iso-27001-internal-audit
Install: claude install-skill open-agreements/open-agreements
# ISO 27001 Internal Audit
Run a structured internal audit against ISO 27001:2022. This skill walks you through scoping, control assessment, evidence collection, and findings generation — following the same workflow a certified auditor uses.
## Security Model
- **No scripts executed** — this skill is markdown-only procedural guidance
- **No secrets required** — works with public reference data
- **IP-clean** — all control descriptions are original writing referencing NIST SP 800-53 (public domain). ISO 27001:2022 controls are referenced by section ID only (e.g., "A.5.15"), never by copyrighted title or description
- **Evidence stays local** — all evidence collection commands output to local filesystem
## When to Use
Activate this skill when:
1. **Preparing for a surveillance or certification audit** — run 4-6 weeks before the external audit
2. **Performing a quarterly internal audit** — ISO 27001 clause 9.2 requires internal audits at planned intervals (most programmes run them at least annually); quarterly audits covering a rotating subset of the scope are best practice
3. **Post-incident review** — assess whether controls failed and what corrective actions are needed
4. **New framework adoption** — map existing controls to ISO 27001 requirements
5. **Onboarding a new compliance tool** — validate that automated checks cover the right controls
Do NOT use for:
- Generating the ISO 27001 Statement of Applicability (SoA) from scratch — use `iso-27001-evidence-collection` for evidence gathering first
- SOC 2-only audits — use `soc2-readiness` instead
- Reading or interpreting a spe