isms-audit-expert

1. ISO 27001 ISMS Audit Program Management

Design and manage comprehensive ISMS audit programs ensuring systematic security evaluation and continuous improvement.

ISMS Audit Program Framework:

```

ISMS AUDIT PROGRAM MANAGEMENT

├── Security Audit Planning

│ ├── Risk-based audit scheduling

│ ├── Security domain scope definition

│ ├── Technical auditor competency

│ └── Security testing resource allocation

├── Audit Execution Coordination

│ ├── Technical security assessment

│ ├── Administrative control evaluation

│ ├── Physical security verification

│ └── Security documentation review

├── Security Finding Management

│ ├── Security gap identification

│ ├── Vulnerability assessment integration

│ ├── Risk-based finding prioritization

│ └── Security improvement recommendations

└── ISMS Audit Performance

├── Security audit effectiveness

├── Technical auditor development

├── Security methodology enhancement

└── Industry best practice adoption

```

2. Risk-Based Security Audit Planning

Develop strategic security audit plans based on information security risks, threat landscape, and ISMS performance.

Security Audit Risk Assessment:

1. Information Security Risk Evaluation

- Asset criticality and threat exposure analysis

- Security control effectiveness assessment

- Previous security incident and audit analysis

- Decision Point: Determine audit priority and frequency based on security risk

1. Security Audit Scope Definition

- High-Risk Assets: Quarterly technical security assessments

- Critical Security Controls: Semi-annual control effectiveness testing

- Standard Security Processes: Annual compliance verification

- Emerging Threats: Event-driven security evaluations

1. Technical Security Testing Integration

- Vulnerability assessment and penetration testing coordination

- Security control technical verification

- Threat simulation and red team exercises

- Compliance scanning and automated testing

3. ISO 27001 Audit Execution and Methodology

Conduct systematic ISMS audits using proven methodologies ensuring comprehensive security assessment.

ISMS Audit Execution Process:

1. Security Audit Preparation

- Pre-audit Security Review: Follow scripts/security-audit-prep.py

- Technical Assessment Planning: Security testing scope and methods

- Security Auditor Assignment: Technical competency and independence

- ISMS Documentation Review: Policy, procedure, and control documentation

1. Security Audit Conduct

- ISMS Process Assessment: Security management process evaluation

- Security Control Testing: Technical and administrative control verification

- Security Compliance Verification: Regulatory and standard compliance

- Security Culture Assessment: Security awareness and training effectiveness

1. Security Audit Documentation

- Security Finding Documentation: Technical and administrative findings

- Risk Assessment Integration: Security risk impact and likelihood

- Security Improvement Recommendations: Control enhancement and optimization

- Compliance Status Reporting: ISO 27001 and regulatory compliance

4. Security Control Assessment and Testing

Conduct comprehensive security control assessments ensuring effective security implementation and operation.

Security Control Assessment Framework:

```

ISO 27002 CONTROL ASSESSMENT

├── Organizational Security Controls

│ ├── Information security policies

│ ├── Information security organization

│ ├── Human resource security

│ └── Asset management

├── Technical Security Controls

│ ├── Access control systems

│ ├── Cryptography implementation

│ ├── Systems security configuration

│ ├── Network security controls

│ ├── Application security measures

│ └── Secure development practices

├── Physical Security Controls

│ ├── Physical security perimeters

│ ├── Physical entry controls

│ ├── Equipment protection

│ └── Secure disposal procedures

└── Operational Security Controls

├── Operational procedures

├── Change management

├── Capacity management

├── System segregation

├── Malware protection

└── Backup and recovery

```

Technical Security Testing Integration

Integrate technical security assessments with ISMS auditing ensuring comprehensive security verification.

Technical Security Assessment:

1. Vulnerability Assessment Integration

- Network vulnerability scanning and analysis

- Application security testing and code review

- Configuration assessment and hardening verification

- Decision Point: Determine technical testing scope based on risk and compliance

1. Penetration Testing Coordination

- For External Networks: Follow references/external-pentest-guide.md

- For Internal Systems: Follow references/internal-pentest-guide.md

- For Web Applications: Follow references/webapp-security-testing.md

- Social engineering and phishing simulation

1. Security Control Verification

- Access control effectiveness testing

- Encryption implementation verification

- Monitoring and logging system assessment

- Incident response procedure validation

Cybersecurity Compliance Auditing

Conduct specialized cybersecurity compliance audits addressing regulatory and industry requirements.

Cybersecurity Compliance Framework:

• Healthcare Cybersecurity: HIPAA Security Rule and healthcare-specific requirements
• Medical Device Cybersecurity: FDA cybersecurity guidance and IEC 62304 integration
• Financial Services: PCI DSS and financial industry security standards
• Critical Infrastructure: NIST Cybersecurity Framework and sector-specific guidelines

Cloud Security Auditing

Assess cloud security implementations ensuring comprehensive cloud service security verification.

Cloud Security Audit Approach:

1. Cloud Service Provider Assessment

- CSP security certification and compliance verification

- Shared responsibility model implementation review

- Data residency and sovereignty compliance

- Cloud access and identity management assessment

1. Cloud Configuration Assessment

- Cloud resource configuration and hardening

- Network security and segmentation verification

- Data encryption and key management assessment

- Cloud monitoring and logging evaluation

Security Auditor Technical Competency

Develop and maintain security auditor technical competency ensuring effective security assessment capabilities.

Security Auditor Competency Framework:

```

SECURITY AUDITOR COMPETENCY

├── Technical Security Knowledge

│ ├── Network security and protocols

│ ├── System security and hardening

│ ├── Application security and testing

│ ├── Cryptography and key management

│ └── Security architecture and design

├── Security Assessment Skills

│ ├── Vulnerability assessment techniques

│ ├── Penetration testing methodologies

│ ├── Security control testing

│ └── Risk assessment and analysis

├── Compliance and Standards

│ ├── ISO 27001/27002 expertise

│ ├── Regulatory requirement knowledge

│ ├── Industry standard familiarity

│ └── Audit methodology proficiency

└── Communication and Reporting

├── Technical finding documentation

├── Risk communication skills

├── Executive reporting capabilities

└── Stakeholder engagement

```

Security Audit Tool Proficiency

Maintain proficiency with security audit tools and technologies ensuring effective technical assessment.

Security Audit Tool Categories:

• Vulnerability Scanners: Network, web application, and database vulnerability assessment
• Penetration Testing Tools: Exploitation frameworks and security testing utilities
• Configuration Assessment: System and application configuration analysis
• Compliance Scanning: Automated compliance verification and reporting

ISO 27001 Certification Audit Support

Prepare organization for ISO 27001 certification audits ensuring successful certification and maintenance.

Certification Audit Preparation:

1. Pre-certification Readiness

- Internal ISMS audit completion and closure

- Security control implementation verification

- ISMS documentation review and compliance

- Mock Certification Audit: Full-scale external audit simulation

1. Certification Audit Coordination

- Stage 1 Audit Support: Documentation review and ISMS assessment

- Stage 2 Audit Coordination: Implementation testing and verification

- Surveillance Audit Preparation: Ongoing compliance and improvement

- Certification body relationship management

Regulatory Security Inspection Preparation

Prepare organization for regulatory security inspections and compliance assessments.

Regulatory Inspection Coordination:

• Healthcare Inspections: OCR HIPAA security audits and assessments
• Financial Services: Regulatory cybersecurity examinations
• Critical Infrastructure: Sector-specific security assessments
• International Compliance: Multi-jurisdictional security requirements

Security Audit Performance Metrics

Monitor ISMS audit program effectiveness ensuring continuous security improvement and compliance.

Security Audit KPIs:

• Security Control Effectiveness: Control implementation and operation success
• Security Finding Resolution: Finding closure rates and timelines
• Security Risk Mitigation: Risk reduction and residual risk management
• Compliance Achievement: ISO 27001 and regulatory compliance rates
• Security Incident Prevention: Audit-driven security improvement effectiveness

ISMS Audit Program Optimization

Continuously improve ISMS audit program through methodology enhancement and technology integration.

Audit Program Enhancement:

1. Security Audit Technology Integration

- Automated security scanning and assessment

- Continuous security monitoring integration

- Security information and event management (SIEM) correlation

- Decision Point: Determine automation opportunities and tool integration

1. Security Audit Methodology Evolution

- Threat intelligence integration and analysis

- Security framework alignment and optimization

- Industry best practice adoption and customization

- Regulatory requirement evolution and adaptation

scripts/

• isms-audit-scheduler.py: Risk-based ISMS audit planning and scheduling
• security-audit-prep.py: Security audit preparation and checklist automation
• security-control-tester.py: Automated security control verification testing
• compliance-reporting.py: ISO 27001 and regulatory compliance reporting

references/

• iso27001-audit-methodology.md: Complete ISO 27001 audit framework and procedures
• security-control-testing-guide.md: Technical security control assessment methodologies
• external-pentest-guide.md: External penetration testing coordination and oversight
• cloud-security-audit-guide.md: Cloud service security assessment frameworks
• regulatory-security-compliance.md: Multi-jurisdictional security compliance requirements

assets/

• isms-audit-templates/: ISMS audit plan, checklist, and report templates
• security-testing-tools/: Security assessment and testing automation scripts
• compliance-checklists/: ISO 27001 and regulatory compliance verification checklists
• training-materials/: Security auditor training and competency development programs