iso27001-audit-prep
by alirezarezvaniiso27001-audit-prep is a focused ISO 27001 ISMS audit readiness skill. It uses six forcing questions to pressure-test scope, risk register freshness, Annex A linkage, management review, corrective actions, and sample-ready evidence before internal, certification, or surveillance audits.
This skill scores 66/100, which means it is acceptable for directory listing but should be presented as a lightweight ISO 27001 audit-readiness questioning aid rather than a complete audit prep system. Directory users can understand when to invoke it and what pressure-test questions it applies, but adoption value is limited by missing support files and some reliance on external references not included with the skill.
- Clear trigger and use cases: the frontmatter and body specify `/cs:iso27001-audit-prep <scope>` and list when to run it, including Clause 9.2 internal audits, certification readiness, surveillance audits, scope changes, and post-incident reviews.
- Provides concrete ISO 27001 readiness prompts, including 3-year audit coverage, risk register refresh, Annex A control linkage, residual risk acceptance, and auditor independence.
- The skill has substantive SKILL.md content with no placeholder or experimental markers, giving agents more structure than a generic ISO 27001 prompt.
- No supporting scripts, references, or resources are included, despite the skill directing users to run an external `isms_audit_scheduler.py` in another path.
- It appears to be a focused audit-readiness interrogation/checklist rather than a full ISO 27001 audit preparation workflow with templates, evidence trackers, or sample outputs.
Overview of iso27001-audit-prep skill
What iso27001-audit-prep does
iso27001-audit-prep is a compliance review skill for pressure-testing ISO 27001 ISMS audit readiness before an internal audit, certification audit, surveillance audit, or major scope change. It is designed around a six-question forcing workflow rather than a broad checklist, so the agent focuses on the evidence auditors usually challenge: audit scope, rolling control coverage, risk register freshness, treatment linkage, management review, corrective actions, and sample-ready documentation.
Best-fit users and audit moments
This skill is most useful for compliance leads, security managers, GRC owners, internal auditors, and startup operators preparing for ISO 27001 Clause 9.2 internal audit or external certification review. Use iso27001-audit-prep for Compliance Review when you already have some ISMS material and need a structured readiness interrogation, not when you are trying to learn ISO 27001 from zero.
Strong fit cases include:
- annual internal audit planning
- stage 1 or stage 2 certification readiness
- year 2 or year 3 surveillance audit preparation
- post-incident ISMS review
- new product, business unit, SaaS platform, or geography added to scope
What makes it different from a generic prompt
A generic “prepare me for ISO 27001” prompt often produces a long checklist with weak prioritization. The iso27001-audit-prep skill narrows the review into audit-facing questions and asks for sample-driven proof. That makes it better for finding missing evidence, stale risk records, weak Annex A mappings, unsigned residual risk acceptance, and audit programme gaps before an auditor does.
Important limitations before installing
The repository evidence shows a single SKILL.md file and no bundled scripts, references, resources, or metadata files. The skill mentions an isms_audit_scheduler.py in another path, but this skill folder itself does not include that helper. Treat iso27001-audit-prep as a focused prompting workflow, not a full audit automation package or legal certification service.
How to Use iso27001-audit-prep skill
iso27001-audit-prep install context
For iso27001-audit-prep install, add the skill from the GitHub repository path used by your AI skill runner or Claude skills environment:
https://github.com/alirezarezvani/claude-skills/tree/main/compliance-os/skills/iso27001-audit-prep
If your installer supports GitHub skill imports, point it at the repository and skill path, then verify that SKILL.md is available. Because there are no support folders in this skill directory, read SKILL.md first; there is no hidden ruleset or script library to inspect inside this folder.
Inputs the skill needs for useful output
The command format is:
/cs:iso27001-audit-prep <scope>
Do not pass only “our ISMS” as the scope. Better scope inputs include the legal entity, locations, products, systems, teams, exclusions, audit type, and target date.
Weak prompt:
/cs:iso27001-audit-prep SaaS company
Stronger prompt:
/cs:iso27001-audit-prep Stage 1 readiness for Acme Ltd ISMS covering UK HQ, remote engineering, production AWS SaaS platform, customer support operations, and excluded corporate finance systems; audit in 6 weeks.
The stronger version helps the skill test whether audit coverage, Annex A applicability, risk treatment, and evidence samples match the actual certification boundary.
Practical iso27001-audit-prep usage workflow
Use this sequence for better iso27001-audit-prep usage results:
- Define the audit event: internal Clause 9.2, stage 1, stage 2, surveillance, post-incident, or scope-change review.
- Provide the ISMS scope and major exclusions.
- Add current evidence status: risk register date, Statement of Applicability version, internal audit plan, management review date, corrective action log, and control ownership.
- Ask the skill to interrogate gaps using the six ISMS questions.
- Convert the output into an evidence request list, owner list, and pre-audit remediation plan.
A high-quality prompt can include:
Use iso27001-audit-prep to challenge our ISO 27001 surveillance audit readiness. Scope: EU SaaS platform, AWS production, product engineering, SRE, support, HR onboarding, and vendor management. Risk register last updated 5 months ago. SoA version 2024-03. Last management review 9 months ago. Internal audit covered access control and incident management, but not supplier security. Return likely findings, missing samples, urgent fixes, and questions an auditor may ask.
Files to read before relying on it
Read SKILL.md completely before first use. Pay attention to the “When to Run” section and the six ISMS questions. Also note the dependency-style reference to an audit scheduler outside this skill folder; if your environment does not include that other skill path, ask the agent to create a manual 3-year audit coverage table instead of assuming a script is available.
iso27001-audit-prep skill FAQ
Is iso27001-audit-prep enough for ISO 27001 certification?
No. iso27001-audit-prep helps prepare for audit conversations and evidence checks, but it does not certify an organization, replace an accredited auditor, or generate a complete ISMS. It is best used to expose readiness gaps before formal review.
How is it better than asking ChatGPT for an ISO 27001 checklist?
The value is focus. The skill frames the review around pressure-test questions an auditor can use against your ISMS: scope discipline, rolling three-year coverage, risk-to-control linkage, residual risk acceptance, independence, and evidence readiness. That produces more actionable gaps than a generic checklist.
Can beginners use the iso27001-audit-prep guide?
Yes, but beginners should provide more context and ask for explanations of any ISO terms. If you do not already know your ISMS scope, risk register status, SoA status, or internal audit plan, the skill can help identify missing basics, but its strongest use is audit readiness rather than introductory training.
When should I not use this skill?
Do not use it as your only source for legal, regulatory, or certification decisions. It is also a poor fit if you have no ISMS artifacts yet; in that case, start with scope definition, asset inventory, risk assessment, SoA drafting, and policy development before running an audit-prep interrogation.
How to Improve iso27001-audit-prep skill
Make iso27001-audit-prep inputs evidence-rich
The biggest output improvement comes from giving the agent concrete evidence status. Include dates, document names, owners, unresolved findings, control families not yet audited, and known weak areas. For example, “risk register refreshed quarterly” is less useful than “risk register last approved 2024-11-15; 4 high risks; 2 residual acceptances unsigned; supplier risk treatment not mapped to Annex A.”
Ask for sample-driven audit challenges
ISO 27001 audits depend on samples. Improve the skill output by asking for sample requests, not just gaps:
For each weakness, list the sample evidence an auditor may request, the likely ISO 27001 clause or Annex A area, the owner who should prepare it, and what would make the sample defensible.
This turns the iso27001-audit-prep guide into an actionable preparation plan.
Watch for common failure modes
Common weak outputs come from vague scope, missing audit type, or assuming evidence exists. If the first response sounds too positive, ask the agent to be adversarial: “Challenge our readiness as an external auditor and identify likely minor or major nonconformities.” If the response is too broad, narrow it to the next audit event and top five evidence risks.
Iterate into a remediation plan
After the first iso27001-audit-prep pass, ask for a 30-day plan with severity, owners, evidence to collect, and decision points. Good follow-up prompts include: “Separate must-fix before audit from nice-to-have,” “Map each issue to ISO 27001 clause or Annex A control where possible,” and “Create management review questions for unresolved residual risks.”
