diff --git a/.codex/skills-index.json b/.codex/skills-index.json
index f5510b0..1ef46a1 100644
--- a/.codex/skills-index.json
+++ b/.codex/skills-index.json
@@ -213,7 +213,7 @@
 "name": "isms-audit-expert",
 "source": "../../ra-qm-team/isms-audit-expert",
 "category": "ra-qm",
- "description": "Senior ISMS Audit Expert for internal and external information security management system auditing. Provides ISO 27001 audit expertise, security audit program management, security control assessment, and compliance verification. Use for ISMS internal auditing, external audit preparation, security control testing, and ISO 27001 certification support."
+ "description": "Information Security Management System auditing for ISO 27001 compliance, security control assessment, and certification support"
 },
 {
 "name": "mdr-745-specialist",
diff --git a/ra-qm-team/isms-audit-expert/SKILL.md b/ra-qm-team/isms-audit-expert/SKILL.md
index 7e6af6a..8747e47 100644
--- a/ra-qm-team/isms-audit-expert/SKILL.md
+++ b/ra-qm-team/isms-audit-expert/SKILL.md
@@ -1,279 +1,288 @@ --- name: isms-audit-expert -description: Senior ISMS Audit Expert for internal and external information security management system auditing. Provides ISO 27001 audit expertise, security audit program management, security control assessment, and compliance verification. Use for ISMS internal auditing, external audit preparation, security control testing, and ISO 27001 certification support. +description: Information Security Management System auditing for ISO 27001 compliance, security control assessment, and certification support +triggers: + - ISMS audit + - ISO 27001 audit + - security audit + - internal audit ISO 27001 + - security control assessment + - certification audit + - surveillance audit + - audit finding + - nonconformity --- -# Senior ISMS Audit Expert +# ISMS Audit Expert -Expert-level Information Security Management System (ISMS) auditing with comprehensive knowledge of ISO 27001, security audit methodologies, security control assessment, and cybersecurity compliance verification. +Internal and external ISMS audit management for ISO 27001 compliance verification, security control assessment, and certification support. -## Core ISMS Auditing Competencies +## Table of Contents -### 1. ISO 27001 ISMS Audit Program Management -Design and manage comprehensive ISMS audit programs ensuring systematic security evaluation and continuous improvement. 
+- [Audit Program Management](#audit-program-management) +- [Audit Execution](#audit-execution) +- [Control Assessment](#control-assessment) +- [Finding Management](#finding-management) +- [Certification Support](#certification-support) +- [Tools](#tools) +- [References](#references) + +--- + +## Audit Program Management + +### Risk-Based Audit Schedule + +| Risk Level | Audit Frequency | Examples | +|------------|-----------------|----------| +| Critical | Quarterly | Privileged access, vulnerability management, logging | +| High | Semi-annual | Access control, incident response, encryption | +| Medium | Annual | Policies, awareness training, physical security | +| Low | Annual | Documentation, asset inventory | + +### Annual Audit Planning Workflow + +1. Review previous audit findings and risk assessment results +2. Identify high-risk controls and recent security incidents +3. Determine audit scope based on ISMS boundaries +4. Assign auditors ensuring independence from audited areas +5. Create audit schedule with resource allocation +6. Obtain management approval for audit plan +7. **Validation:** Audit plan covers all Annex A controls within certification cycle + +### Auditor Competency Requirements + +- ISO 27001 Lead Auditor certification (preferred) +- No operational responsibility for audited processes +- Understanding of technical security controls +- Knowledge of applicable regulations (GDPR, HIPAA) + +--- + +## Audit Execution + +### Pre-Audit Preparation + +1. Review ISMS documentation (policies, SoA, risk assessment) +2. Analyze previous audit reports and open findings +3. Prepare audit plan with interview schedule +4. Notify auditees of audit scope and timing +5. Prepare checklists for controls in scope +6. **Validation:** All documentation received and reviewed before opening meeting + +### Audit Conduct Steps + +1. 
**Opening Meeting** + - Confirm audit scope and objectives + - Introduce audit team and methodology + - Agree on communication channels and logistics + +2. **Evidence Collection** + - Interview control owners and operators + - Review documentation and records + - Observe processes in operation + - Inspect technical configurations + +3. **Control Verification** + - Test control design (does it address the risk?) + - Test control operation (is it working as intended?) + - Sample transactions and records + - Document all evidence collected + +4. **Closing Meeting** + - Present preliminary findings + - Clarify any factual inaccuracies + - Agree on finding classification + - Confirm corrective action timelines + +5. **Validation:** All controls in scope assessed with documented evidence + +### Evidence Collection Methods + +| Method | Use Case | Example | +|--------|----------|---------| +| Inquiry | Process understanding | Interview Security Manager about incident response | +| Observation | Operational verification | Watch visitor sign-in process | +| Inspection | Documentation review | Check access approval records | +| Re-performance | Control testing | Attempt login with weak password | + +--- + +## Control Assessment + +### ISO 27002 Control Categories + +**Organizational Controls (A.5):** +- Information security policies +- Roles and responsibilities +- Segregation of duties +- Contact with authorities +- Threat intelligence +- Information security in projects + +**People Controls (A.6):** +- Screening and background checks +- Employment terms and conditions +- Security awareness and training +- Disciplinary process +- Remote working security + +**Physical Controls (A.7):** +- Physical security perimeters +- Physical entry controls +- Securing offices and facilities +- Physical security monitoring +- Equipment protection + +**Technological Controls (A.8):** +- User endpoint devices +- Privileged access rights +- Access restriction +- Secure authentication +- 
Malware protection +- Vulnerability management +- Backup and recovery +- Logging and monitoring +- Network security +- Cryptography + +### Control Testing Approach + +1. Identify control objective from ISO 27002 +2. Determine testing method (inquiry, observation, inspection, re-performance) +3. Define sample size based on population and risk +4. Execute test and document results +5. Evaluate control effectiveness +6. **Validation:** Evidence supports conclusion about control status + +--- + +## Finding Management + +### Finding Classification + +| Severity | Definition | Response Time | +|----------|------------|---------------| +| Major Nonconformity | Control failure creating significant risk | 30 days | +| Minor Nonconformity | Isolated deviation with limited impact | 90 days | +| Observation | Improvement opportunity | Next audit cycle | + +### Finding Documentation Template -**ISMS Audit Program Framework:** ``` -ISMS AUDIT PROGRAM MANAGEMENT -├── Security Audit Planning -│ ├── Risk-based audit scheduling -│ ├── Security domain scope definition -│ ├── Technical auditor competency -│ └── Security testing resource allocation -├── Audit Execution Coordination -│ ├── Technical security assessment -│ ├── Administrative control evaluation -│ ├── Physical security verification -│ └── Security documentation review -├── Security Finding Management -│ ├── Security gap identification -│ ├── Vulnerability assessment integration -│ ├── Risk-based finding prioritization -│ └── Security improvement recommendations -└── ISMS Audit Performance - ├── Security audit effectiveness - ├── Technical auditor development - ├── Security methodology enhancement - └── Industry best practice adoption +Finding ID: ISMS-[YEAR]-[NUMBER] +Control Reference: A.X.X - [Control Name] +Severity: [Major/Minor/Observation] + +Evidence: +- [Specific evidence observed] +- [Records reviewed] +- [Interview statements] + +Risk Impact: +- [Potential consequences if not addressed] + +Root Cause: +- [Why 
the nonconformity occurred] + +Recommendation: +- [Specific corrective action steps] ``` -### 2. Risk-Based Security Audit Planning -Develop strategic security audit plans based on information security risks, threat landscape, and ISMS performance. +### Corrective Action Workflow -**Security Audit Risk Assessment:** -1. **Information Security Risk Evaluation** - - Asset criticality and threat exposure analysis - - Security control effectiveness assessment - - Previous security incident and audit analysis - - **Decision Point**: Determine audit priority and frequency based on security risk +1. Auditee acknowledges finding and severity +2. Root cause analysis completed within 10 days +3. Corrective action plan submitted with target dates +4. Actions implemented by responsible parties +5. Auditor verifies effectiveness of corrections +6. Finding closed with evidence of resolution +7. **Validation:** Root cause addressed, recurrence prevented -2. **Security Audit Scope Definition** - - **High-Risk Assets**: Quarterly technical security assessments - - **Critical Security Controls**: Semi-annual control effectiveness testing - - **Standard Security Processes**: Annual compliance verification - - **Emerging Threats**: Event-driven security evaluations +--- -3. **Technical Security Testing Integration** - - Vulnerability assessment and penetration testing coordination - - Security control technical verification - - Threat simulation and red team exercises - - Compliance scanning and automated testing +## Certification Support -### 3. ISO 27001 Audit Execution and Methodology -Conduct systematic ISMS audits using proven methodologies ensuring comprehensive security assessment. +### Stage 1 Audit Preparation -**ISMS Audit Execution Process:** -1. 
**Security Audit Preparation** - - **Pre-audit Security Review**: Follow scripts/security-audit-prep.py - - **Technical Assessment Planning**: Security testing scope and methods - - **Security Auditor Assignment**: Technical competency and independence - - **ISMS Documentation Review**: Policy, procedure, and control documentation +Ensure documentation is complete: +- [ ] ISMS scope statement +- [ ] Information security policy (management signed) +- [ ] Statement of Applicability +- [ ] Risk assessment methodology and results +- [ ] Risk treatment plan +- [ ] Internal audit results (past 12 months) +- [ ] Management review minutes -2. **Security Audit Conduct** - - **ISMS Process Assessment**: Security management process evaluation - - **Security Control Testing**: Technical and administrative control verification - - **Security Compliance Verification**: Regulatory and standard compliance - - **Security Culture Assessment**: Security awareness and training effectiveness +### Stage 2 Audit Preparation -3. **Security Audit Documentation** - - **Security Finding Documentation**: Technical and administrative findings - - **Risk Assessment Integration**: Security risk impact and likelihood - - **Security Improvement Recommendations**: Control enhancement and optimization - - **Compliance Status Reporting**: ISO 27001 and regulatory compliance +Verify operational readiness: +- [ ] All Stage 1 findings addressed +- [ ] ISMS operational for minimum 3 months +- [ ] Evidence of control implementation +- [ ] Security awareness training records +- [ ] Incident response evidence (if applicable) +- [ ] Access review documentation -### 4. Security Control Assessment and Testing -Conduct comprehensive security control assessments ensuring effective security implementation and operation. 
+### Surveillance Audit Cycle -**Security Control Assessment Framework:** -``` -ISO 27002 CONTROL ASSESSMENT -├── Organizational Security Controls -│ ├── Information security policies -│ ├── Information security organization -│ ├── Human resource security -│ └── Asset management -├── Technical Security Controls -│ ├── Access control systems -│ ├── Cryptography implementation -│ ├── Systems security configuration -│ ├── Network security controls -│ ├── Application security measures -│ └── Secure development practices -├── Physical Security Controls -│ ├── Physical security perimeters -│ ├── Physical entry controls -│ ├── Equipment protection -│ └── Secure disposal procedures -└── Operational Security Controls - ├── Operational procedures - ├── Change management - ├── Capacity management - ├── System segregation - ├── Malware protection - └── Backup and recovery -``` +| Period | Focus | +|--------|-------| +| Year 1, Q2 | High-risk controls, Stage 2 findings follow-up | +| Year 1, Q4 | Continual improvement, control sample | +| Year 2, Q2 | Full surveillance | +| Year 2, Q4 | Re-certification preparation | -## Advanced ISMS Audit Applications +**Validation:** No major nonconformities at surveillance audits. -### Technical Security Testing Integration -Integrate technical security assessments with ISMS auditing ensuring comprehensive security verification. +--- -**Technical Security Assessment:** -1. **Vulnerability Assessment Integration** - - Network vulnerability scanning and analysis - - Application security testing and code review - - Configuration assessment and hardening verification - - **Decision Point**: Determine technical testing scope based on risk and compliance - -2. 
**Penetration Testing Coordination** - - **For External Networks**: Follow references/external-pentest-guide.md - - **For Internal Systems**: Follow references/internal-pentest-guide.md - - **For Web Applications**: Follow references/webapp-security-testing.md - - Social engineering and phishing simulation - -3. **Security Control Verification** - - Access control effectiveness testing - - Encryption implementation verification - - Monitoring and logging system assessment - - Incident response procedure validation - -### Cybersecurity Compliance Auditing -Conduct specialized cybersecurity compliance audits addressing regulatory and industry requirements. - -**Cybersecurity Compliance Framework:** -- **Healthcare Cybersecurity**: HIPAA Security Rule and healthcare-specific requirements -- **Medical Device Cybersecurity**: FDA cybersecurity guidance and IEC 62304 integration -- **Financial Services**: PCI DSS and financial industry security standards -- **Critical Infrastructure**: NIST Cybersecurity Framework and sector-specific guidelines - -### Cloud Security Auditing -Assess cloud security implementations ensuring comprehensive cloud service security verification. - -**Cloud Security Audit Approach:** -1. **Cloud Service Provider Assessment** - - CSP security certification and compliance verification - - Shared responsibility model implementation review - - Data residency and sovereignty compliance - - Cloud access and identity management assessment - -2. **Cloud Configuration Assessment** - - Cloud resource configuration and hardening - - Network security and segmentation verification - - Data encryption and key management assessment - - Cloud monitoring and logging evaluation - -## Security Auditor Competency and Development - -### Security Auditor Technical Competency -Develop and maintain security auditor technical competency ensuring effective security assessment capabilities. 
- -**Security Auditor Competency Framework:** -``` -SECURITY AUDITOR COMPETENCY -├── Technical Security Knowledge -│ ├── Network security and protocols -│ ├── System security and hardening -│ ├── Application security and testing -│ ├── Cryptography and key management -│ └── Security architecture and design -├── Security Assessment Skills -│ ├── Vulnerability assessment techniques -│ ├── Penetration testing methodologies -│ ├── Security control testing -│ └── Risk assessment and analysis -├── Compliance and Standards -│ ├── ISO 27001/27002 expertise -│ ├── Regulatory requirement knowledge -│ ├── Industry standard familiarity -│ └── Audit methodology proficiency -└── Communication and Reporting - ├── Technical finding documentation - ├── Risk communication skills - ├── Executive reporting capabilities - └── Stakeholder engagement -``` - -### Security Audit Tool Proficiency -Maintain proficiency with security audit tools and technologies ensuring effective technical assessment. - -**Security Audit Tool Categories:** -- **Vulnerability Scanners**: Network, web application, and database vulnerability assessment -- **Penetration Testing Tools**: Exploitation frameworks and security testing utilities -- **Configuration Assessment**: System and application configuration analysis -- **Compliance Scanning**: Automated compliance verification and reporting - -## External Security Audit Coordination - -### ISO 27001 Certification Audit Support -Prepare organization for ISO 27001 certification audits ensuring successful certification and maintenance. - -**Certification Audit Preparation:** -1. **Pre-certification Readiness** - - Internal ISMS audit completion and closure - - Security control implementation verification - - ISMS documentation review and compliance - - **Mock Certification Audit**: Full-scale external audit simulation - -2. 
**Certification Audit Coordination** - - **Stage 1 Audit Support**: Documentation review and ISMS assessment - - **Stage 2 Audit Coordination**: Implementation testing and verification - - **Surveillance Audit Preparation**: Ongoing compliance and improvement - - Certification body relationship management - -### Regulatory Security Inspection Preparation -Prepare organization for regulatory security inspections and compliance assessments. - -**Regulatory Inspection Coordination:** -- **Healthcare Inspections**: OCR HIPAA security audits and assessments -- **Financial Services**: Regulatory cybersecurity examinations -- **Critical Infrastructure**: Sector-specific security assessments -- **International Compliance**: Multi-jurisdictional security requirements - -## ISMS Audit Performance and Improvement - -### Security Audit Performance Metrics -Monitor ISMS audit program effectiveness ensuring continuous security improvement and compliance. - -**Security Audit KPIs:** -- **Security Control Effectiveness**: Control implementation and operation success -- **Security Finding Resolution**: Finding closure rates and timelines -- **Security Risk Mitigation**: Risk reduction and residual risk management -- **Compliance Achievement**: ISO 27001 and regulatory compliance rates -- **Security Incident Prevention**: Audit-driven security improvement effectiveness - -### ISMS Audit Program Optimization -Continuously improve ISMS audit program through methodology enhancement and technology integration. - -**Audit Program Enhancement:** -1. **Security Audit Technology Integration** - - Automated security scanning and assessment - - Continuous security monitoring integration - - Security information and event management (SIEM) correlation - - **Decision Point**: Determine automation opportunities and tool integration - -2. 
**Security Audit Methodology Evolution** - - Threat intelligence integration and analysis - - Security framework alignment and optimization - - Industry best practice adoption and customization - - Regulatory requirement evolution and adaptation - -## Resources +## Tools ### scripts/ -- `isms-audit-scheduler.py`: Risk-based ISMS audit planning and scheduling -- `security-audit-prep.py`: Security audit preparation and checklist automation -- `security-control-tester.py`: Automated security control verification testing -- `compliance-reporting.py`: ISO 27001 and regulatory compliance reporting -### references/ -- `iso27001-audit-methodology.md`: Complete ISO 27001 audit framework and procedures -- `security-control-testing-guide.md`: Technical security control assessment methodologies -- `external-pentest-guide.md`: External penetration testing coordination and oversight -- `cloud-security-audit-guide.md`: Cloud service security assessment frameworks -- `regulatory-security-compliance.md`: Multi-jurisdictional security compliance requirements +| Script | Purpose | Usage | +|--------|---------|-------| +| `isms_audit_scheduler.py` | Generate risk-based audit plans | `python scripts/isms_audit_scheduler.py --year 2025 --format markdown` | -### assets/ -- `isms-audit-templates/`: ISMS audit plan, checklist, and report templates -- `security-testing-tools/`: Security assessment and testing automation scripts -- `compliance-checklists/`: ISO 27001 and regulatory compliance verification checklists -- `training-materials/`: Security auditor training and competency development programs +### Audit Planning Example + +```bash +# Generate annual audit plan +python scripts/isms_audit_scheduler.py --year 2025 --output audit_plan.json + +# With custom control risk ratings +python scripts/isms_audit_scheduler.py --controls controls.csv --format markdown +``` + +--- + +## References + +| File | Content | +|------|---------| +| 
[iso27001-audit-methodology.md](references/iso27001-audit-methodology.md) | Audit program structure, pre-audit phase, certification support | +| [security-control-testing.md](references/security-control-testing.md) | Technical verification procedures for ISO 27002 controls | +| [cloud-security-audit.md](references/cloud-security-audit.md) | Cloud provider assessment, configuration security, IAM review | + +--- + +## Audit Performance Metrics + +| KPI | Target | Measurement | +|-----|--------|-------------| +| Audit plan completion | 100% | Audits completed vs. planned | +| Finding closure rate | >90% within SLA | Closed on time vs. total | +| Major nonconformities | 0 at certification | Count per certification cycle | +| Audit effectiveness | Incidents prevented | Security improvements implemented | + +--- + +## Compliance Framework Integration + +| Framework | ISMS Audit Relevance | +|-----------|---------------------| +| GDPR | A.5.34 Privacy, A.8.10 Information deletion | +| HIPAA | Access controls, audit logging, encryption | +| PCI DSS | Network security, access control, monitoring | +| SOC 2 | Trust Services Criteria mapped to ISO 27002 | diff --git a/ra-qm-team/isms-audit-expert/assets/example_asset.txt b/ra-qm-team/isms-audit-expert/assets/example_asset.txt deleted file mode 100644 index d0ac204..0000000 --- a/ra-qm-team/isms-audit-expert/assets/example_asset.txt +++ /dev/null 
@@ -1,24 +0,0 @@
-# Example Asset File
-
-This placeholder represents where asset files would be stored.
-Replace with actual asset files (templates, images, fonts, etc.) or delete if not needed.
-
-Asset files are NOT intended to be loaded into context, but rather used within
-the output Claude produces.
-
-Example asset files from other skills:
-- Brand guidelines: logo.png, slides_template.pptx
-- Frontend builder: hello-world/ directory with HTML/React boilerplate
-- Typography: custom-font.ttf, font-family.woff2
-- Data: sample_data.csv, test_dataset.json
-
-## Common Asset Types
-
-- Templates: .pptx, .docx, boilerplate directories
-- Images: .png, .jpg, .svg, .gif
-- Fonts: .ttf, .otf, .woff, .woff2
-- Boilerplate code: Project directories, starter files
-- Icons: .ico, .svg
-- Data files: .csv, .json, .xml, .yaml
-
-Note: This is a text placeholder. Actual assets can be any file type.
diff --git a/ra-qm-team/isms-audit-expert/references/api_reference.md b/ra-qm-team/isms-audit-expert/references/api_reference.md
deleted file mode 100644
index 326e6f3..0000000
--- a/ra-qm-team/isms-audit-expert/references/api_reference.md
+++ /dev/null
@@ -1,34 +0,0 @@
-# Reference Documentation for Isms Audit Expert
-
-This is a placeholder for detailed reference documentation.
-Replace with actual reference content or delete if not needed.
-
-Example real reference docs from other skills:
-- product-management/references/communication.md - Comprehensive guide for status updates
-- product-management/references/context_building.md - Deep-dive on gathering context
-- bigquery/references/ - API references and query examples
-
-## When Reference Docs Are Useful
-
-Reference docs are ideal for:
-- Comprehensive API documentation
-- Detailed workflow guides
-- Complex multi-step processes
-- Information too lengthy for main SKILL.md
-- Content that's only needed for specific use cases
-
-## Structure Suggestions
-
-### API Reference Example
-- Overview
-- Authentication
-- Endpoints with examples
-- Error codes
-- Rate limits
-
-### Workflow Guide Example
-- Prerequisites
-- Step-by-step instructions
-- Common patterns
-- Troubleshooting
-- Best practices
diff --git a/ra-qm-team/isms-audit-expert/references/cloud-security-audit.md b/ra-qm-team/isms-audit-expert/references/cloud-security-audit.md
new file mode 100644
index 0000000..5fde981
--- /dev/null
+++ b/ra-qm-team/isms-audit-expert/references/cloud-security-audit.md
@@ -0,0 +1,226 @@
+# Cloud Security Audit Guide
+
+Assessment framework for cloud service security verification.
+
+---
+
+## Table of Contents
+
+- [Shared Responsibility Model](#shared-responsibility-model)
+- [Cloud Provider Assessment](#cloud-provider-assessment)
+- [Configuration Security](#configuration-security)
+- [Data Protection](#data-protection)
+- [Identity and Access Management](#identity-and-access-management)
+
+---
+
+## Shared Responsibility Model
+
+### Responsibility Matrix
+
+| Layer | IaaS | PaaS | SaaS |
+|-------|------|------|------|
+| Data classification | Customer | Customer | Customer |
+| Identity management | Customer | Customer | Shared |
+| Application security | Customer | Shared | Provider |
+| Network controls | Shared | Provider | Provider |
+| Host infrastructure | Provider | Provider | Provider |
+| Physical security | Provider | Provider | Provider |
+
+### Audit Focus by Model
+
+**IaaS (AWS EC2, Azure VMs):**
+- Virtual network configuration
+- OS hardening and patching
+- Application deployment security
+- Data encryption implementation
+
+**PaaS (Azure App Service, AWS Lambda):**
+- Application code security
+- Data handling and encryption
+- Identity integration
+- Logging configuration
+
+**SaaS (Microsoft 365, Salesforce):**
+- User access management
+- Data classification and handling
+- Security configuration settings
+- Integration security
+
+---
+
+## Cloud Provider Assessment
+
+### Certification Verification
+
+Check for current certifications:
+- [ ] ISO 27001 (Information Security)
+- [ ] ISO 27017 (Cloud Security)
+- [ ] ISO 27018 (Cloud Privacy)
+- [ ] SOC 2 Type II
+- [ ] CSA STAR certification
+
+**Verification Steps:**
+1. Request current certificates from provider
+2. Verify certificate scope includes services used
+3. Check certification expiration dates
+4. Review SOC 2 report for relevant controls
+5. Document any scope exclusions
+
+### Data Residency Compliance
+
+| Requirement | Verification |
+|-------------|--------------|
+| GDPR (EU data) | Confirm EU region availability |
+| Data sovereignty | Verify no cross-border transfer |
+| Backup location | Confirm backup region |
+| Disaster recovery | Document DR site location |
+
+### Provider Security Documentation
+
+Request and review:
+- Shared responsibility documentation
+- Security whitepapers
+- Incident notification procedures
+- SLA for security incidents
+- Vulnerability disclosure policy
+
+---
+
+## Configuration Security
+
+### AWS Security Assessment
+
+**Identity and Access (IAM):**
+- [ ] Root account has MFA enabled
+- [ ] No access keys for root account
+- [ ] IAM policies follow least privilege
+- [ ] No wildcard (*) permissions on sensitive resources
+- [ ] Password policy meets requirements
+
+**Network Configuration (VPC):**
+- [ ] Default VPCs removed or secured
+- [ ] Security groups follow least privilege
+- [ ] No 0.0.0.0/0 ingress on management ports
+- [ ] VPC flow logs enabled
+- [ ] Network ACLs configured appropriately
+
+**Storage (S3):**
+- [ ] No public buckets (unless intended)
+- [ ] Bucket policies restrict access
+- [ ] Encryption at rest enabled
+- [ ] Versioning enabled for critical data
+- [ ] Access logging enabled
+
+**Logging (CloudTrail):**
+- [ ] CloudTrail enabled in all regions
+- [ ] Log file validation enabled
+- [ ] Logs encrypted with KMS
+- [ ] S3 bucket for logs is secured
+- [ ] CloudWatch alarms configured
+
+### Azure Security Assessment
+
+**Identity (Azure AD):**
+- [ ] MFA enabled for all users
+- [ ] Privileged Identity Management (PIM) configured
+- [ ] Conditional Access policies defined
+- [ ] Guest access restricted
+- [ ] Password protection enabled
+
+**Network (Virtual Networks):**
+- [ ] NSG rules follow least privilege
+- [ ] No open management ports to internet
+- [ ] Network Watcher enabled
+- [ ] DDoS protection configured
+- [ ] Private endpoints for PaaS services
+
+**Storage:**
+- [ ] No anonymous access to blob storage
+- [ ] Encryption at rest enabled
+- [ ] Shared access signatures time-limited
+- [ ] Storage analytics logging enabled
+- [ ] Soft delete enabled
+
+**Monitoring:**
+- [ ] Azure Monitor enabled
+- [ ] Activity log exported to SIEM
+- [ ] Alerts configured for security events
+- [ ] Azure Security Center enabled
+- [ ] Diagnostic settings configured
+
+---
+
+## Data Protection
+
+### Encryption Verification
+
+**At Rest:**
+| Service | Encryption Check |
+|---------|------------------|
+| Block storage | Verify CMK or provider-managed key |
+| Object storage | Check default encryption settings |
+| Databases | Confirm TDE or column encryption |
+| Backups | Verify backup encryption |
+
+**In Transit:**
+| Connection | Requirement |
+|------------|-------------|
+| User to application | TLS 1.2+ required |
+| Service to service | Internal TLS or VPN |
+| API communications | HTTPS only, no HTTP |
+| Database connections | TLS required |
+
+### Key Management Assessment
+
+- [ ] Customer-managed keys used for sensitive data
+- [ ] Key rotation policy defined and implemented
+- [ ] Key access restricted to authorized services
+- [ ] Key usage logged and monitored
+- [ ] Disaster recovery for keys documented
+
+### Data Classification in Cloud
+
+| Classification | Cloud Requirements |
+|----------------|-------------------|
+| Confidential | CMK encryption, access logging, no public access |
+| Internal | Encryption enabled, network restrictions |
+| Public | Integrity protection, CDN appropriate |
+
+---
+
+## Identity and Access Management
+
+### Privileged Access Review
+
+1. Identify all administrative roles
+2. Verify role assignment justification
+3. Check for standing vs. just-in-time access
+4. Review privileged activity logs
+5. Confirm MFA required for elevation
+
+### Service Account Assessment
+
+| Check | Verification |
+|-------|--------------|
+| Inventory | All service accounts documented |
+| Permissions | Least privilege applied |
+| Credentials | Keys rotated per policy |
+| Monitoring | Activity logged and reviewed |
+| Ownership | Clear owner assigned |
+
+### Federation and SSO
+
+- [ ] SSO configured for cloud console access
+- [ ] Conditional Access/MFA policies applied
+- [ ] Session timeout configured
+- [ ] Failed login monitoring enabled
+- [ ] Emergency access accounts documented
+
+### API Security
+
+- [ ] API keys not embedded in code
+- [ ] Secrets management service used
+- [ ] API access logged
+- [ ] Rate limiting configured
+- [ ] API permissions follow least privilege
diff --git a/ra-qm-team/isms-audit-expert/references/iso27001-audit-methodology.md b/ra-qm-team/isms-audit-expert/references/iso27001-audit-methodology.md
new file mode 100644
index 0000000..7096f63
--- /dev/null
+++ b/ra-qm-team/isms-audit-expert/references/iso27001-audit-methodology.md
@@ -0,0 +1,260 @@
+# ISO 27001 ISMS Audit Methodology
+
+Complete audit framework and procedures for Information Security Management System assessments.
+
+---
+
+## Table of Contents
+
+- [Audit Program Structure](#audit-program-structure)
+- [Pre-Audit Phase](#pre-audit-phase)
+- [Audit Execution](#audit-execution)
+- [Finding Classification](#finding-classification)
+- [Certification Audit Support](#certification-audit-support)
+
+---
+
+## Audit Program Structure
+
+### Annual Audit Schedule
+
+| Quarter | Focus Area | Audit Type |
+|---------|------------|------------|
+| Q1 | Access Control, Cryptography | Internal |
+| Q2 | Operations Security, Communications | Internal |
+| Q3 | System Acquisition, Supplier Relations | Internal |
+| Q4 | Full ISMS Review | Pre-certification |
+
+### Risk-Based Scheduling
+
+Prioritize audit frequency based on:
+- Asset criticality and data classification
+- Previous finding history
+- Regulatory requirements
+- Recent security incidents
+- Organizational changes
+
+**High Risk Areas (Quarterly):**
+- Access management systems
+- Cryptographic key management
+- Incident response processes
+- Third-party access controls
+
+**Medium Risk Areas (Semi-Annual):**
+- Change management
+- Backup and recovery
+- Physical security
+- Security awareness training
+
+**Lower Risk Areas (Annual):**
+- Documentation management
+- Asset inventory
+- Business continuity planning
+
+---
+
+## Pre-Audit Phase
+
+### Documentation Review Checklist
+
+- [ ] ISMS scope statement and boundaries
+- [ ] Information security policy (signed, current)
+- [ ] Statement of Applicability (SoA)
+- [ ] Risk assessment methodology and results
+- [ ] Risk treatment plan
+- [ ] Security objectives and metrics
+- [ ] Previous audit reports and corrective actions
+
+### Audit Plan Template
+
+```
+ISMS Audit Plan
+
+Audit ID: ISMS-[YEAR]-[NUMBER]
+Scope: [ISMS scope or specific controls]
+Date: [Start] to [End]
+Lead Auditor: [Name]
+Audit Team: [Names]
+
+Day 1:
+ 09:00 - Opening meeting
+ 10:00 - Document review (policies, SoA)
+ 14:00 - Interview: Information Security Manager
+
+Day 2:
+ 09:00 - Technical control verification
+ 14:00 - Process observation
+
+Day 3:
+ 09:00 - Remaining interviews
+ 14:00 - Finding consolidation
+ 16:00 - Closing meeting
+```
+
+### Auditor Independence
+
+Verify before audit assignment:
+- No operational responsibility for audited area
+- No recent (12 months) involvement in audited processes
+- No conflict of interest with auditees
+- Required competencies documented
+
+---
+
+## Audit Execution
+
+### Evidence Collection Methods
+
+| Method | Use Case | Evidence Type |
+|--------|----------|---------------|
+| Document review | Policy verification | Screenshots, copies |
+| Interviews | Process understanding | Notes, recordings |
+| Observation | Operational checks | Photos, timestamps |
+| Technical testing | Control effectiveness | System logs, reports |
+
+### Interview Protocol
+
+1. Introduce audit purpose and confidentiality
+2. Explain interview will be documented
+3. Ask open-ended questions about processes
+4. Request evidence to support statements
+5. Clarify any inconsistencies
+6. Summarize key points before closing
+
+### Sample Interview Questions
+
+**For Security Managers:**
+- Describe the risk assessment process
+- How are security incidents reported and managed?
+- What metrics track ISMS effectiveness?
+
+**For System Administrators:**
+- How is privileged access managed?
+- Walk through the change management process
+- Show backup verification records
+
+**For End Users:**
+- What security training have you received?
+- How do you report suspicious activity?
+- Describe the password policy requirements
+
+### Control Testing Procedures
+
+**Access Control (A.9):**
+1. Request user access list for critical system
+2. Verify access rights match job roles
+3. Check for terminated user accounts
+4. Test password policy enforcement
+5. Verify MFA configuration
+
+**Logging (A.12.4):**
+1. Confirm logging enabled on systems in scope
+2. Verify log retention meets policy
+3. Check log protection from tampering
+4. Review sample security event alerts
+
+---
+
+## Finding Classification
+
+### Severity Levels
+
+| Level | Definition | Response Time |
+|-------|------------|---------------|
+| Major Nonconformity | Failure of control, significant risk | 30 days corrective action |
+| Minor Nonconformity | Isolated deviation, limited impact | 90 days corrective action |
+| Observation | Improvement opportunity | Next audit cycle |
+| Good Practice | Exceeds requirements | Document and share |
+
+### Finding Documentation
+
+```
+Finding ID: ISMS-2025-001
+Control Reference: A.9.2.3 - Management of privileged access
+Severity: Major Nonconformity
+
+Evidence:
+- 15 shared admin accounts identified
+- No approval records for privileged access
+- Last access review: 18 months ago
+
+Risk Impact:
+- Unauthorized access to critical systems
+- No accountability for admin actions
+- Regulatory non-compliance
+
+Root Cause:
+- No defined process for privileged access management
+- Insufficient tooling for access tracking
+
+Recommendation:
+- Implement PAM solution within 30 days
+- Document and enforce privileged access process
+- Conduct immediate access review
+```
+
+### Corrective Action Tracking
+
+| Field | Content |
+|-------|---------|
+| Finding ID | Link to original finding |
+| Root Cause | Why the nonconformity occurred |
+| Corrective Action | Specific steps to address |
+| Responsible Person | Named accountable party |
+| Target Date | Completion deadline |
+| Verification Method | How closure will be confirmed |
+| Status | Open / In Progress / Closed |
+
+---
+
+## Certification Audit Support
+
+### Stage 1 Audit Preparation
+
+Ensure availability of:
+- [ ] ISMS documentation (scope, policy, SoA)
+- [ ] Risk assessment records
+- [ ] Internal audit results from past 12 months
+- [ ] Management review minutes
+- [ ] Corrective action evidence
+
+### Stage 2 Audit Preparation
+
+- [ ] All Stage 1 findings addressed
+- [ ] ISMS operational for minimum 3 months
+- [ ] Evidence of control effectiveness
+- [ ] Training and awareness records
+- [ ] Incident response records (if any)
+
+### Surveillance Audit Cycle
+
+| Year | Quarter | Focus |
+|------|---------|-------|
+| Year 1 | Q2 | High-risk controls, Stage 2 findings |
+| Year 1 | Q4 | Remaining controls sample |
+| Year 2 | Q2 | Full surveillance |
+| Year 2 | Q4 | Continual improvement evidence |
+| Year 3 | Q2 | Re-certification preparation |
+
+### Audit Findings Response Template
+
+```
+Subject: Response to Finding ISMS-2025-001
+
+Finding: Major Nonconformity - Privileged Access Management
+
+Root Cause Analysis:
+[5 Whys or fishbone analysis results]
+
+Corrective Action Plan:
+1. [Action] - [Owner] - [Date]
+2. [Action] - [Owner] - [Date]
+
+Evidence of Correction:
+- [Document/screenshot reference]
+
+Preventive Measures:
+- [Steps to prevent recurrence]
+
+Verification Request: [Date auditor can verify]
+```
diff --git a/ra-qm-team/isms-audit-expert/references/security-control-testing.md b/ra-qm-team/isms-audit-expert/references/security-control-testing.md
new file mode 100644
index 0000000..3af2d3f
--- /dev/null
+++ b/ra-qm-team/isms-audit-expert/references/security-control-testing.md
@@ -0,0 +1,276 @@
+# Security Control Testing Guide
+
+Technical verification procedures for ISO 27002 control assessment.
+
+---
+
+## Table of Contents
+
+- [Control Testing Approach](#control-testing-approach)
+- [Organizational Controls (A.5)](#organizational-controls-a5)
+- [People Controls (A.6)](#people-controls-a6)
+- [Physical Controls (A.7)](#physical-controls-a7)
+- [Technological Controls (A.8)](#technological-controls-a8)
+
+---
+
+## Control Testing Approach
+
+### Testing Methods
+
+| Method | Description | When to Use |
+|--------|-------------|-------------|
+| Inquiry | Interview control owners | All controls |
+| Observation | Watch process execution | Operational controls |
+| Inspection | Review documentation/config | Policy controls |
+| Re-performance | Execute control procedure | Critical controls |
+
+### Sampling Guidelines
+
+| Population Size | Sample Size |
+|-----------------|-------------|
+| 1-10 | All items |
+| 11-50 | 10 items |
+| 51-250 | 15 items |
+| 251+ | 25 items |
+
+---
+
+## Organizational Controls (A.5)
+
+### A.5.1 - Policies for Information Security
+
+**Test Procedure:**
+1. Obtain current information security policy
+2. Verify management signature and approval date
+3. Check policy is accessible to all employees
+4. Confirm review within past 12 months
+5. Sample 5 employees: verify awareness of policy location
+
+**Evidence Required:**
+- Signed policy document
+- Intranet/portal screenshot showing policy access
+- Policy review meeting minutes
+- Employee acknowledgment records
+
+### A.5.15 - Access Control
+
+**Test Procedure:**
+1. Obtain access control policy
+2. Select sample of 10 user accounts
+3. Verify access rights match job descriptions
+4. Check for segregation of duties violations
+5. Verify access provisioning follows documented process
+
+**Evidence Required:**
+- Access control policy
+- User access matrix
+- Access request forms with approvals
+- Role definitions
+
+### A.5.24 - Information Security Incident Management
+
+**Test Procedure:**
+1. Review incident management procedure
+2. Select 3 recent incidents from log
+3. Verify incidents followed documented process
+4. Check escalation thresholds were respected
+5. Confirm lessons learned were documented
+
+**Evidence Required:**
+- Incident response procedure
+- Incident tickets with timeline
+- Escalation records
+- Post-incident review reports
+
+---
+
+## People Controls (A.6)
+
+### A.6.1 - Screening
+
+**Test Procedure:**
+1. Review background check policy
+2. Select 10 recent hires
+3. Verify background checks completed before start
+4. Check checks match role sensitivity level
+5. Confirm records are securely stored
+
+**Evidence Required:**
+- Screening policy
+- Background check completion records
+- Role risk classification matrix
+
+### A.6.3 - Information Security Awareness
+
+**Test Procedure:**
+1. Obtain training program documentation
+2. Select sample of 15 employees
+3. Verify training completion records
+4. Review training content for currency
+5. Check phishing simulation results
+
+**Evidence Required:**
+- Training materials and schedule
+- LMS completion reports
+- Phishing test results
+- Training effectiveness metrics
+
+### A.6.7 - Remote Working
+
+**Test Procedure:**
+1. Review remote working policy
+2. Verify VPN is required for remote access
+3. Sample 5 remote worker devices for compliance
+4. Check endpoint protection is active
+5. Verify secure data handling requirements
+
+**Evidence Required:**
+- Remote working policy
+- VPN connection logs
+- Endpoint compliance reports
+- Remote access agreement signatures
+
+---
+
+## Physical Controls (A.7)
+
+### A.7.1 - Physical Security Perimeters
+
+**Test Procedure:**
+1. Walk perimeter of secure areas
+2. Verify access controls at all entry points
+3. Check visitor management process
+4. Review after-hours access logs
+5. Confirm emergency exits are secure
+
+**Evidence Required:**
+- Site security plan
+- Access control system configuration
+- Visitor logs
+- Guard tour records
+
+### A.7.4 - Physical Security Monitoring
+
+**Test Procedure:**
+1. Verify CCTV coverage of critical areas
+2. Check recording retention period
+3. Review sample of recent alert responses
+4. Confirm monitoring is 24/7 or as required
+5. Verify footage protection and access controls
+
+**Evidence Required:**
+- CCTV coverage map
+- Retention policy and settings
+- Alert response records
+- Access logs for footage viewing
+
+---
+
+## Technological Controls (A.8)
+
+### A.8.2 - Privileged Access Rights
+
+**Test Procedure:**
+1. Obtain list of privileged accounts
+2. Verify each has documented justification
+3. Check separation of admin and user accounts
+4. Confirm MFA is required for privileged access
+5. Review privileged activity logs
+
+**Evidence Required:**
+- Privileged account inventory
+- Access justification records
+- PAM solution configuration
+- Activity audit logs
+
+### A.8.5 - Secure Authentication
+
+**Test Procedure:**
+1. Review password policy configuration
+2. Verify MFA enrollment rates
+3. Test account lockout after failed attempts
+4. Check authentication logging
+5. Verify secure authentication protocols (no plaintext)
+
+**Evidence Required:**
+- Password policy settings screenshot
+- MFA enrollment report
+- Account lockout configuration
+- Authentication audit logs
+
+### A.8.7 - Protection Against Malware
+
+**Test Procedure:**
+1. Verify endpoint protection coverage
+2. Check definition update frequency
+3. Review quarantine/detection logs
+4. Confirm central management console
+5. Test sample detection (EICAR)
+
+**Evidence Required:**
+- Endpoint protection deployment report
+- Update status dashboard
+- Detection/quarantine logs
+- EICAR test results
+
+### A.8.8 - Management of Technical Vulnerabilities
+
+**Test Procedure:**
+1. Obtain vulnerability scanning schedule
+2. Review recent scan results
+3. Verify critical vulnerabilities patched within SLA
+4. Check vulnerability tracking system
+5. Sample 5 critical findings for remediation evidence
+
+**Evidence Required:**
+- Scanning schedule and scope
+- Scan reports with severity breakdown
+- Patch deployment records
+- Remediation tracking tickets
+
+### A.8.13 - Information Backup
+
+**Test Procedure:**
+1. Review backup policy and schedule
+2. Verify backup completion logs
+3. Check encryption of backup data
+4. Request recent restoration test results
+5. Verify offsite/cloud backup location
+
+**Evidence Required:**
+- Backup policy
+- Backup job completion logs
+- Encryption configuration
+- Restoration test records
+
+### A.8.15 - Logging
+
+**Test Procedure:**
+1. Identify systems requiring logging
+2. Verify logging is enabled and configured
+3. Check log retention meets requirements
+4. Confirm log integrity protection
+5. Verify SIEM integration and alerting
+
+**Evidence Required:**
+- Logging requirements matrix
+- Log configuration screenshots
+- Retention settings
+- SIEM alert rules
+
+### A.8.24 - Use of Cryptography
+
+**Test Procedure:**
+1. Review cryptography policy
+2. Verify encryption at rest configuration
+3. Check TLS configuration (version, ciphers)
+4. Review key management procedures
+5. Verify certificate inventory and expiration tracking
+
+**Evidence Required:**
+- Cryptography policy
+- Encryption configuration settings
+- SSL/TLS scan results
+- Key management procedures
+- Certificate inventory
diff --git a/ra-qm-team/isms-audit-expert/scripts/example.py b/ra-qm-team/isms-audit-expert/scripts/example.py
deleted file mode 100755
index 53176c0..0000000
--- a/ra-qm-team/isms-audit-expert/scripts/example.py +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env python3 -""" -Example helper script for isms-audit-expert - -This is a placeholder script that can be executed directly. -Replace with actual implementation or delete if not needed. - -Example real scripts from other skills: -- pdf/scripts/fill_fillable_fields.py - Fills PDF form fields -- pdf/scripts/convert_pdf_to_images.py - Converts PDF pages to images -""" - -def main(): - print("This is an example script for isms-audit-expert") - # TODO: Add actual script logic here - # This could be data processing, file conversion, API calls, etc. - -if __name__ == "__main__": - main() diff --git a/ra-qm-team/isms-audit-expert/scripts/isms_audit_scheduler.py b/ra-qm-team/isms-audit-expert/scripts/isms_audit_scheduler.py new file mode 100644 index 0000000..e8445b6 --- /dev/null +++ b/ra-qm-team/isms-audit-expert/scripts/isms_audit_scheduler.py 
@@ -0,0 +1,279 @@ +#!/usr/bin/env python3 +""" +ISMS Audit Scheduler + +Risk-based audit planning and scheduling for ISO 27001 compliance. +Generates annual audit plans based on control risk ratings. + +Usage: + python isms_audit_scheduler.py --year 2025 --output audit_plan.json + python isms_audit_scheduler.py --controls controls.csv --format markdown +""" + +import argparse +import csv +import json +import sys +from datetime import datetime, timedelta +from typing import Dict, List, Any, Optional + + +# ISO 27001:2022 Annex A control domains +CONTROL_DOMAINS = { + "A.5": {"name": "Organizational Controls", "count": 37}, + "A.6": {"name": "People Controls", "count": 8}, + "A.7": {"name": "Physical Controls", "count": 14}, + "A.8": {"name": "Technological Controls", "count": 34}, +} + +# Default risk ratings for control areas +DEFAULT_RISK_RATINGS = { + "A.5.1": {"name": "Policies for information security", "risk": "medium"}, + "A.5.2": {"name": "Information security roles", "risk": "medium"}, + "A.5.15": {"name": "Access control", "risk": "high"}, + "A.5.24": {"name": "Incident management planning", "risk": "high"}, + "A.5.25": {"name": "Assessment of security events", "risk": "high"}, + "A.6.1": {"name": "Screening", "risk": "medium"}, + "A.6.3": {"name": "Information security awareness", "risk": "medium"}, + "A.6.7": {"name": "Remote working", "risk": "high"}, + "A.7.1": {"name": "Physical security perimeters", "risk": "medium"}, + "A.7.4": {"name": "Physical security monitoring", "risk": "medium"}, + "A.8.2": {"name": "Privileged access rights", "risk": "critical"}, + "A.8.5": {"name": "Secure authentication", "risk": "critical"}, + "A.8.7": {"name": "Protection against malware", "risk": "high"}, + "A.8.8": {"name": "Management of vulnerabilities", "risk": "critical"}, + "A.8.13": {"name": "Information backup", "risk": "high"}, + "A.8.15": {"name": "Logging", "risk": "critical"}, + "A.8.20": {"name": "Networks security", "risk": "high"}, + "A.8.24": {"name": 
"Use of cryptography", "risk": "high"}, +} + +# Audit frequency based on risk level +AUDIT_FREQUENCY = { + "critical": 4, # Quarterly + "high": 2, # Semi-annual + "medium": 1, # Annual + "low": 1, # Annual +} + + +def load_controls_from_csv(filepath: str) -> Dict[str, Dict]: + """Load control risk ratings from CSV file.""" + controls = {} + try: + with open(filepath, "r", encoding="utf-8") as f: + reader = csv.DictReader(f) + for row in reader: + control_id = row.get("control_id", row.get("id", "")) + if control_id: + controls[control_id] = { + "name": row.get("name", "Unknown"), + "risk": row.get("risk", "medium").lower(), + } + except FileNotFoundError: + print(f"Error: File not found: {filepath}", file=sys.stderr) + sys.exit(1) + return controls + + +def calculate_audit_dates( + year: int, + frequency: int +) -> List[str]: + """Calculate audit dates based on frequency.""" + dates = [] + interval = 12 // frequency + for i in range(frequency): + month = (i * interval) + 2 # Start in February + if month > 12: + month = month - 12 + date = datetime(year, month, 15) + dates.append(date.strftime("%Y-%m-%d")) + return dates + + +def generate_audit_plan( + year: int, + controls: Optional[Dict[str, Dict]] = None +) -> Dict[str, Any]: + """Generate risk-based annual audit plan.""" + if controls is None: + controls = DEFAULT_RISK_RATINGS + + plan = { + "metadata": { + "year": year, + "generated": datetime.now().isoformat(), + "methodology": "ISO 27001 Risk-Based Internal Auditing", + "total_controls": len(controls), + }, + "schedule": { + "Q1": {"month": "February-March", "audits": []}, + "Q2": {"month": "May-June", "audits": []}, + "Q3": {"month": "August-September", "audits": []}, + "Q4": {"month": "November", "audits": []}, + }, + "controls": {}, + } + + # Assign controls to quarters based on risk + for control_id, control_data in controls.items(): + risk = control_data.get("risk", "medium") + frequency = AUDIT_FREQUENCY.get(risk, 1) + audit_dates = 
calculate_audit_dates(year, frequency) + + plan["controls"][control_id] = { + "name": control_data.get("name", "Unknown"), + "risk": risk, + "frequency": frequency, + "scheduled_audits": audit_dates, + } + + # Add to quarterly schedule + for i, date in enumerate(audit_dates): + month = int(date.split("-")[1]) + if month <= 3: + quarter = "Q1" + elif month <= 6: + quarter = "Q2" + elif month <= 9: + quarter = "Q3" + else: + quarter = "Q4" + + plan["schedule"][quarter]["audits"].append({ + "control_id": control_id, + "control_name": control_data.get("name", "Unknown"), + "risk_level": risk, + "target_date": date, + }) + + # Sort audits within each quarter + for quarter in plan["schedule"]: + plan["schedule"][quarter]["audits"].sort( + key=lambda x: ( + {"critical": 0, "high": 1, "medium": 2, "low": 3}.get(x["risk_level"], 4), + x["target_date"] + ) + ) + + # Calculate summary statistics + risk_counts = {"critical": 0, "high": 0, "medium": 0, "low": 0} + total_audits = 0 + for control_data in plan["controls"].values(): + risk_counts[control_data["risk"]] += 1 + total_audits += control_data["frequency"] + + plan["summary"] = { + "total_controls_in_scope": len(controls), + "total_audits_planned": total_audits, + "risk_distribution": risk_counts, + "audits_per_quarter": { + q: len(plan["schedule"][q]["audits"]) + for q in plan["schedule"] + }, + } + + return plan + + +def format_markdown(plan: Dict[str, Any]) -> str: + """Format audit plan as markdown.""" + lines = [ + f"# ISMS Audit Plan {plan['metadata']['year']}", + f"", + f"**Generated:** {plan['metadata']['generated'][:10]}", + f"**Methodology:** {plan['metadata']['methodology']}", + f"", + f"## Summary", + f"", + f"| Metric | Value |", + f"|--------|-------|", + f"| Controls in Scope | {plan['summary']['total_controls_in_scope']} |", + f"| Total Audits Planned | {plan['summary']['total_audits_planned']} |", + f"| Critical Risk Controls | {plan['summary']['risk_distribution']['critical']} |", + f"| High Risk 
Controls | {plan['summary']['risk_distribution']['high']} |", + f"| Medium Risk Controls | {plan['summary']['risk_distribution']['medium']} |", + f"", + ] + + for quarter, data in plan["schedule"].items(): + lines.extend([ + f"## {quarter}: {data['month']}", + f"", + f"| Control | Name | Risk | Target Date |", + f"|---------|------|------|-------------|", + ]) + for audit in data["audits"]: + lines.append( + f"| {audit['control_id']} | {audit['control_name']} | " + f"{audit['risk_level'].capitalize()} | {audit['target_date']} |" + ) + lines.append("") + + lines.extend([ + f"## Risk-Based Audit Frequency", + f"", + f"| Risk Level | Audit Frequency |", + f"|------------|-----------------|", + f"| Critical | Quarterly (4x/year) |", + f"| High | Semi-Annual (2x/year) |", + f"| Medium | Annual (1x/year) |", + f"| Low | Annual (1x/year) |", + ]) + + return "\n".join(lines) + + +def main(): + parser = argparse.ArgumentParser( + description="ISMS Audit Scheduler - Risk-based audit planning" + ) + parser.add_argument( + "--year", "-y", + type=int, + default=datetime.now().year, + help="Audit plan year (default: current year)" + ) + parser.add_argument( + "--controls", "-c", + help="CSV file with control risk ratings" + ) + parser.add_argument( + "--output", "-o", + help="Output file path" + ) + parser.add_argument( + "--format", "-f", + choices=["json", "markdown"], + default="json", + help="Output format (default: json)" + ) + + args = parser.parse_args() + + # Load controls + controls = None + if args.controls: + controls = load_controls_from_csv(args.controls) + + # Generate plan + plan = generate_audit_plan(args.year, controls) + + # Format output + if args.format == "markdown": + output = format_markdown(plan) + else: + output = json.dumps(plan, indent=2) + + # Write output + if args.output: + with open(args.output, "w", encoding="utf-8") as f: + f.write(output) + print(f"Audit plan saved to: {args.output}", file=sys.stderr) + else: + print(output) + + +if __name__ == 
"__main__": + main()
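Review bot: A risk rating read from the CSV that is not one of critical/high/medium/low is accepted by `load_controls_from_csv` but later crashes `generate_audit_plan` at `risk_counts[control_data["risk"]] += 1` with a bare KeyError, because the loader lowercases the value but never validates it (an empty cell becomes `""`, and `AUDIT_FREQUENCY.get(risk, 1)` has already silently treated the unknown value as annual by then). Reject it at load time, next to the existing file-not-found handling, e.g. after computing the rating: `if risk not in AUDIT_FREQUENCY:` / `    print(f"Error: unknown risk rating {risk!r} for control {control_id}", file=sys.stderr)` / `    sys.exit(1)`. Separately, the markdown summary in `format_markdown` lists critical/high/medium but omits the low bucket that `risk_distribution` and the frequency table below it both carry, so a `| Low Risk Controls | {plan['summary']['risk_distribution']['low']} |` row would keep the two consistent.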