open-agreements 0.2.0 → 0.2.2

package/skills/iso-27001-evidence-collection/rules/api-exports.md

@@ -0,0 +1,191 @@
+# API Export Commands by Platform
+
+Quick reference for evidence collection CLI commands. All commands output JSON or CSV for audit-ready evidence.
+
+## GitHub
+
+```bash
+# Org settings
+gh api orgs/{org} | jq '{name, two_factor_requirement_enabled, default_repository_permission, members_can_create_public_repositories}'
+
+# Members with roles
+gh api orgs/{org}/members --paginate | jq '.[] | {login, type, site_admin}'
+
+# Org admins
+gh api orgs/{org}/members?role=admin --paginate | jq '.[].login'
+
+# Branch protection
+gh api repos/{owner}/{repo}/branches/{branch}/protection
+
+# Recent merged PRs
+gh pr list --state merged --limit 50 --json number,title,author,reviewDecision,mergedAt,mergedBy
+
+# Dependabot alerts (open)
+gh api repos/{owner}/{repo}/dependabot/alerts?state=open
+
+# Code scanning alerts
+gh api repos/{owner}/{repo}/code-scanning/alerts --paginate
+
+# Secret scanning alerts
+gh api orgs/{org}/secret-scanning/alerts --paginate
+
+# Audit log (enterprise/org)
+gh api orgs/{org}/audit-log?per_page=100
+
+# Repository list with visibility
+gh repo list {org} --json name,visibility,isArchived --limit 100
+
+# Team membership
+gh api orgs/{org}/teams --paginate | jq '.[].slug'
+```
+
+## GCP (Google Cloud)
+
+```bash
+# IAM policy (who has access)
+gcloud projects get-iam-policy {project} --format=json
+
+# Service accounts
+gcloud iam service-accounts list --format=json
+
+# Service account keys (key rotation evidence)
+gcloud iam service-accounts keys list --iam-account={sa_email} --format=json
+
+# Compute instances (asset inventory)
+gcloud compute instances list --format=json
+
+# Firewall rules
+gcloud compute firewall-rules list --format=json
+
+# Cloud SQL instances
+gcloud sql instances list --format=json
+
+# Cloud SQL backups
+gcloud sql backups list --instance={instance} --format=json
+
+# Log sinks (centralization)
+gcloud logging sinks list --format=json
+
+# Audit config
+gcloud projects get-iam-policy {project} --format=json | jq '.auditConfigs'
+
+# Alerting policies
+gcloud monitoring policies list --format=json
+
+# Cloud KMS keys
+gcloud kms keys list --location=global --keyring={keyring} --format=json
+
+# VPC networks
+gcloud compute networks list --format=json
+
+# Cloud Storage buckets
+gcloud storage ls --json
+```
+
+## Azure
+
+```bash
+# Role assignments
+az role assignment list --all --output json
+
+# Users (Azure AD)
+az ad user list --output json | jq '.[] | {displayName, userPrincipalName, accountEnabled}'
+
+# Global admins (via MS Graph)
+az rest --method GET \
+  --url "https://graph.microsoft.com/v1.0/directoryRoles/$(az rest --method GET --url 'https://graph.microsoft.com/v1.0/directoryRoles' --query "value[?displayName=='Global Administrator'].id" -o tsv)/members" \
+  --query "value[].{displayName:displayName,upn:userPrincipalName}" -o json
+
+# Activity log
+az monitor activity-log list --max-events 100 --output json
+
+# Network security groups
+az network nsg list --output json
+
+# Storage account encryption
+az storage account list --query "[].{name:name, encryption:encryption}" --output json
+
+# Backup jobs
+az backup job list --resource-group {rg} --vault-name {vault} --output json
+
+# Key Vault access policies
+az keyvault show --name {vault} --query "properties.accessPolicies" --output json
+
+# Alert rules
+az monitor alert list --output json
+
+# Subscriptions (environment separation)
+az account list --output json
+```
+
+## Google Workspace (GAM)
+
+```bash
+# Users with MFA status
+gam print users fields primaryEmail,name,isEnrolledIn2Sv,isEnforcedIn2Sv,lastLoginTime,creationTime,suspended
+
+# Admin roles
+gam print admins
+
+# Mobile devices
+gam print mobile fields email,deviceId,type,status,os
+
+# Groups and membership
+gam print groups fields email,name,directMembersCount
+
+# OAuth tokens (third-party app access)
+gam all users print tokens
+
+# Login activity
+gam report login user all start {date} end {date}
+
+# Admin activity
+gam report admin start {date} end {date}
+```
+
+## macOS Endpoint
+
+```bash
+# FileVault status
+fdesetup status
+
+# Hardware/software info
+system_profiler SPHardwareDataType SPSoftwareDataType
+
+# Configuration profiles (MDM policies)
+profiles show -type configuration
+
+# Firewall status
+/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
+
+# SIP (System Integrity Protection) status
+csrutil status
+
+# Gatekeeper status
+spctl --status
+
+# Software updates available
+softwareupdate --list 2>&1
+
+# Installed applications
+system_profiler SPApplicationsDataType -json
+```
+
+## General / Cross-Platform
+
+```bash
+# TLS configuration check
+openssl s_client -connect {host}:443 -tls1_2 < /dev/null 2>&1 | grep -E "Protocol|Cipher"
+
+# DNS records (for domain ownership)
+dig +short {domain} ANY
+
+# SSL certificate details
+echo | openssl s_client -connect {host}:443 2>/dev/null | openssl x509 -noout -dates -subject
+
+# NTP sync status (Linux)
+timedatectl status | grep -E "NTP|synchronized"
+
+# NTP sync status (macOS)
+sntp -d time.apple.com 2>&1 | head -5
+```

package/skills/iso-27001-evidence-collection/rules/evidence-types.md

@@ -0,0 +1,107 @@
+# Evidence Types by Control Domain
+
+Map of what evidence is expected for each control domain, with format requirements.
+
+## Access Control Domain (A.5.15-A.5.18, A.8.2-A.8.5)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| User access list (all systems) | JSON/CSV export from IdP | Quarterly | A.5.15, A.5.18 |
+| Privileged user list | JSON export from IAM | Quarterly | A.8.2 |
+| Access review records | Spreadsheet with reviewer decisions | Quarterly | A.5.15, A.5.18 |
+| MFA enrollment report | CSV from IdP | Quarterly | A.5.17, A.8.5 |
+| Terminated user access revocation | Cross-reference: HR list vs. active accounts | On termination | A.5.18 |
+| Service account inventory | JSON from cloud IAM | Quarterly | A.5.16 |
+| Access control policy | PDF/markdown (versioned) | Annual review | A.5.15 |
+
+## Incident Response Domain (A.5.24-A.5.29, A.6.8)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| Incident response plan | PDF/markdown (versioned) | Annual review | A.5.24 |
+| Tabletop exercise records | Meeting notes with date, scenario, participants | Annual | A.5.24 |
+| Incident log/register | Ticketing system export | Continuous | A.5.25, A.5.26 |
+| Post-incident review reports | Document per incident | Per incident | A.5.27 |
+| Incident communication records | Email/chat exports | Per incident | A.5.26 |
+| Event reporting channel config | Screenshot of Slack channel / email alias | Annual | A.6.8 |
+
+## Cryptographic Controls (A.8.24, A.8.10-A.8.12)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| Encryption at rest configuration | JSON from cloud API | Quarterly | A.8.24 |
+| TLS configuration scan | `openssl` output or SSL Labs report | Quarterly | A.8.24 |
+| Key management policy | PDF/markdown | Annual | A.8.24 |
+| Certificate inventory | Export from cert manager | Quarterly | A.8.24 |
+| Data classification policy | PDF/markdown | Annual | A.8.10, A.8.12 |
+| DLP tool configuration | Screenshot or config export | Annual | A.8.12 |
+
+## Logging and Monitoring (A.8.15-A.8.17)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| Audit log configuration | JSON from cloud API | Quarterly | A.8.15 |
+| Log centralization (sink config) | JSON from cloud API | Quarterly | A.8.15 |
+| Log retention settings | Screenshot or config export | Annual | A.8.15 |
+| Alert configuration | JSON from monitoring tool | Quarterly | A.8.16 |
+| Sample alert + response | Ticketing system export | Quarterly | A.8.16 |
+| NTP sync evidence | CLI output from servers | Annual | A.8.17 |
+
+## Change Management (A.8.25-A.8.34, A.8.9)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| Change management policy | PDF/markdown | Annual | A.8.32 |
+| Branch protection config | JSON from GitHub API | Quarterly | A.8.32 |
+| Recent merged PRs with reviews | JSON from GitHub API | Quarterly | A.8.32 |
+| CI/CD pipeline configuration | YAML file export | Quarterly | A.8.25 |
+| Dependency scan results | JSON from Dependabot/Snyk | Monthly | A.8.8 |
+| Code scanning results | JSON from CodeQL/SAST | Monthly | A.8.28 |
+| Deployment history | JSON from deployment tool | Quarterly | A.8.32 |
+| Configuration baseline | IaC files (Terraform, etc.) | On change | A.8.9 |
+
+## Business Continuity (A.5.30, A.8.13-A.8.14)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| Business continuity plan | PDF/markdown | Annual | A.5.30 |
+| Business impact analysis | Spreadsheet with RTO/RPO | Annual | A.5.30 |
+| DR test records | Document with date, results | Annual | A.5.30 |
+| Backup configuration | JSON from cloud API | Quarterly | A.8.13 |
+| Backup test/restore records | Document with restore time | Annual | A.8.13 |
+| Redundancy architecture | Diagram + cloud resource export | Annual | A.8.14 |
+
+## People Controls (A.6.1-A.6.8)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| Background check records | HR system export (redacted) | Per hire | A.6.1 |
+| Employment agreements | Signed documents (sample) | Per hire | A.6.2 |
+| Training completion records | LMS export or spreadsheet | Annual | A.6.3 |
+| Disciplinary policy | PDF/markdown (in handbook) | Annual | A.6.4 |
+| Offboarding checklist records | HR system export | Per termination | A.6.5 |
+| NDA/confidentiality agreements | Signed documents (sample) | Per hire/engagement | A.6.6 |
+| Remote work policy | PDF/markdown | Annual | A.6.7 |
+
+## Supplier Management (A.5.19-A.5.23)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| Vendor inventory/register | Spreadsheet | Quarterly | A.5.19 |
+| Vendor security assessments | Per-vendor questionnaire | Annual per vendor | A.5.22 |
+| Vendor SOC 2 / ISO reports | PDF from vendor | Annual | A.5.22 |
+| Vendor contracts (security clauses) | Signed agreements (sample) | Per engagement | A.5.20 |
+| Vendor DPAs | Signed agreements | Per vendor handling PII | A.5.20 |
+
+## ISMS Management (Clauses 4-10)
+
+| Evidence | Format | Refresh | Controls |
+|----------|--------|---------|----------|
+| ISMS scope document | PDF/markdown | Annual | C.4.3 |
+| Information security policy | Signed PDF | Annual | C.5.2 |
+| Risk assessment | Spreadsheet/register | Annual | C.6.1.2, C.8.2 |
+| Statement of Applicability | Spreadsheet | Annual | C.6.1.3 |
+| Risk treatment plan | Document with status | Ongoing | C.6.1.3, C.8.3 |
+| Management review minutes | Meeting notes | Annual minimum | C.9.3 |
+| Internal audit report | Document with findings | Annual | C.9.2 |
+| Corrective action log | Spreadsheet/tracker | Ongoing | C.10.2 |

package/skills/iso-27001-evidence-collection/rules/screenshot-guide.md

@@ -0,0 +1,77 @@
+# Screenshot Evidence Guide
+
+When API exports are not available, screenshots are acceptable evidence — but they must meet specific requirements to be accepted by auditors.
+
+## When to Use Screenshots
+
+Screenshots are the evidence of LAST RESORT. Use them only when:
+
+1. The system has no API or CLI export capability
+2. You need to show a UI-specific configuration (e.g., portal settings page)
+3. The API export doesn't capture what the auditor needs to see
+4. You're documenting a process (step-by-step walkthrough)
+
+**Always prefer API exports** — they're timestamped, machine-readable, and harder to forge.
+
+## Requirements for Audit-Ready Screenshots
+
+### Mandatory
+- **System clock visible** — the macOS menu bar (top-right) or Windows taskbar (bottom-right) must show the current date and time
+- **Full context** — show the complete page/panel, not a cropped section. Auditors need to verify WHAT system the screenshot is from
+- **URL bar visible** — for web applications, the browser URL bar must be visible to confirm the system
+- **User identity visible** — the logged-in user should be visible (top-right corner in most portals)
+
+### Recommended
+- **High resolution** — at least 1920x1080 to ensure text is readable
+- **No annotations on the evidence copy** — annotated versions can be provided separately for reference
+- **Dark mode off** — light backgrounds print more clearly for auditors who print evidence
+
+## macOS Screenshot Commands
+
+```bash
+# Full screen capture (includes menu bar with clock)
+screencapture -x ~/evidence/{filename}.png
+
+# Specific window capture (add -w flag, then click the window)
+screencapture -xw ~/evidence/{filename}.png
+
+# Timed capture (10 second delay — useful for capturing dropdown menus)
+screencapture -xT 10 ~/evidence/{filename}.png
+
+# Capture specific screen region (drag to select)
+screencapture -xs ~/evidence/{filename}.png
+```
+
+**Tip**: The `-x` flag prevents the screenshot sound, which is less disruptive.
+
+## Naming Convention
+
+```
+{control_id}_{system}_{description}_{YYYY-MM-DD}.png
+```
+
+Examples:
+- `A.5.17_google-workspace_mfa-enforcement_2026-02-28.png`
+- `A.8.9_aws-console_security-group-config_2026-02-28.png`
+- `A.8.32_github_branch-protection-settings_2026-02-28.png`
+
+## Common Screenshot Evidence
+
+| Control | What to Screenshot | System |
+|---------|-------------------|--------|
+| A.5.17 | MFA enforcement settings | Google Workspace Admin / Azure AD |
+| A.8.5 | Password policy configuration | IdP settings page |
+| A.8.9 | Security group / firewall rules | Cloud console (when CLI unavailable) |
+| A.8.15 | Log retention settings | CloudWatch / Stackdriver / Azure Monitor |
+| A.8.24 | Encryption at rest configuration | Database / storage settings |
+| A.8.32 | Branch protection rules | GitHub repository settings |
+
+## Rejection Reasons
+
+Auditors commonly reject screenshots for:
+
+1. **No timestamp** — "When was this taken?" → Include system clock
+2. **Cropped too tightly** — "What system is this from?" → Show URL bar and surrounding context
+3. **Edited or annotated** — "Is this authentic?" → Provide clean + annotated versions separately
+4. **Wrong environment** — "Is this production?" → URL should show production hostname
+5. **Stale** — "This is from 6 months ago" → Re-capture within the audit window

package/skills/iso-27001-internal-audit/CONNECTORS.md

@@ -0,0 +1,23 @@
+# Connectors
+
+## How tool references work
+
+This skill uses `~~category` placeholders for optional integrations. The skill works without any connectors configured — they enhance the experience when available.
+
+## Connectors for this skill
+
+| Category | Placeholder | Recommended server | Other options |
+|----------|-------------|-------------------|---------------|
+| Compliance data | `~~compliance` | Compliance MCP server (planned — not yet available) | Local `compliance/` directory files |
+
+### Local compliance data (current default)
+
+If the `compliance/` directory exists with status and evidence files, the skill reads those directly. No MCP server needed — just ensure `compliance/status/last_refresh.yaml` is current.
+
+### Compliance MCP server (planned)
+
+A dedicated compliance MCP server with live test results, evidence freshness tracking, and real-time gap analysis is planned but not yet available. When released, it will be installable as a standard MCP server. Until then, the skill operates in local-data or reference-only mode.
+
+### Fallback: Reference only
+
+Without any connector, the skill uses embedded `rules/` files for procedural guidance, control descriptions, and evidence checklists. No organization-specific status data is available in this mode.

package/skills/iso-27001-internal-audit/SKILL.md

@@ -0,0 +1,272 @@
+---
+name: iso-27001-internal-audit
+description: >-
+  Run an ISO 27001 internal audit. Walk through controls by domain, identify
+  gaps, collect evidence, and generate findings with corrective action
+  recommendations. Uses NIST SP 800-53 (public domain) as canonical reference.
+license: MIT
+compatibility: >-
+  Works with any AI agent. Enhanced with compliance MCP server for live
+  dashboard data. Falls back to embedded reference files when no live data
+  is available.
+metadata:
+  author: open-agreements
+  version: "0.1.0"
+  frameworks:
+    - ISO 27001:2022
+    - SOC 2 Type II
+    - NIST SP 800-53 Rev 5
+---
+
+# ISO 27001 Internal Audit
+
+Run a structured internal audit against ISO 27001:2022. This skill walks you through scoping, control assessment, evidence collection, and findings generation — following the same workflow a certified auditor uses.
+
+## Security Model
+
+- **No scripts executed** — this skill is markdown-only procedural guidance
+- **No secrets required** — works with public reference data
+- **IP-clean** — all control descriptions are original writing referencing NIST SP 800-53 (public domain). ISO 27001:2022 controls are referenced by section ID only (e.g., "A.5.15"), never by copyrighted title or description
+- **Evidence stays local** — all evidence collection commands output to local filesystem
+
+## When to Use
+
+Activate this skill when:
+
+1. **Preparing for a surveillance or certification audit** — run 4-6 weeks before the external audit
+2. **Performing quarterly internal audit** — ISO 27001 requires at least annual internal audits; quarterly is best practice
+3. **Post-incident review** — assess whether controls failed and what corrective actions are needed
+4. **New framework adoption** — map existing controls to ISO 27001 requirements
+5. **Onboarding a new compliance tool** — validate that automated checks cover the right controls
+
+Do NOT use for:
+- Generating the ISO 27001 Statement of Applicability (SoA) from scratch — use `iso-27001-evidence-collection` for evidence gathering first
+- SOC 2-only audits — use `soc2-readiness` instead
+- Reading or interpreting a specific contract clause — use legal agreement skills
+
+## Core Concepts
+
+### Control Domains (ISO 27001:2022 Annex A)
+
+ISO 27001:2022 has 93 Annex A controls across 4 domains, plus ISMS clauses 4-10 (30 sub-clauses). This skill covers **48 priority Annex A controls** (of 93 total) — the most critical per domain for cloud-native startups. Remaining controls are lower-tier or typically N/A for cloud-native organizations.
+
+| Domain | Controls | Focus |
+|--------|----------|-------|
+| A.5 Organizational | 37 | Policies, roles, incident management, supplier relations |
+| A.6 People | 8 | Screening, training, termination, confidentiality |
+| A.7 Physical | 14 | Facility security, equipment, media — mostly N/A for cloud startups |
+| A.8 Technological | 34 | Access control, crypto, logging, SDLC, network security |
+| Clauses 4-10 | 30 | ISMS management system (context, leadership, planning, support, operation, performance, improvement) |
+
+### Decision Tree: Startup Scoping
+
+```
+Is the organization cloud-native (no owned data centers)?
+├── YES → Mark A.7.1-A.7.9, A.7.11-A.7.13 as "satisfied by cloud provider SOC 2"
+│         Focus evidence on: laptops, home offices, mobile devices
+├── NO  → Full A.7 assessment required
+│
+Does the organization develop software?
+├── YES → A.8.25-A.8.34 (SDLC controls) are in scope
+├── NO  → A.8.25-A.8.34 can be scoped out with justification
+│
+Does the organization handle PII?
+├── YES → A.5.34 (privacy) is critical, cross-reference with GDPR/CCPA
+├── NO  → A.5.34 is checkbox tier
+```
+
+### Control Tiering
+
+Not all 93 controls fail equally. Prioritize by audit failure frequency:
+
+| Tier | Count | Treatment |
+|------|-------|-----------|
+| **Critical** | ~30 | Full assessment: evidence, interviews, observation |
+| **Relevant** | ~30 | Standard check: evidence review, spot-check |
+| **Checkbox** | ~33 | Verify policy exists or cloud provider covers it |
+
+For detailed per-control guidance, load `rules/<domain>.md`.
+
+## Step-by-Step Workflow
+
+### Step 1: Scope and Context
+
+1. **Identify the ISMS scope** — What systems, processes, locations, and people are in scope?
+2. **Gather the Statement of Applicability (SoA)** — Which of the 93 Annex A controls apply?
+3. **Review previous audit findings** — What was flagged last time? Are corrective actions closed?
+4. **Check data freshness** — If using a monitoring dashboard or automated testing system, verify data is < 7 days old
+
+```
+# If compliance MCP is available:
+check_compliance_status(framework="iso27001_2022")
+
+# If reading local files:
+# Check compliance/status/last_refresh.yaml for staleness
+```
+
+### Step 2: ISMS Clause Assessment (Clauses 4-10)
+
+Most startups fail here — they treat ISMS as documentation, not a functioning management system.
+
+1. **Clause 5 (Leadership)** — Is there a signed security policy? Who is the ISMS owner? Is there evidence of management review?
+2. **Clause 6 (Planning)** — Is there a risk assessment? Is it current (< 12 months)? Does it reference the SoA?
+3. **Clause 7 (Support)** — Is there a competence matrix? Are training records current?
+4. **Clause 8 (Operation)** — Is the risk treatment plan being executed?
+5. **Clause 9 (Performance)** — Are there metrics? Has an internal audit been done? Is there a management review record?
+6. **Clause 10 (Improvement)** — Are nonconformities tracked? Are corrective actions implemented?
+
+**Auditor hint**: Auditors look for a CONNECTED chain — risk assessment → SoA → risk treatment plan → evidence of implementation → monitoring → management review → improvement. Any break in the chain is a nonconformity.
+
+### Step 3: Annex A Control Assessment
+
+Work through controls by domain, prioritizing Critical tier:
+
+1. **For each Critical control**:
+   - Check: Is there a documented policy/procedure?
+   - Check: Is there evidence of implementation?
+   - Check: Is there evidence of monitoring/review?
+   - Record finding: Conformity / Minor nonconformity / Major nonconformity / Observation
+
+2. **For each Relevant control**:
+   - Check: Is there evidence of implementation?
+   - Spot-check one or two items
+   - Record finding
+
+3. **For each Checkbox control**:
+   - Verify policy exists or cloud provider SOC 2 covers it
+   - Record as conforming or note exception
+
+```
+# If compliance MCP is available:
+get_domain_overview(domain="organizational")
+get_control_guidance(control_id="A.5.15")
+list_evidence_gaps(framework="iso27001_2022", tier="critical")
+```
+
+### Step 4: Evidence Collection
+
+For each finding, collect supporting evidence:
+
+1. **API exports** (preferred) — timestamped JSON/CSV from source systems
+2. **Screenshots** (when API unavailable) — must include visible system clock
+3. **Interview notes** — summarize who said what, when
+4. **Document review** — note document name, version, date reviewed
+
+**Evidence naming convention**: `{control_id}_{evidence_type}_{date}.{ext}`
+Example: `A.5.15_user-access-list_2026-02-28.json`
+
+For detailed collection commands, load `rules/` files or use the `iso-27001-evidence-collection` skill.
+
+### Step 5: Generate Findings
+
+For each nonconformity:
+
+```markdown
+## Finding: [Short title]
+
+- **Control**: A.x.x
+- **NIST Reference**: [NIST control ID]
+- **Severity**: Major / Minor / Observation
+- **Description**: [What was found]
+- **Evidence**: [What evidence supports the finding]
+- **Root Cause**: [Why the control failed]
+- **Corrective Action**: [Specific remediation steps]
+- **Due Date**: [Agreed timeline]
+- **Owner**: [Person responsible]
+```
+
+**Severity definitions**:
+- **Major nonconformity**: Control is missing or completely ineffective. Audit failure risk.
+- **Minor nonconformity**: Control exists but has gaps. Must fix before next surveillance audit.
+- **Observation**: Potential improvement. Not required but recommended.
+
+### Step 6: Audit Report
+
+Generate a structured audit report:
+
+1. **Executive summary** — overall ISMS maturity, key findings, recommendation
+2. **Scope** — what was audited, what was excluded
+3. **Methodology** — controls assessed, evidence reviewed, people interviewed
+4. **Findings** — grouped by domain, with severity and corrective actions
+5. **Positive observations** — what's working well (auditors do note these)
+6. **Conclusion** — readiness for external audit, recommended timeline
+
+## Quick Reference: Top 10 Controls That Fail Most Often
+
+| # | Control | Common Failure | Fix |
+|---|---------|---------------|-----|
+| 1 | A.5.15 | No periodic access review | Schedule quarterly reviews, export user lists |
+| 2 | A.8.8 | No vulnerability scanning | Deploy Dependabot/Snyk, schedule infra scans |
+| 3 | A.5.24 | Incident response plan untested | Run tabletop exercise, document results |
+| 4 | A.8.5 | MFA not enforced everywhere | Enable MFA on all production + admin accounts |
+| 5 | A.5.30 | No business continuity test | Run DR failover test, document RTO/RPO results |
+| 6 | A.8.15 | Audit logs not centralized | Ship logs to SIEM/CloudWatch/Stackdriver |
+| 7 | A.8.9 | No baseline configuration | Document server/container base images |
+| 8 | A.6.1 | Background checks incomplete | Verify all employees have completed screening |
+| 9 | A.8.32 | No change management process | Require PR reviews, document deployment process |
+| 10 | A.5.9 | Asset inventory incomplete | Export from cloud provider + endpoint management |
+
+## DO / DON'T
+
+### DO
+- Collect evidence via API exports with ISO 8601 timestamps — always preferred over screenshots
+- Test controls, don't just review documentation — auditors check implementation, not just policies
+- Interview people at different levels — manager says one thing, engineer may say another
+- Document positive findings — shows the audit is balanced and thorough
+- Keep the SoA aligned with actual controls — gaps between SoA and implementation are major findings
+- Use `screencapture -x ~/evidence/{filename}.png` on macOS when screenshots are necessary
+
+### DON'T
+- Screenshot portals without visible system clock — auditors will reject undated evidence
+- Accept "we have a policy" without checking implementation — "show me" > "tell me"
+- Audit your own work — independence requirement (Clause 9.2) means auditors can't audit their own area
+- Treat checkbox controls as zero-effort — even N/A controls need justification in the SoA
+- Skip ISMS clauses to focus only on Annex A — most first-time failures are in clauses 4-10
+
+## Troubleshooting
+
+| Problem | Solution |
+|---------|----------|
+| Data is stale (> 7 days old) | Refresh from monitoring dashboard or re-export from source systems |
+| Can't determine which controls apply | Start with the SoA; if no SoA exists, use the decision tree above |
+| Too many findings to address before audit | Prioritize: fix all Major nonconformities first, then Critical-tier Minors |
+| Evidence timestamps don't match audit period | Re-collect evidence within the audit window (typically 12 months) |
+| Cloud provider controls not documented | Request SOC 2 Type II report from provider; map their controls to your SoA |
+| Internal audit has never been done | This IS the first internal audit — document that in the report and plan for regular cadence |
+
+## Rules
+
+For detailed per-control guidance, load the appropriate rules file:
+
+| File | Coverage |
+|------|----------|
+| `rules/access-control.md` | A.5.15-A.5.18, A.8.2-A.8.5 — identity, authentication, authorization |
+| `rules/incident-response.md` | A.5.24-A.5.29, A.6.8 — incident lifecycle |
+| `rules/encryption.md` | A.8.24, A.8.10-A.8.12 — cryptographic controls |
+| `rules/change-management.md` | A.8.25-A.8.34, A.8.9, A.8.32 — SDLC and configuration |
+| `rules/logging-monitoring.md` | A.8.15-A.8.17 — audit trails and monitoring |
+| `rules/business-continuity.md` | A.5.30, A.8.13-A.8.14 — backup, DR, BCP |
+| `rules/people-controls.md` | A.6.1-A.6.8 — HR security lifecycle |
+| `rules/supplier-management.md` | A.5.19-A.5.23 — third-party risk |
+| `rules/isms-management.md` | Clauses 4-10 — management system operation |
+
+## Attribution
+
+Audit procedures and control guidance developed with [Internal ISO Audit](https://internalisoaudit.com) (Hazel Castro, ISO 27001 Lead Auditor, 14+ years, 100+ audits).
+
+## Runtime Detection
+
+This skill operates in three modes, detected automatically:
+
+1. **Compliance MCP server available** (best) — Live dashboard data, automated test results, real-time gap analysis
+   - Detected by: `check_compliance_status()` returns data
+   - Benefits: Current test pass/fail status, evidence freshness, SLA tracking
+
+2. **Local compliance data available** (good) — Reads `compliance/` directory directly
+   - Detected by: `compliance/status/last_refresh.yaml` exists
+   - Benefits: Historical test data, evidence status, control mappings
+
+3. **Reference only** (baseline) — Uses embedded `rules/` files, no live data
+   - Always available
+   - Benefits: Procedural guidance, control descriptions, evidence checklists
+   - Limitation: No organization-specific status data