@open-agreements/open-agreements 0.2.0 → 0.2.2

package/skills/iso-27001-evidence-collection/SKILL.md

@@ -0,0 +1,300 @@
+---
+name: iso-27001-evidence-collection
+description: >-
+  Collect, organize, and validate evidence for ISO 27001 and SOC 2 audits.
+  API-first approach with CLI commands for major cloud platforms. Produces
+  timestamped, auditor-ready evidence packages.
+license: MIT
+compatibility: >-
+  Works with any AI agent. Enhanced with compliance MCP server for automated
+  gap detection. Falls back to embedded checklists when no live data available.
+metadata:
+  author: open-agreements
+  version: "0.1.0"
+  frameworks:
+    - ISO 27001:2022
+    - SOC 2 Type II
+    - NIST SP 800-53 Rev 5
+---
+
+# ISO 27001 Evidence Collection
+
+Systematically collect audit evidence for ISO 27001:2022 and SOC 2. This skill provides API-first evidence collection commands, organizes evidence by control, and validates completeness before auditor review.
+
+## Security Model
+
+- **No scripts executed** — this skill is markdown-only procedural guidance
+- **No secrets required** — works with reference checklists; CLI commands use existing local credentials
+- **Evidence stays local** — all outputs go to the local filesystem
+- **IP-clean** — references NIST SP 800-53 (public domain); ISO controls cited by section ID only
+
+## When to Use
+
+Activate this skill when:
+
+1. **Preparing evidence package for external audit** — 2-4 weeks before auditor arrives
+2. **Quarterly evidence refresh** — update evidence that has aged beyond the audit window
+3. **After remediation** — collect evidence proving a finding has been fixed
+4. **New system onboarding** — establish baseline evidence for a newly in-scope system
+5. **Evidence gap analysis** — identify what's missing before the audit
+
+Do NOT use for:
+- Running the internal audit itself — use `iso-27001-internal-audit`
+- SOC 2-only readiness assessment — use `soc2-readiness`
+- Interpreting audit findings — use the internal audit skill
+
+## Core Concepts
+
+### Evidence Hierarchy (Best to Worst)
+
+| Rank | Type | Example | Why Better |
+|------|------|---------|------------|
+| 1 | **API export (JSON/CSV)** | `gcloud iam service-accounts list --format=json` | Timestamped, tamper-evident, reproducible |
+| 2 | **System-generated report** | SOC 2 report from vendor, SIEM export | Authoritative source, includes metadata |
+| 3 | **Configuration export** | Terraform state, policy JSON | Shows intended state, version-controlled |
+| 4 | **Screenshot with system clock** | `screencapture -x ~/evidence/...` | Visual proof, but harder to validate |
+| 5 | **Manual attestation** | Signed statement by responsible person | Last resort, requires corroboration |
+
+### Evidence Freshness Requirements
+
+| Evidence Type | Max Age | Refresh Cadence |
+|---------------|---------|-----------------|
+| Access lists | 90 days | Quarterly |
+| Vulnerability scans | 30 days | Monthly |
+| Configuration exports | 90 days | Quarterly |
+| Training records | 12 months | Annual |
+| Penetration test | 12 months | Annual |
+| Policy documents | 12 months | Annual review |
+| Incident records | Audit period | Continuous |
+| Risk assessment | 12 months | Annual + on change |
+
+### Evidence Naming Convention
+
+```
+{control_id}_{evidence_type}_{YYYY-MM-DD}.{ext}
+```
+
+Examples:
+- `A.5.15_user-access-list_2026-02-28.json`
+- `A.8.8_vulnerability-scan_2026-02-28.csv`
+- `A.8.13_backup-test-results_2026-02-28.pdf`
+
+## Step-by-Step Workflow
+
+### Step 1: Identify Evidence Gaps
+
+Determine what evidence is missing or stale.
+
+```
+# If compliance MCP is available:
+list_evidence_gaps(framework="iso27001_2022", tier="critical")
+
+# If reading local compliance data:
+# Check compliance/evidence/*.md files for upload_status != "OK"
+# Check renewal_next dates for upcoming expirations
+```
+
+### Step 2: Prioritize Collection
+
+Order evidence collection by:
+1. **Missing evidence for Critical-tier controls** — audit blockers
+2. **Stale evidence past renewal date** — auditor will reject
+3. **Evidence for Relevant-tier controls** — expected but not blocking
+4. **Checkbox-tier evidence** — policies and attestations
+
+### Step 3: Collect by Platform
+
+Run evidence collection commands grouped by platform to minimize context-switching.
+
+#### GitHub Evidence
+```bash
+# Org settings: MFA requirement, default permissions
+gh api orgs/{org} | jq '{
+  two_factor_requirement_enabled,
+  default_repository_permission,
+  members_can_create_public_repositories
+}' > evidence/A.5.17_github-org-mfa_$(date +%Y-%m-%d).json
+
+# Branch protection on production repos
+for repo in $(gh repo list {org} --json name -q '.[].name'); do
+  gh api repos/{org}/$repo/branches/main/protection 2>/dev/null | \
+    jq '{repo: "'$repo'", protection: .}' >> evidence/A.8.32_branch-protection_$(date +%Y-%m-%d).json
+done
+
+# Recent merged PRs (change management evidence)
+gh pr list --state merged --limit 50 --json number,title,author,reviewDecision,mergedAt,mergedBy \
+  > evidence/A.8.32_change-records_$(date +%Y-%m-%d).json
+
+# Dependabot alerts (vulnerability management)
+gh api repos/{org}/{repo}/dependabot/alerts?state=open \
+  > evidence/A.8.8_dependabot-alerts_$(date +%Y-%m-%d).json
+
+# Secret scanning alerts
+gh api orgs/{org}/secret-scanning/alerts --paginate \
+  > evidence/A.8.24_secret-scanning_$(date +%Y-%m-%d).json
+
+# Audit log
+gh api orgs/{org}/audit-log?per_page=100 \
+  > evidence/A.8.15_github-audit-log_$(date +%Y-%m-%d).json
+```
+
+#### GCP Evidence
+```bash
+# IAM policy (access control)
+gcloud projects get-iam-policy {project} --format=json \
+  > evidence/A.5.15_gcp-iam-policy_$(date +%Y-%m-%d).json
+
+# Service accounts
+gcloud iam service-accounts list --format=json \
+  > evidence/A.5.16_gcp-service-accounts_$(date +%Y-%m-%d).json
+
+# Audit logging config
+gcloud projects get-iam-policy {project} --format=json | jq '.auditConfigs' \
+  > evidence/A.8.15_gcp-audit-config_$(date +%Y-%m-%d).json
+
+# Log sinks (centralization)
+gcloud logging sinks list --format=json \
+  > evidence/A.8.15_gcp-log-sinks_$(date +%Y-%m-%d).json
+
+# Compute instances (asset inventory)
+gcloud compute instances list --format=json \
+  > evidence/A.5.9_gcp-compute-inventory_$(date +%Y-%m-%d).json
+
+# Cloud SQL backup config
+gcloud sql backups list --instance={instance} --format=json \
+  > evidence/A.8.13_gcp-sql-backups_$(date +%Y-%m-%d).json
+
+# Firewall rules
+gcloud compute firewall-rules list --format=json \
+  > evidence/A.8.20_gcp-firewall-rules_$(date +%Y-%m-%d).json
+```
+
+#### Azure Evidence
+```bash
+# Role assignments (access control)
+az role assignment list --all --output json \
+  > evidence/A.5.15_azure-role-assignments_$(date +%Y-%m-%d).json
+
+# Activity log (audit trail)
+az monitor activity-log list --max-events 100 --output json \
+  > evidence/A.8.15_azure-activity-log_$(date +%Y-%m-%d).json
+
+# Network security groups
+az network nsg list --output json \
+  > evidence/A.8.20_azure-nsgs_$(date +%Y-%m-%d).json
+
+# Backup jobs
+az backup job list --resource-group {rg} --vault-name {vault} --output json \
+  > evidence/A.8.13_azure-backup-jobs_$(date +%Y-%m-%d).json
+
+# Storage encryption
+az storage account list --query "[].{name:name, encryption:encryption}" --output json \
+  > evidence/A.8.24_azure-storage-encryption_$(date +%Y-%m-%d).json
+```
+
+#### Google Workspace Evidence
+```bash
+# User list with MFA status
+gam print users fields primaryEmail,name,isEnrolledIn2Sv,isEnforcedIn2Sv,lastLoginTime,suspended \
+  > evidence/A.5.17_workspace-users-mfa_$(date +%Y-%m-%d).csv
+
+# Admin roles
+gam print admins > evidence/A.8.2_workspace-admins_$(date +%Y-%m-%d).csv
+
+# Mobile devices
+gam print mobile > evidence/A.8.1_workspace-mobile-devices_$(date +%Y-%m-%d).csv
+```
+
+#### macOS Endpoint Evidence
+```bash
+# FileVault encryption
+fdesetup status > evidence/A.8.24_filevault-status_$(date +%Y-%m-%d).txt
+
+# System configuration
+system_profiler SPHardwareDataType SPSoftwareDataType \
+  > evidence/A.8.1_endpoint-config_$(date +%Y-%m-%d).txt
+
+# Screen lock settings
+profiles show -type configuration 2>/dev/null | grep -A10 -i "lock\|idle\|screensaver" \
+  > evidence/A.6.7_screenlock-config_$(date +%Y-%m-%d).txt
+```
+
+### Step 4: Validate Evidence Package
+
+Check completeness before submitting to auditor:
+
+1. **Completeness**: Do you have evidence for every applicable control in the SoA?
+2. **Freshness**: Is every piece of evidence within the required age?
+3. **Format**: Are API exports in JSON/CSV with timestamps? Screenshots have system clock visible?
+4. **Naming**: Files follow the naming convention?
+5. **Coverage**: Critical-tier controls have at least 2 forms of evidence?
+
+```
+# If compliance MCP is available:
+list_evidence_gaps(framework="iso27001_2022")  # Should return empty for complete package
+```
+
+### Step 5: Generate Evidence Index
+
+Create an index file listing all evidence, mapped to controls:
+
+```markdown
+# Evidence Package Index
+Generated: {date}
+Audit period: {start} to {end}
+
+| Control | Evidence File | Type | Collected | Status |
+|---------|--------------|------|-----------|--------|
+| A.5.15 | gcp-iam-policy_2026-02-28.json | API export | 2026-02-28 | Current |
+| A.5.17 | workspace-users-mfa_2026-02-28.csv | API export | 2026-02-28 | Current |
+| ... | ... | ... | ... | ... |
+```
+
+## DO / DON'T
+
+### DO
+- Use API exports with ISO 8601 timestamps over screenshots whenever possible
+- Collect evidence from the SOURCE system (IdP, not a secondary report)
+- Include metadata: collection date, system version, user who collected
+- Store evidence in version-controlled directory with clear naming
+- Collect evidence for the AUDIT PERIOD (usually past 12 months), not just current state
+- Use `screencapture -x ~/evidence/{filename}.png` for screenshots (captures without shadow/border)
+
+### DON'T
+- Take screenshots without visible system clock (menu bar on macOS, taskbar on Windows)
+- Collect evidence from sandbox/staging instead of production
+- Manually edit evidence after collection (auditors may verify against source)
+- Wait until the week before the audit to collect everything
+- Assume stale evidence is acceptable — check freshness requirements above
+- Mix evidence from different audit periods in the same file
+
+## Troubleshooting
+
+| Problem | Solution |
+|---------|----------|
+| API command requires auth | Use existing local credentials: `gcloud auth login`, `az login`, `gh auth login` |
+| Tool not installed | Install: `brew install gh`, `brew install --cask google-cloud-sdk`, `brew install azure-cli` |
+| Insufficient permissions | Request read-only access to the relevant service; document the access request as evidence |
+| Evidence too large | Use `--limit` or `--max-events` flags; collect summary statistics instead of full export |
+| Vendor won't provide SOC 2 report | Request via their trust center; if unavailable, document the request and use their security page |
+| Screenshot doesn't include clock | On macOS: use full-screen capture, or `screencapture -x` which includes menu bar |
+
+## Rules
+
+For detailed evidence collection guidance by topic:
+
+| File | Coverage |
+|------|----------|
+| `rules/api-exports.md` | CLI commands by cloud provider (GCP, Azure, AWS, GitHub, Google Workspace) |
+| `rules/screenshot-guide.md` | When and how to take audit-ready screenshots |
+| `rules/evidence-types.md` | Evidence type requirements per control domain |
+
+## Attribution
+
+Evidence collection procedures and control guidance developed with [Internal ISO Audit](https://internalisoaudit.com) (Hazel Castro, ISO 27001 Lead Auditor, 14+ years, 100+ audits).
+
+## Runtime Detection
+
+1. **Compliance MCP server available** (best) — Automated gap detection, evidence freshness tracking
+2. **Local compliance data available** (good) — Reads evidence status from `compliance/evidence/*.md`
+3. **Reference only** (baseline) — Uses embedded checklists and command reference

package/skills/iso-27001-evidence-collection/rules/api-exports.md

@@ -0,0 +1,191 @@
+# API Export Commands by Platform
+
+Quick reference for evidence collection CLI commands. All commands output JSON or CSV for audit-ready evidence.
+
+## GitHub
+
+```bash
+# Org settings
+gh api orgs/{org} | jq '{name, two_factor_requirement_enabled, default_repository_permission, members_can_create_public_repositories}'
+
+# Members with roles
+gh api orgs/{org}/members --paginate | jq '.[] | {login, type, site_admin}'
+
+# Org admins
+gh api orgs/{org}/members?role=admin --paginate | jq '.[].login'
+
+# Branch protection
+gh api repos/{owner}/{repo}/branches/{branch}/protection
+
+# Recent merged PRs
+gh pr list --state merged --limit 50 --json number,title,author,reviewDecision,mergedAt,mergedBy
+
+# Dependabot alerts (open)
+gh api repos/{owner}/{repo}/dependabot/alerts?state=open
+
+# Code scanning alerts
+gh api repos/{owner}/{repo}/code-scanning/alerts --paginate
+
+# Secret scanning alerts
+gh api orgs/{org}/secret-scanning/alerts --paginate
+
+# Audit log (enterprise/org)
+gh api orgs/{org}/audit-log?per_page=100
+
+# Repository list with visibility
+gh repo list {org} --json name,visibility,isArchived --limit 100
+
+# Team membership
+gh api orgs/{org}/teams --paginate | jq '.[].slug'
+```
+
+## GCP (Google Cloud)
+
+```bash
+# IAM policy (who has access)
+gcloud projects get-iam-policy {project} --format=json
+
+# Service accounts
+gcloud iam service-accounts list --format=json
+
+# Service account keys (key rotation evidence)
+gcloud iam service-accounts keys list --iam-account={sa_email} --format=json
+
+# Compute instances (asset inventory)
+gcloud compute instances list --format=json
+
+# Firewall rules
+gcloud compute firewall-rules list --format=json
+
+# Cloud SQL instances
+gcloud sql instances list --format=json
+
+# Cloud SQL backups
+gcloud sql backups list --instance={instance} --format=json
+
+# Log sinks (centralization)
+gcloud logging sinks list --format=json
+
+# Audit config
+gcloud projects get-iam-policy {project} --format=json | jq '.auditConfigs'
+
+# Alerting policies
+gcloud monitoring policies list --format=json
+
+# Cloud KMS keys
+gcloud kms keys list --location=global --keyring={keyring} --format=json
+
+# VPC networks
+gcloud compute networks list --format=json
+
+# Cloud Storage buckets
+gcloud storage ls --json
+```
+
+## Azure
+
+```bash
+# Role assignments
+az role assignment list --all --output json
+
+# Users (Azure AD)
+az ad user list --output json | jq '.[] | {displayName, userPrincipalName, accountEnabled}'
+
+# Global admins (via MS Graph)
+az rest --method GET \
+  --url "https://graph.microsoft.com/v1.0/directoryRoles/$(az rest --method GET --url 'https://graph.microsoft.com/v1.0/directoryRoles' --query "value[?displayName=='Global Administrator'].id" -o tsv)/members" \
+  --query "value[].{displayName:displayName,upn:userPrincipalName}" -o json
+
+# Activity log
+az monitor activity-log list --max-events 100 --output json
+
+# Network security groups
+az network nsg list --output json
+
+# Storage account encryption
+az storage account list --query "[].{name:name, encryption:encryption}" --output json
+
+# Backup jobs
+az backup job list --resource-group {rg} --vault-name {vault} --output json
+
+# Key Vault access policies
+az keyvault show --name {vault} --query "properties.accessPolicies" --output json
+
+# Alert rules
+az monitor alert list --output json
+
+# Subscriptions (environment separation)
+az account list --output json
+```
+
+## Google Workspace (GAM)
+
+```bash
+# Users with MFA status
+gam print users fields primaryEmail,name,isEnrolledIn2Sv,isEnforcedIn2Sv,lastLoginTime,creationTime,suspended
+
+# Admin roles
+gam print admins
+
+# Mobile devices
+gam print mobile fields email,deviceId,type,status,os
+
+# Groups and membership
+gam print groups fields email,name,directMembersCount
+
+# OAuth tokens (third-party app access)
+gam all users print tokens
+
+# Login activity
+gam report login user all start {date} end {date}
+
+# Admin activity
+gam report admin start {date} end {date}
+```
+
+## macOS Endpoint
+
+```bash
+# FileVault status
+fdesetup status
+
+# Hardware/software info
+system_profiler SPHardwareDataType SPSoftwareDataType
+
+# Configuration profiles (MDM policies)
+profiles show -type configuration
+
+# Firewall status
+/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
+
+# SIP (System Integrity Protection) status
+csrutil status
+
+# Gatekeeper status
+spctl --status
+
+# Software updates available
+softwareupdate --list 2>&1
+
+# Installed applications
+system_profiler SPApplicationsDataType -json
+```
+
+## General / Cross-Platform
+
+```bash
+# TLS configuration check
+openssl s_client -connect {host}:443 -tls1_2 < /dev/null 2>&1 | grep -E "Protocol|Cipher"
+
+# DNS records (for domain ownership)
+dig +short {domain} ANY
+
+# SSL certificate details
+echo | openssl s_client -connect {host}:443 2>/dev/null | openssl x509 -noout -dates -subject
+
+# NTP sync status (Linux)
+timedatectl status | grep -E "NTP|synchronized"
+
+# NTP sync status (macOS)
+sntp -d time.apple.com 2>&1 | head -5
+```

package/skills/iso-27001-evidence-collection/rules/evidence-types.md

@@ -0,0 +1,107 @@
+# Evidence Types by Control Domain
+
+Map of what evidence is expected for each control domain, with format requirements.
+
+## Access Control Domain (A.5.15-A.5.18, A.8.2-A.8.5)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| User access list (all systems) | JSON/CSV export from IdP | Quarterly | A.5.15, A.5.18 |
+| Privileged user list | JSON export from IAM | Quarterly | A.8.2 |
+| Access review records | Spreadsheet with reviewer decisions | Quarterly | A.5.15, A.5.18 |
+| MFA enrollment report | CSV from IdP | Quarterly | A.5.17, A.8.5 |
+| Terminated user access revocation | Cross-reference: HR list vs. active accounts | On termination | A.5.18 |
+| Service account inventory | JSON from cloud IAM | Quarterly | A.5.16 |
+| Access control policy | PDF/markdown (versioned) | Annual review | A.5.15 |
+
+## Incident Response Domain (A.5.24-A.5.29, A.6.8)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| Incident response plan | PDF/markdown (versioned) | Annual review | A.5.24 |
+| Tabletop exercise records | Meeting notes with date, scenario, participants | Annual | A.5.24 |
+| Incident log/register | Ticketing system export | Continuous | A.5.25, A.5.26 |
+| Post-incident review reports | Document per incident | Per incident | A.5.27 |
+| Incident communication records | Email/chat exports | Per incident | A.5.26 |
+| Event reporting channel config | Screenshot of Slack channel / email alias | Annual | A.6.8 |
+
+## Cryptographic Controls (A.8.24, A.8.10-A.8.12)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| Encryption at rest configuration | JSON from cloud API | Quarterly | A.8.24 |
+| TLS configuration scan | `openssl` output or SSL Labs report | Quarterly | A.8.24 |
+| Key management policy | PDF/markdown | Annual | A.8.24 |
+| Certificate inventory | Export from cert manager | Quarterly | A.8.24 |
+| Data classification policy | PDF/markdown | Annual | A.8.10, A.8.12 |
+| DLP tool configuration | Screenshot or config export | Annual | A.8.12 |
+
+## Logging and Monitoring (A.8.15-A.8.17)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| Audit log configuration | JSON from cloud API | Quarterly | A.8.15 |
+| Log centralization (sink config) | JSON from cloud API | Quarterly | A.8.15 |
+| Log retention settings | Screenshot or config export | Annual | A.8.15 |
+| Alert configuration | JSON from monitoring tool | Quarterly | A.8.16 |
+| Sample alert + response | Ticketing system export | Quarterly | A.8.16 |
+| NTP sync evidence | CLI output from servers | Annual | A.8.17 |
+
+## Change Management (A.8.25-A.8.34, A.8.9)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| Change management policy | PDF/markdown | Annual | A.8.32 |
+| Branch protection config | JSON from GitHub API | Quarterly | A.8.32 |
+| Recent merged PRs with reviews | JSON from GitHub API | Quarterly | A.8.32 |
+| CI/CD pipeline configuration | YAML file export | Quarterly | A.8.25 |
+| Dependency scan results | JSON from Dependabot/Snyk | Monthly | A.8.8 |
+| Code scanning results | JSON from CodeQL/SAST | Monthly | A.8.28 |
+| Deployment history | JSON from deployment tool | Quarterly | A.8.32 |
+| Configuration baseline | IaC files (Terraform, etc.) | On change | A.8.9 |
+
+## Business Continuity (A.5.30, A.8.13-A.8.14)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| Business continuity plan | PDF/markdown | Annual | A.5.30 |
+| Business impact analysis | Spreadsheet with RTO/RPO | Annual | A.5.30 |
+| DR test records | Document with date, results | Annual | A.5.30 |
+| Backup configuration | JSON from cloud API | Quarterly | A.8.13 |
+| Backup test/restore records | Document with restore time | Annual | A.8.13 |
+| Redundancy architecture | Diagram + cloud resource export | Annual | A.8.14 |
+
+## People Controls (A.6.1-A.6.8)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| Background check records | HR system export (redacted) | Per hire | A.6.1 |
+| Employment agreements | Signed documents (sample) | Per hire | A.6.2 |
+| Training completion records | LMS export or spreadsheet | Annual | A.6.3 |
+| Disciplinary policy | PDF/markdown (in handbook) | Annual | A.6.4 |
+| Offboarding checklist records | HR system export | Per termination | A.6.5 |
+| NDA/confidentiality agreements | Signed documents (sample) | Per hire/engagement | A.6.6 |
+| Remote work policy | PDF/markdown | Annual | A.6.7 |
+
+## Supplier Management (A.5.19-A.5.23)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| Vendor inventory/register | Spreadsheet | Quarterly | A.5.19 |
+| Vendor security assessments | Per-vendor questionnaire | Annual per vendor | A.5.22 |
+| Vendor SOC 2 / ISO reports | PDF from vendor | Annual | A.5.22 |
+| Vendor contracts (security clauses) | Signed agreements (sample) | Per engagement | A.5.20 |
+| Vendor DPAs | Signed agreements | Per vendor handling PII | A.5.20 |
+
+## ISMS Management (Clauses 4-10)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| ISMS scope document | PDF/markdown | Annual | C.4.3 |
+| Information security policy | Signed PDF | Annual | C.5.2 |
+| Risk assessment | Spreadsheet/register | Annual | C.6.1.2, C.8.2 |
+| Statement of Applicability | Spreadsheet | Annual | C.6.1.3 |
+| Risk treatment plan | Document with status | Ongoing | C.6.1.3, C.8.3 |
+| Management review minutes | Meeting notes | Annual minimum | C.9.3 |
+| Internal audit report | Document with findings | Annual | C.9.2 |
+| Corrective action log | Spreadsheet/tracker | Ongoing | C.10.2 |

package/skills/iso-27001-evidence-collection/rules/screenshot-guide.md

@@ -0,0 +1,77 @@
+# Screenshot Evidence Guide
+
+When API exports are not available, screenshots are acceptable evidence — but they must meet specific requirements to be accepted by auditors.
+
+## When to Use Screenshots
+
+Screenshots are the evidence of LAST RESORT. Use them only when:
+
+1. The system has no API or CLI export capability
+2. You need to show a UI-specific configuration (e.g., portal settings page)
+3. The API export doesn't capture what the auditor needs to see
+4. You're documenting a process (step-by-step walkthrough)
+
+**Always prefer API exports** — they're timestamped, machine-readable, and harder to forge.
+
+## Requirements for Audit-Ready Screenshots
+
+### Mandatory
+- **System clock visible** — the macOS menu bar (top-right) or Windows taskbar (bottom-right) must show the current date and time
+- **Full context** — show the complete page/panel, not a cropped section. Auditors need to verify WHAT system the screenshot is from
+- **URL bar visible** — for web applications, the browser URL bar must be visible to confirm the system
+- **User identity visible** — the logged-in user should be visible (top-right corner in most portals)
+
+### Recommended
+- **High resolution** — at least 1920x1080 to ensure text is readable
+- **No annotations on the evidence copy** — annotated versions can be provided separately for reference
+- **Dark mode off** — light backgrounds print more clearly for auditors who print evidence
+
+## macOS Screenshot Commands
+
+```bash
+# Full screen capture (includes menu bar with clock)
+screencapture -x ~/evidence/{filename}.png
+
+# Specific window capture (add -w flag, then click the window)
+screencapture -xw ~/evidence/{filename}.png
+
+# Timed capture (10 second delay — useful for capturing dropdown menus)
+screencapture -xT 10 ~/evidence/{filename}.png
+
+# Capture specific screen region (drag to select)
+screencapture -xs ~/evidence/{filename}.png
+```
+
+**Tip**: The `-x` flag prevents the screenshot sound, which is less disruptive.
+
+## Naming Convention
+
+```
+{control_id}_{system}_{description}_{YYYY-MM-DD}.png
+```
+
+Examples:
+- `A.5.17_google-workspace_mfa-enforcement_2026-02-28.png`
+- `A.8.9_aws-console_security-group-config_2026-02-28.png`
+- `A.8.32_github_branch-protection-settings_2026-02-28.png`
+
+## Common Screenshot Evidence
+
+| Control | What to Screenshot | System |
+|---------|-------------------|--------|
+| A.5.17 | MFA enforcement settings | Google Workspace Admin / Azure AD |
+| A.8.5 | Password policy configuration | IdP settings page |
+| A.8.9 | Security group / firewall rules | Cloud console (when CLI unavailable) |
+| A.8.15 | Log retention settings | CloudWatch / Stackdriver / Azure Monitor |
+| A.8.24 | Encryption at rest configuration | Database / storage settings |
+| A.8.32 | Branch protection rules | GitHub repository settings |
+
+## Rejection Reasons
+
+Auditors commonly reject screenshots for:
+
+1. **No timestamp** — "When was this taken?" → Include system clock
+2. **Cropped too tightly** — "What system is this from?" → Show URL bar and surrounding context
+3. **Edited or annotated** — "Is this authentic?" → Provide clean + annotated versions separately
+4. **Wrong environment** — "Is this production?" → URL should show production hostname
+5. **Stale** — "This is from 6 months ago" → Re-capture within the audit window