Configuration exports | 90 days | Quarterly |\n| Training records | 12 months | Annual |\n| Penetration test | 12 months | Annual |\n| Policy documents | 12 months | Annual review |\n| Incident records | Audit period | Continuous |\n| Risk assessment | 12 months | Annual + on change |\n\n### Evidence Naming Convention\n\n```\n{control_id}_{evidence_type}_{YYYY-MM-DD}.{ext}\n```\n\nExamples:\n- `A.5.15_user-access-list_2026-02-28.json`\n- `A.8.8_vulnerability-scan_2026-02-28.csv`\n- `A.8.13_backup-test-results_2026-02-28.pdf`\n\n## Step-by-Step Workflow\n\n### Step 1: Identify Evidence Gaps\n\nDetermine what evidence is missing or stale.\n\n```\n# If Internal ISO Audit MCP server is available:\nsearch_guidance(query=\"evidence\", domain=\"organizational\")  # Find controls needing evidence\nlist_controls(domain=\"technological\")                       # List all tech controls to assess gaps\nget_control_guidance(control_id=\"A.5.15\")                   # Get evidence requirements for a specific control\n\n# If reading local compliance data:\n# Check compliance/evidence/*.md files for upload_status != \"OK\"\n# Check renewal_next dates for upcoming expirations\n```\n\n### Step 2: Prioritize Collection\n\nOrder evidence collection by:\n1. **Missing evidence for Critical-tier controls** — audit blockers\n2. **Stale evidence past renewal date** — auditor will reject\n3. **Evidence for Relevant-tier controls** — expected but not blocking\n4. **Checkbox-tier evidence** — policies and attestations\n\n### Step 3: Collect by Platform\n\nRun evidence collection commands grouped by platform to minimize context-switching.\n\n#### GitHub Evidence\n```bash\n# Org settings: MFA requirement, default permissions\ngh api orgs/{org} | jq '{\n  two_factor_requirement_enabled,\n  default_repository_permission,\n  members_can_create_public_repositories\n}' > evidence/A.5.17_github-org-mfa_$(date +%Y-%m-%d).json\n\n# Branch protection on production repos\nfor repo in $(gh repo list {org} --json name -q '.[].name'); do\n  gh api repos/{org}/$repo/branches/main/protection 2>/dev/null | \\\n    jq '{repo: \"'$repo'\", protection: .}' >> evidence/A.8.32_branch-protection_$(date +%Y-%m-%d).json\ndone\n\n# Recent merged PRs (change management evidence)\ngh pr list --state merged --limit 50 --json number,title,author,reviewDecision,mergedAt,mergedBy \\\n  > evidence/A.8.32_change-records_$(date +%Y-%m-%d).json\n\n# Dependabot alerts (vulnerability management)\ngh api repos/{org}/{repo}/dependabot/alerts?state=open \\\n  > evidence/A.8.8_dependabot-alerts_$(date +%Y-%m-%d).json\n\n# Secret scanning alerts\ngh api orgs/{org}/secret-scanning/alerts --paginate \\\n  > evidence/A.8.24_secret-scanning_$(date +%Y-%m-%d).json\n\n# Audit log\ngh api orgs/{org}/audit-log?per_page=100 \\\n  > evidence/A.8.15_github-audit-log_$(date +%Y-%m-%d).json\n```\n\n#### GCP Evidence\n```bash\n# IAM policy (access control)\ngcloud projects get-iam-policy {project} --format=json \\\n  > evidence/A.5.15_gcp-iam-policy_$(date +%Y-%m-%d).json\n\n# Service accounts\ngcloud iam service-accounts list --format=json \\\n  > evidence/A.5.16_gcp-service-accounts_$(date +%Y-%m-%d).json\n\n# Audit logging config\ngcloud projects get-iam-policy {project} --format=json | jq '.auditConfigs' \\\n  > evidence/A.8.15_gcp-audit-config_$(date +%Y-%m-%d).json\n\n# Log sinks (centralization)\ngcloud logging sinks list --format=json \\\n  > evidence/A.8.15_gcp-log-sinks_$(date +%Y-%m-%d).json\n\n# Compute instances (asset inventory)\ngcloud compute instances list --format=json \\\n  > evidence/A.5.9_gcp-compute-inventory_$(date +%Y-%m-%d).json\n\n# Cloud SQL backup config\ngcloud sql backups list --instance={instance} --format=json \\\n  > evidence/A.8.13_gcp-sql-backups_$(date +%Y-%m-%d).json\n\n# Firewall rules\ngcloud compute firewall-rules list --format=json \\\n  > evidence/A.8.20_gcp-firewall-rules_$(date +%Y-%m-%d).json\n```\n\n#### Azure Evidence\n```bash\n# Role assignments (access control)\naz role assignment list --all --output json \\\n  > evidence/A.5.15_azure-role-assignments_$(date +%Y-%m-%d).json\n\n# Activity log (audit trail)\naz monitor activity-log list --max-events 100 --output json \\\n  > evidence/A.8.15_azure-activity-log_$(date +%Y-%m-%d).json\n\n# Network security groups\naz network nsg list --output json \\\n  > evidence/A.8.20_azure-nsgs_$(date +%Y-%m-%d).json\n\n# Backup jobs\naz backup job list --resource-group {rg} --vault-name {vault} --output json \\\n  > evidence/A.8.13_azure-backup-jobs_$(date +%Y-%m-%d).json\n\n# Storage encryption\naz storage account list --query \"[].{name:name, encryption:encryption}\" --output json \\\n  > evidence/A.8.24_azure-storage-encryption_$(date +%Y-%m-%d).json\n```\n\n#### Google Workspace Evidence\n```bash\n# User list with MFA status\ngam print users fields primaryEmail,name,isEnrolledIn2Sv,isEnforcedIn2Sv,lastLoginTime,suspended \\\n  > evidence/A.5.17_workspace-users-mfa_$(date +%Y-%m-%d).csv\n\n# Admin roles\ngam print admins > evidence/A.8.2_workspace-admins_$(date +%Y-%m-%d).csv\n\n# Mobile devices\ngam print mobile > evidence/A.8.1_workspace-mobile-devices_$(date +%Y-%m-%d).csv\n```\n\n#### macOS Endpoint Evidence\n```bash\n# FileVault encryption\nfdesetup status > evidence/A.8.24_filevault-status_$(date +%Y-%m-%d).txt\n\n# System configuration\nsystem_profiler SPHardwareDataType SPSoftwareDataType \\\n  > evidence/A.8.1_endpoint-config_$(date +%Y-%m-%d).txt\n\n# Screen lock settings\nprofiles show -type configuration 2>/dev/null | grep -A10 -i \"lock\\|idle\\|screensaver\" \\\n  > evidence/A.6.7_screenlock-config_$(date +%Y-%m-%d).txt\n```\n\n### Step 4: Validate Evidence Package\n\nCheck completeness before submitting to auditor:\n\n1. **Completeness**: Do you have evidence for every applicable control in the SoA?\n2. **Freshness**: Is every piece of evidence within the required age?\n3. **Format**: Are API exports in JSON/CSV with timestamps? Screenshots have system clock visible?\n4. **Naming**: Files follow the naming convention?\n5. **Coverage**: Critical-tier controls have at least 2 forms of evidence?\n\n```\n# If Internal ISO Audit MCP server is available:\nlist_controls()                                             # Get all controls to verify evidence coverage\nget_control_guidance(control_id=\"A.8.8\")                    # Check specific control's evidence expectations\nsearch_guidance(query=\"vulnerability scanning evidence\")    # Find controls related to specific evidence types\n```\n\n### Step 5: Generate Evidence Index\n\nCreate an index file listing all evidence, mapped to controls:\n\n```markdown\n# Evidence Package Index\nGenerated: {date}\nAudit period: {start} to {end}\n\n| Control | Evidence File | Type | Collected | Status |\n|---------|--------------|------|-----------|--------|\n| A.5.15 | gcp-iam-policy_2026-02-28.json | API export | 2026-02-28 | Current |\n| A.5.17 | workspace-users-mfa_2026-02-28.csv | API export | 2026-02-28 | Current |\n| ... | ... | ... | ... | ... |\n```\n\n## DO / DON'T\n\n### DO\n- Use API exports with ISO 8601 timestamps over screenshots whenever possible\n- Collect evidence from the SOURCE system (IdP, not a secondary report)\n- Include metadata: collection date, system version, user who collected\n- Store evidence in version-controlled directory with clear naming\n- Collect evidence for the AUDIT PERIOD (usually past 12 months), not just current state\n- Use `screencapture -x ~/evidence/{filename}.png` for screenshots (captures without shadow/border)\n\n### DON'T\n- Take screenshots without visible system clock (menu bar on macOS, taskbar on Windows)\n- Collect evidence from sandbox/staging instead of production\n- Manually edit evidence after collection (auditors may verify against source)\n- Wait until the week before the audit to collect everything\n- Assume stale evidence is acceptable — check freshness requirements above\n- Mix evidence from different audit periods in the same file\n\n## Troubleshooting\n\n| Problem | Solution |\n|---------|----------|\n| API command requires auth | Use existing local credentials: `gcloud auth login`, `az login`, `gh auth login` |\n| Tool not installed | Install: `brew install gh`, `brew install --cask google-cloud-sdk`, `brew install azure-cli` |\n| Insufficient permissions | Request read-only access to the relevant service; document the access request as evidence |\n| Evidence too large | Use `--limit` or `--max-events` flags; collect summary statistics instead of full export |\n| Vendor won't provide SOC 2 report | Request via their trust center; if unavailable, document the request and use their security page |\n| Screenshot doesn't include clock | On macOS: use full-screen capture, or `screencapture -x` which includes menu bar |\n\n## Rules\n\nFor detailed evidence collection guidance by topic:\n\n| File | Coverage |\n|------|----------|\n| `rules/api-exports.md` | CLI commands by cloud provider (GCP, Azure, AWS, GitHub, Google Workspace) |\n| `rules/screenshot-guide.md` | When and how to take audit-ready screenshots |\n| `rules/evidence-types.md` | Evidence type requirements per control domain |\n\n## Attribution\n\nEvidence collection procedures and control guidance developed with [Internal ISO Audit](https://internalisoaudit.com) (Hazel Castro, ISO 27001 Lead Auditor, 14+ years, 100+ audits).\n\n## Runtime Detection\n\n1. **Internal ISO Audit MCP server available** (best) — Live control guidance lookup, NIST cross-reference, full-text search across all control evidence expectations. Server: `internalisoaudit.com/api/mcp`\n2. **Local compliance data available** (good) — Reads evidence status from `compliance/evidence/*.md`\n3. **Reference only** (baseline) — Uses embedded checklists and command reference in `rules/`\n\n## Connectors\n\nFor Internal ISO Audit MCP server setup, see [CONNECTORS.md](./CONNECTORS.md).","tags":["iso","27001","evidence","collection","open","agreements","open-agreements","agent-skills","anthropic","claude","claude-code","claude-code-cli"],"capabilities":["skill","source-open-agreements","skill-iso-27001-evidence-collection","topic-agent-skills","topic-anthropic","topic-claude","topic-claude-code","topic-claude-code-cli","topic-claude-code-commands","topic-claude-code-plugin","topic-claude-code-plugins","topic-claude-code-skills","topic-claude-code-subagents","topic-claude-skills","topic-contract-automation"],"categories":["open-agreements"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/open-agreements/open-agreements/iso-27001-evidence-collection","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add open-agreements/open-agreements","source_repo":"https://github.com/open-agreements/open-agreements","install_from":"skills.sh"}},"qualityScore":"0.465","qualityRationale":"deterministic score 0.47 from registry signals: · indexed on github topic:agent-skills · 31 github stars · SKILL.md body (11,815 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-01T06:57:03.031Z","embedding":null,"createdAt":"2026-04-18T22:22:44.170Z","updatedAt":"2026-05-01T06:57:03.031Z","lastSeenAt":"2026-05-01T06:57:03.031Z","tsv":"'-02':1093,1101 '-27001':2,173 '-28':1094,1102 '-4':108 '-53':83 '/api/mcp':1440 '/audit-log':620 '/connectors.md':1475 '/dependabot/alerts':590 '/dev/null':543,932 '/evidence':259,1166 '/secret-scanning/alerts':606 '1':100,206,352,433,956,1412 '100':623,786,1408 '12':304,309,314,325,1157 '14':1406 '2':20,107,113,178,223,229,426,443,542,931,969,1010,1312,1441 '2022':17 '2026':1092,1100 '27001':7,16,1403 '3':126,239,452,472,980,1453 '30':294 '4':137,252,463,946,994 '5':151,266,1001,1057 '50':567 '800':82 '8601':1113 '90':289,299 'a.5.15':397,1088 'a.5.15_user-access-list_2026-02-28.json':343 'a.5.17':1096 'a.8.13_backup-test-results_2026-02-28.pdf':345 'a.8.8':1036 'a.8.8_vulnerability-scan_2026-02-28.csv':344 'a10':934 'accept':1220 'access':287,635,758,1279,1286 'account':214,653,658,836 'across':1432 'activ':96,773,780 'activity-log':779 'admin':876,880 'age':121,284,979 'alert':582,601 'analysi':154 'annual':306,311,316,327 'api':25,207,498,538,586,603,617,983,1090,1098,1109,1238 'api-first':24 'applic':964 'arriv':112 'assess':181,324,390 'asset':705 'assign':757,762 'assum':1216 'attest':268,470 'attribut':1387 'audit':12,106,124,161,169,176,187,192,320,366,441,614,668,775,1017,1077,1153,1212,1229,1377,1398,1409,1415,1469 'audit-readi':1376 'auditconfig':681 'auditor':38,111,449,955,1201,1405 'auth':1241,1247,1252 'author':571 'authorit':235 'avail':370,1021,1418,1445 'aw':1366 'az':760,777,798,812,834,1249 'azur':753,1271,1365 'azure-c':1270 'backup':721,725,810,813 'bar':1183,1347 'baselin':142,1456 'bash':490,632,755,854,901 'best':198,1419 'better':205 'beyond':122 'block':462 'blocker':442 'branch':520 'brew':1258,1261,1268 'cadenc':286 'captur':1171,1340 'cask':1263 'castro':1401 'center':1318 'central':690 'chang':329,558 'check':410,418,950,1037,1221 'checkbox':465 'checkbox-ti':464 'checklist':59,1459 'cite':88 'clean':78 'clear':1147 'cli':60,1272,1359 'clock':256,992,1181,1333 'cloud':719,1266,1362 'collect':5,9,11,28,129,428,431,473,478,1086,1119,1132,1138,1149,1189,1200,1214,1300,1352,1389 'command':29,61,479,1239,1360,1461 'complet':36,951,957 'complianc':408,1443 'compliance/evidence':411,1451 'comput':703,708,740 'concept':195 'config':670,722 'configur':240,297,913,930 'connector':1465 'connectors.md':1474 'context':486 'context-switch':485 'continu':322 'control':33,87,251,333,378,382,388,393,395,404,440,458,636,759,965,1006,1023,1026,1032,1034,1039,1050,1070,1082,1144,1385,1392,1421,1434 'convent':332,1000 'core':194 'corrobor':277 'coverag':1002,1030,1357 'creat':511,1061 'credenti':65,1245 'critic':438,1004 'critical-ti':437,1003 'cross':1426 'cross-refer':1425 'csv':875,886,897 'current':1095,1103,1161 'd':518,552,579,597,612,628,650,666,686,701,717,735,751,771,793,808,830,849,874,885,896,910,922,943 'data':409,1444 'date':421,448,515,549,576,594,609,625,647,663,683,698,714,732,748,768,790,805,827,846,871,882,893,907,919,940,1076,1133 'day':290,295,300 'dd':340 'default':495,506 'dependabot':581 'detail':1350 'detect':1411 'determin':356 'develop':1394 'devic':888 'differ':1228 'directori':1145 'document':313,1284,1321 'doesn':1330 'domain':85,375,383,1386 'done':554 'edit':1197 'embed':1458 'enabl':505 'encrypt':833,841,842,903 'end':1081 'endpoint':899 'establish':141 'event':785,1298 'everi':963,972 'everyth':1215 'evid':4,8,13,27,31,66,102,115,118,130,143,152,196,221,278,281,330,335,354,358,374,380,399,430,435,445,453,467,477,489,560,631,754,853,900,948,961,975,1013,1029,1041,1048,1054,1059,1067,1072,1083,1120,1140,1150,1190,1198,1218,1226,1289,1290,1351,1381,1388,1435,1448 'evidence-collect':3 'evidence/a.5.15_azure-role-assignments_':767 'evidence/a.5.15_gcp-iam-policy_':646 'evidence/a.5.16_gcp-service-accounts_':662 'evidence/a.5.17_github-org-mfa_':514 'evidence/a.5.17_workspace-users-mfa_':870 'evidence/a.5.9_gcp-compute-inventory_':713 'evidence/a.6.7_screenlock-config_':939 'evidence/a.8.13_azure-backup-jobs_':826 'evidence/a.8.13_gcp-sql-backups_':731 'evidence/a.8.15_azure-activity-log_':789 'evidence/a.8.15_gcp-audit-config_':682 'evidence/a.8.15_gcp-log-sinks_':697 'evidence/a.8.15_github-audit-log_':624 'evidence/a.8.1_endpoint-config_':918 'evidence/a.8.1_workspace-mobile-devices_':892 'evidence/a.8.20_azure-nsgs_':804 'evidence/a.8.20_gcp-firewall-rules_':747 'evidence/a.8.24_azure-storage-encryption_':845 'evidence/a.8.24_filevault-status_':906 'evidence/a.8.24_secret-scanning_':608 'evidence/a.8.2_workspace-admins_':881 'evidence/a.8.32_branch-protection_':548 'evidence/a.8.32_change-records_':575 'evidence/a.8.8_dependabot-alerts_':593 'exampl':203,342 'execut':44 'exist':63,1243 'expect':459,1042,1436 'expir':424 'export':208,234,241,298,984,1091,1099,1110,1306 'ext':341 'extern':105 'factor':503 'fdesetup':904 'field':863 'file':413,996,1064,1084,1234,1356 'filenam':1167 'filesystem':75 'filevault':902 'find':133,188,377,1049 'firewal':737,742 'firewall-rul':741 'first':26 'fix':136 'flag':1299 'follow':997 'form':1011 'format':216,644,660,678,695,711,729,745,981 'fresh':279,970,1222 'full':1305,1338,1429 'full-screen':1337 'full-text':1428 'gam':860,878,889 'gap':153,355,391 'gcloud':210,637,654,671,691,707,723,739,1246 'gcp':630,1364 'gcp-iam-policy_2026-02-28.json':1089 'generat':226,1058,1075 'get':392,398,640,674,1024,1031 'get-iam-polici':639,673 'gh':497,528,537,561,585,602,616,1251,1260 'github':488,1367 'go':71 'good':1446 'googl':851,1265,1368 'google-cloud-sdk':1264 'grep':933 'group':480,797,818 'guidanc':52,372,394,1033,1044,1353,1393,1422 'harder':263 'hazel':1400 'hierarchi':197 'iam':211,633,641,655,675 'id':91,334,396,1035 'identifi':155,353 'idl':937 'idp':1125 'in-scop':147 'incid':318 'includ':237,1130,1332,1345 'index':1060,1063,1074 'instal':1256,1257,1259,1262,1269 'instanc':704,709,727,728 'instead':1193,1303 'insuffici':1273 'intend':247 'intern':168,175,191,364,1015,1396,1413,1467 'internal-audit':174 'internalisoaudit.com':1399,1439 'internalisoaudit.com/api/mcp':1438 'interpret':186 'inventori':706 'ip':77 'ip-clean':76 'isenforcedin2sv':867 'isenrolledin2sv':866 'iso':1,6,15,86,172,365,1016,1112,1397,1402,1414,1468 'job':811,814 'jq':501,544,680 'json':217,245,519,532,553,568,580,598,613,629,645,651,661,667,679,687,696,702,712,718,730,736,746,752,766,772,788,794,803,809,825,831,844,850 'json/csv':209,986 'larg':1292 'last':274 'lastlogintim':868 'lead':1404 'least':1009 'limit':566,1294 'list':215,288,381,385,530,563,659,694,710,726,744,763,782,801,815,837,856,1022,1065 'live':1420 'local':64,68,74,407,1244,1442 'lock':925,936 'log':615,669,688,692,774,781 'login':1248,1250,1253 'lookup':1423 'm':517,551,578,596,611,627,649,665,685,700,716,734,750,770,792,807,829,848,873,884,895,909,921,942 'maco':898,1185,1335 'manag':559,584 'manual':267,1196 'map':1068 'markdown':49,1071 'markdown-on':48 'max':283,784,1297 'max-ev':783,1296 'may':1202 'mcp':367,1018,1416,1470 'md':412,1452 'member':509 'menu':1182,1346 'merg':556,565 'mergedat':573 'mergedbi':574 'metadata':238,1131 'mfa':493,858 'minim':484 'miss':158,360,434 'mix':1225 'mm':339 'mobil':887,891 'model':41 'monitor':778 'month':296,305,310,315,326,1158 'name':331,533,535,822,839,840,865,995,999,1148 'need':379 'network':795,799 'new':138 'newli':146 'next':420 'nist':80,1424 'nsg':800 'number':569 'ok':417 'onboard':140 'open':592 'order':429 'org':491,499,500,531,540,588,604,605,618,619 'organ':30 'organiz':376 'output':70,765,787,802,824,843 'packag':103,949,1073 'page':622,1328 'pagin':607 'past':446,1156 'penetr':307 'per':621,1384 'period':321,1078,1154,1230 'permiss':496,508,1274 'person':273 'piec':973 'platform':475,482 'png':1168 'polici':244,312,468,634,642,676 'possibl':1118 'pr':562 'prepar':101 'primaryemail':864 'print':861,879,890 'priorit':427 'problem':1236 'procedur':51,1390 'product':523,1195 'profil':915,927 'project':638,643,672,677 'proof':261 'protect':521,547 'prove':131 'provid':23,1310,1363 'prs':557 'public':84,512 'q':534 'quarter':114,291,301 'queri':373,838,1045 'rank':201 'read':406,1277,1447 'read-on':1276 'readi':180,185,1378 'recent':555 'record':303,319 'refer':58,79,1427,1454,1462 'refresh':116,285 'reject':451 'relat':1051 'relev':456,1282 'relevant-ti':455 'remedi':128 'renew':419,447 'repo':524,526,529,539,545,546,587,589 'repo/branches/main/protection':541 'report':227,230,1129,1313 'repositori':507,513 'reproduc':222 'request':1275,1287,1314,1323 'requir':55,276,280,400,494,504,978,1223,1240,1383 'resort':275 'resourc':817 'resource-group':816 'respons':272 'review':39,317 'reviewdecis':572 'rg':819 'risk':323 'role':756,761,877 'rule':738,743,1348,1464 'rules/api-exports.md':1358 'rules/evidence-types.md':1380 'rules/screenshot-guide.md':1370 'run':166,476 'runtim':1410 'sandbox/staging':1192 'scan':293,600,1047 'scope':149 'screen':924,1339 'screencaptur':257,1164,1342 'screensav':938 'screenshot':253,989,1116,1170,1177,1329,1379 'script':43 'sdk':1267 'search':371,1043,1431 'secondari':1128 'secret':54,599 'section':90 'secur':40,796,1327 'see':1473 'server':368,1019,1417,1437,1471 'servic':213,652,657,1283 'service-account':212,656 'set':492,926 'setup':1472 'shadow/border':1173 'show':246,928 'siem':233 'sign':269 'sink':689,693 'skill':22,46,98,193 'skill-iso-27001-evidence-collection' 'soa':968 'soc':19,177,228,1311 'soc2':184 'soc2-readiness':183 'solut':1237 'sourc':236,1123,1205 'source-open-agreements' 'sp':81 'specif':403,1038,1053 'sphardwaredatatyp':916 'spsoftwaredatatyp':917 'sql':720,724 'stale':362,444,1217 'start':1079 'state':243,248,564,591,1162 'statement':270 'statist':1302 'status':416,859,905,1087,1449 'stay':67 'step':347,349,351,425,471,945,1056 'step-by-step':346 'storag':832,835 'store':1139 'submit':953 'summari':1301 'suspend':869 'switch':487 'system':139,150,225,255,912,914,991,1124,1134,1180 'system-gener':224 'systemat':10 'take':1176,1375 'tamper':220 'tamper-evid':219 'taskbar':1186 'tech':387 'technolog':384 'terraform':242 'test':308 'text':1430 'tier':439,457,466,1005 'timestamp':218,988,1114 'titl':570 'tool':1254 'topic':1355 'topic-agent-skills' 'topic-anthropic' 'topic-claude' 'topic-claude-code' 'topic-claude-code-cli' 'topic-claude-code-commands' 'topic-claude-code-plugin' 'topic-claude-code-plugins' 'topic-claude-code-skills' 'topic-claude-code-subagents' 'topic-claude-skills' 'topic-contract-automation' 'trail':776 'train':302 'troubleshoot':1235 'trust':1317 'two':502 'txt':911,923,944 'type':202,282,336,929,1055,1085,1382 'unavail':1320 'upcom':423 'updat':117 'upload':415 'use':62,95,164,171,182,189,1108,1163,1242,1293,1325,1336,1457 'user':855,862,1136 'usual':1155 'valid':35,265,947 'vault':821,823 'vault-nam':820 'vendor':232,1307 'verifi':1028,1203 'version':250,1135,1143 'version-control':249,1142 'via':1315 'visibl':993,1179 'visual':260 'vulner':292,583,1046 'wait':1206 'week':109,1209 'whenev':1117 'window':125,1188 'within':976 'without':1172,1178 'won':1308 'work':56 'workflow':350 'workspac':852,1369 'workspace-users-mfa_2026-02-28.csv':1097 'worst':200 'x':258,1165,1343 'y':516,550,577,595,610,626,648,664,684,699,715,733,749,769,791,806,828,847,872,883,894,908,920,941 'year':1407 'yyyi':338 'yyyy-mm-dd':337","prices":[{"id":"195efeb2-18d4-4271-b683-c85c7ecc99a3","listingId":"647ffcbe-e87b-4937-ab18-7f062965d909","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"open-agreements","category":"open-agreements","install_from":"skills.sh"},"createdAt":"2026-04-18T22:22:44.170Z"}],"sources":[{"listingId":"647ffcbe-e87b-4937-ab18-7f062965d909","source":"github","sourceId":"open-agreements/open-agreements/iso-27001-evidence-collection","sourceUrl":"https://github.com/open-agreements/open-agreements/tree/main/skills/iso-27001-evidence-collection","isPrimary":false,"firstSeenAt":"2026-04-18T22:22:44.170Z","lastSeenAt":"2026-05-01T06:57:03.031Z"}],"details":{"listingId":"647ffcbe-e87b-4937-ab18-7f062965d909","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"open-agreements","slug":"iso-27001-evidence-collection","github":{"repo":"open-agreements/open-agreements","stars":31,"topics":["agent-skills","anthropic","claude","claude-code","claude-code-cli","claude-code-commands","claude-code-plugin","claude-code-plugins","claude-code-skills","claude-code-subagents","claude-skills","contract-automation","docx","gemini-cli-extension","legal-tech","legal-templates","nda-template","open-source-legal","safe-template"],"license":"mit","html_url":"https://github.com/open-agreements/open-agreements","pushed_at":"2026-04-30T21:31:08Z","description":"Fill standard legal agreement templates and produce signable DOCX files. 25 templates covering NDAs, cloud terms, SAFEs, and NVCA financing documents.","skill_md_sha":"802962c4e070b31e04a410c5009a154f0a818056","skill_md_path":"skills/iso-27001-evidence-collection/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/open-agreements/open-agreements/tree/main/skills/iso-27001-evidence-collection"},"layout":"multi","source":"github","category":"open-agreements","frontmatter":{"name":"iso-27001-evidence-collection","license":"MIT","description":">-","compatibility":">-"},"skills_sh_url":"https://skills.sh/open-agreements/open-agreements/iso-27001-evidence-collection"},"updatedAt":"2026-05-01T06:57:03.031Z"}}