isms-audit-expert

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

ISMS Audit Expert

ISMS审计专家

Internal and external ISMS audit management for ISO 27001 compliance verification, security control assessment, and certification support.

用于ISO 27001合规性验证、安全控制评估及认证支持的内部与外部ISMS审计管理。

Audit Program Management

审计计划管理

Risk-Based Audit Schedule

基于风险的审计计划

Risk Level	Audit Frequency	Examples
Critical	Quarterly	Privileged access, vulnerability management, logging
High	Semi-annual	Access control, incident response, encryption
Medium	Annual	Policies, awareness training, physical security
Low	Annual	Documentation, asset inventory

风险等级	审计频率	示例
关键	季度	特权访问、漏洞管理、日志记录
高	半年	访问控制、事件响应、加密
中	年度	政策、意识培训、物理安全
低	年度	文档、资产清单

Annual Audit Planning Workflow

年度审计规划流程

Review previous audit findings and risk assessment results
Identify high-risk controls and recent security incidents
Determine audit scope based on ISMS boundaries
Assign auditors ensuring independence from audited areas
Create audit schedule with resource allocation
Obtain management approval for audit plan
Validation: Audit plan covers all Annex A controls within certification cycle

回顾以往审计发现和风险评估结果
识别高风险控制措施和近期安全事件
根据ISMS边界确定审计范围
分配审计人员，确保其与被审计领域独立
创建包含资源分配的审计计划
获取管理层对审计计划的批准
验证： 审计计划覆盖认证周期内的所有Annex A控制措施

Auditor Competency Requirements

审计人员能力要求

ISO 27001 Lead Auditor certification (preferred)
No operational responsibility for audited processes
Understanding of technical security controls
Knowledge of applicable regulations (GDPR, HIPAA)

具备ISO 27001主任审计师认证（优先）
对被审计流程无运营职责
了解技术安全控制措施
熟悉适用法规（GDPR、HIPAA）

Audit Execution

审计执行

Pre-Audit Preparation

审计前准备

Review ISMS documentation (policies, SoA, risk assessment)
Analyze previous audit reports and open findings
Prepare audit plan with interview schedule
Notify auditees of audit scope and timing
Prepare checklists for controls in scope
Validation: All documentation received and reviewed before opening meeting

审阅ISMS文档（政策、SoA、风险评估报告）
分析以往审计报告和未闭环的问题
制定包含访谈日程的审计计划
通知被审计方审计范围和时间安排
为范围内的控制措施准备检查清单
验证： 首次会议前已接收并审阅所有文档

Audit Conduct Steps

审计执行步骤

Opening Meeting
- Confirm audit scope and objectives
- Introduce audit team and methodology
- Agree on communication channels and logistics
Evidence Collection
- Interview control owners and operators
- Review documentation and records
- Observe processes in operation
- Inspect technical configurations
Control Verification
- Test control design (does it address the risk?)
- Test control operation (is it working as intended?)
- Sample transactions and records
- Document all evidence collected
Closing Meeting
- Present preliminary findings
- Clarify any factual inaccuracies
- Agree on finding classification
- Confirm corrective action timelines
Validation: All controls in scope assessed with documented evidence

首次会议
- 确认审计范围和目标
- 介绍审计团队和方法
- 商定沟通渠道和后勤安排
证据收集
- 访谈控制措施负责人和操作人员
- 审阅文档和记录
- 观察流程运行情况
- 检查技术配置
控制措施验证
- 测试控制设计（是否能应对风险？）
- 测试控制运行（是否按预期工作？）
- 抽样检查交易和记录
- 记录所有收集到的证据
末次会议
- 展示初步审计发现
- 澄清任何事实不准确之处
- 商定问题分类
- 确认纠正措施时间线
验证： 范围内的所有控制措施均已通过记录的证据进行评估

Evidence Collection Methods

证据收集方法

Method	Use Case	Example
Inquiry	Process understanding	Interview Security Manager about incident response
Observation	Operational verification	Watch visitor sign-in process
Inspection	Documentation review	Check access approval records
Re-performance	Control testing	Attempt login with weak password

方法	使用场景	示例
询问	流程理解	访谈安全经理了解事件响应流程
观察	运行验证	查看访客登记流程
检查	文档审阅	检查访问审批记录
重新执行	控制测试	尝试使用弱密码登录

Control Assessment

控制评估

ISO 27002 Control Categories

ISO 27002控制类别

Organizational Controls (A.5):

Information security policies
Roles and responsibilities
Segregation of duties
Contact with authorities
Threat intelligence
Information security in projects

People Controls (A.6):

Screening and background checks
Employment terms and conditions
Security awareness and training
Disciplinary process
Remote working security

Physical Controls (A.7):

Physical security perimeters
Physical entry controls
Securing offices and facilities
Physical security monitoring
Equipment protection

Technological Controls (A.8):

User endpoint devices
Privileged access rights
Access restriction
Secure authentication
Malware protection
Vulnerability management
Backup and recovery
Logging and monitoring
Network security
Cryptography

组织控制（A.5）：

信息安全政策
角色与职责
职责分离
与主管部门的联系
威胁情报
项目中的信息安全

人员控制（A.6）：

筛选与背景调查
雇佣条款与条件
安全意识与培训
纪律流程
远程办公安全

物理控制（A.7）：

物理安全边界
物理进入控制
办公场所与设施安全
物理安全监控
设备保护

技术控制（A.8）：

用户终端设备
特权访问权限
访问限制
安全认证
恶意软件防护
漏洞管理
备份与恢复
日志与监控
网络安全
加密技术

Control Testing Approach

控制测试方法

Identify control objective from ISO 27002
Determine testing method (inquiry, observation, inspection, re-performance)
Define sample size based on population and risk
Execute test and document results
Evaluate control effectiveness
Validation: Evidence supports conclusion about control status

从ISO 27002中识别控制目标
确定测试方法（询问、观察、检查、重新执行）
根据总体数量和风险定义样本量
执行测试并记录结果
评估控制措施有效性
验证： 证据支持关于控制状态的结论

Finding Management

问题管理

Finding Classification

问题分类

Severity	Definition	Response Time
Major Nonconformity	Control failure creating significant risk	30 days
Minor Nonconformity	Isolated deviation with limited impact	90 days
Observation	Improvement opportunity	Next audit cycle

严重程度	定义	响应时间
重大不符合项	控制措施失效，带来重大风险	30天
轻微不符合项	孤立偏差，影响有限	90天
观察项	改进机会	下一审计周期

Finding Documentation Template

问题文档模板

Finding ID: ISMS-[YEAR]-[NUMBER]
Control Reference: A.X.X - [Control Name]
Severity: [Major/Minor/Observation]

Evidence:
- [Specific evidence observed]
- [Records reviewed]
- [Interview statements]

Risk Impact:
- [Potential consequences if not addressed]

Root Cause:
- [Why the nonconformity occurred]

Recommendation:
- [Specific corrective action steps]

Finding ID: ISMS-[YEAR]-[NUMBER]
Control Reference: A.X.X - [Control Name]
Severity: [Major/Minor/Observation]

Evidence:
- [Specific evidence observed]
- [Records reviewed]
- [Interview statements]

Risk Impact:
- [Potential consequences if not addressed]

Root Cause:
- [Why the nonconformity occurred]

Recommendation:
- [Specific corrective action steps]

Corrective Action Workflow

纠正措施流程

Auditee acknowledges finding and severity
Root cause analysis completed within 10 days
Corrective action plan submitted with target dates
Actions implemented by responsible parties
Auditor verifies effectiveness of corrections
Finding closed with evidence of resolution
Validation: Root cause addressed, recurrence prevented

被审计方确认问题及其严重程度
10天内完成根本原因分析
提交包含目标日期的纠正行动计划
责任方实施措施
审计人员验证纠正措施的有效性
问题通过解决证据闭环
验证： 根本原因已解决，防止复发

Certification Support

认证支持

Stage 1 Audit Preparation

第一阶段审计准备

Stage 2 Audit Preparation

第二阶段审计准备

Surveillance Audit Cycle

监督审计周期

Period	Focus
Year 1, Q2	High-risk controls, Stage 2 findings follow-up
Year 1, Q4	Continual improvement, control sample
Year 2, Q2	Full surveillance
Year 2, Q4	Re-certification preparation

Validation: No major nonconformities at surveillance audits.

周期	重点
第1年第2季度	高风险控制措施、第二阶段问题跟进
第1年第4季度	持续改进、控制措施抽样
第2年第2季度	全面监督审计
第2年第4季度	重新认证准备

验证： 监督审计中无重大不符合项。

Tools

工具

scripts/

Script	Purpose	Usage
`isms_audit_scheduler.py`	Generate risk-based audit plans	`python scripts/isms_audit_scheduler.py --year 2025 --format markdown`

脚本	用途	使用方法
`isms_audit_scheduler.py`	生成基于风险的审计计划	`python scripts/isms_audit_scheduler.py --year 2025 --format markdown`

Audit Planning Example

审计计划示例

bash

undefined

bash

undefined

Generate annual audit plan

python scripts/isms_audit_scheduler.py --year 2025 --output audit_plan.json

With custom control risk ratings

python scripts/isms_audit_scheduler.py --controls controls.csv --format markdown

---

python scripts/isms_audit_scheduler.py --controls controls.csv --format markdown

---

References

参考资料

File	Content
iso27001-audit-methodology.md	Audit program structure, pre-audit phase, certification support
security-control-testing.md	Technical verification procedures for ISO 27002 controls
cloud-security-audit.md	Cloud provider assessment, configuration security, IAM review

文件	内容
iso27001-audit-methodology.md	审计计划结构、审计前阶段、认证支持
security-control-testing.md	ISO 27002控制措施的技术验证流程
cloud-security-audit.md	云服务商评估、配置安全、IAM审阅

Audit Performance Metrics

审计绩效指标

KPI	Target	Measurement
Audit plan completion	100%	Audits completed vs. planned
Finding closure rate	>90% within SLA	Closed on time vs. total
Major nonconformities	0 at certification	Count per certification cycle
Audit effectiveness	Incidents prevented	Security improvements implemented

KPI	目标	衡量方式
审计计划完成率	100%	已完成审计数 vs 计划审计数
问题闭环率	SLA内>90%	按时闭环数 vs 总数
重大不符合项数	认证时为0	每认证周期的数量
审计有效性	预防事件发生	已实施的安全改进措施

Compliance Framework Integration

合规框架整合

Framework	ISMS Audit Relevance
GDPR	A.5.34 Privacy, A.8.10 Information deletion
HIPAA	Access controls, audit logging, encryption
PCI DSS	Network security, access control, monitoring
SOC 2	Trust Services Criteria mapped to ISO 27002

框架	ISMS审计相关性
GDPR	A.5.34隐私、A.8.10信息删除
HIPAA	访问控制、审计日志、加密
PCI DSS	网络安全、访问控制、监控
SOC 2	映射至ISO 27002的信任服务准则

isms-audit-expert

Original

Translation

ISMS Audit Expert

ISMS审计专家

Table of Contents

目录

Audit Program Management

审计计划管理

Risk-Based Audit Schedule

基于风险的审计计划

Annual Audit Planning Workflow

年度审计规划流程

Auditor Competency Requirements

审计人员能力要求

Audit Execution

审计执行

Pre-Audit Preparation

审计前准备

Audit Conduct Steps

审计执行步骤

Evidence Collection Methods

证据收集方法

Control Assessment

控制评估

ISO 27002 Control Categories

ISO 27002控制类别

Control Testing Approach

控制测试方法

Finding Management

问题管理

Finding Classification

问题分类

Finding Documentation Template

问题文档模板

Corrective Action Workflow

纠正措施流程

Certification Support

认证支持

Stage 1 Audit Preparation

第一阶段审计准备

Stage 2 Audit Preparation

第二阶段审计准备

Surveillance Audit Cycle

监督审计周期

Tools

工具

scripts/

scripts/

Audit Planning Example

审计计划示例

Generate annual audit plan

Generate annual audit plan

With custom control risk ratings

With custom control risk ratings

References

参考资料

Audit Performance Metrics

审计绩效指标

Compliance Framework Integration

合规框架整合