iso-27001-evidence-collection


ISO 27001 Evidence Collection

Systematically collect audit evidence for ISO 27001:2022 and SOC 2. This skill provides API-first evidence collection commands, organizes evidence by control, and validates completeness before auditor review.

Security Model

  • No scripts executed — this skill is markdown-only procedural guidance
  • No secrets required — works with reference checklists; CLI commands use existing local credentials
  • Evidence stays local — all outputs go to the local filesystem
  • IP-clean — references NIST SP 800-53 (public domain); ISO controls cited by section ID only

When to Use

Activate this skill when:
  1. Preparing evidence package for external audit — 2-4 weeks before auditor arrives
  2. Quarterly evidence refresh — update evidence that has aged beyond the audit window
  3. After remediation — collect evidence proving a finding has been fixed
  4. New system onboarding — establish baseline evidence for a newly in-scope system
  5. Evidence gap analysis — identify what's missing before the audit
Do NOT use for:
  • Running the internal audit itself — use iso-27001-internal-audit
  • SOC 2-only readiness assessment — use soc2-readiness
  • Interpreting audit findings — use the internal audit skill

Core Concepts

Evidence Hierarchy (Best to Worst)

| Rank | Type | Example | Why Better |
|---|---|---|---|
| 1 | API export (JSON/CSV) | `gcloud iam service-accounts list --format=json` | Timestamped, tamper-evident, reproducible |
| 2 | System-generated report | SOC 2 report from vendor, SIEM export | Authoritative source, includes metadata |
| 3 | Configuration export | Terraform state, policy JSON | Shows intended state, version-controlled |
| 4 | Screenshot with system clock | `screencapture -x ~/evidence/...` | Visual proof, but harder to validate |
| 5 | Manual attestation | Signed statement by responsible person | Last resort, requires corroboration |

Evidence Freshness Requirements

| Evidence Type | Max Age | Refresh Cadence |
|---|---|---|
| Access lists | 90 days | Quarterly |
| Vulnerability scans | 30 days | Monthly |
| Configuration exports | 90 days | Quarterly |
| Training records | 12 months | Annual |
| Penetration test | 12 months | Annual |
| Policy documents | 12 months | Annual review |
| Incident records | Audit period | Continuous |
| Risk assessment | 12 months | Annual + on change |

Evidence Naming Convention

`{control_id}_{evidence_type}_{YYYY-MM-DD}.{ext}`

Examples:
  • A.5.15_user-access-list_2026-02-28.json
  • A.8.8_vulnerability-scan_2026-02-28.csv
  • A.8.13_backup-test-results_2026-02-28.pdf

Step-by-Step Workflow

Step 1: Identify Evidence Gaps

Determine what evidence is missing or stale.

If Internal ISO Audit MCP server is available:

```
search_guidance(query="evidence", domain="organizational")  # Find controls needing evidence
list_controls(domain="technological")                        # List all tech controls to assess gaps
get_control_guidance(control_id="A.5.15")                    # Get evidence requirements for a specific control
```

If reading local compliance data:
  • Check compliance/evidence/*.md files for upload_status != "OK"
  • Check renewal_next dates for upcoming expirations

Step 2: Prioritize Collection

Order evidence collection by:
  1. Missing evidence for Critical-tier controls — audit blockers
  2. Stale evidence past renewal date — auditor will reject
  3. Evidence for Relevant-tier controls — expected but not blocking
  4. Checkbox-tier evidence — policies and attestations

Step 3: Collect by Platform

Run evidence collection commands grouped by platform to minimize context-switching.

GitHub Evidence

```bash
# Org settings: MFA requirement, default permissions
gh api orgs/{org} | jq '{ two_factor_requirement_enabled, default_repository_permission, members_can_create_public_repositories }' \
  > evidence/A.5.17_github-org-mfa_$(date +%Y-%m-%d).json

# Branch protection on production repos (appends one JSON object per repo)
for repo in $(gh repo list {org} --json name -q '.[].name'); do
  gh api repos/{org}/$repo/branches/main/protection 2>/dev/null |
    jq --arg repo "$repo" '{repo: $repo, protection: .}' \
    >> evidence/A.8.32_branch-protection_$(date +%Y-%m-%d).json
done

# Recent merged PRs (change management evidence)
gh pr list --state merged --limit 50 --json number,title,author,reviewDecision,mergedAt,mergedBy \
  > evidence/A.8.32_change-records_$(date +%Y-%m-%d).json

# Dependabot alerts (vulnerability management)
gh api repos/{org}/{repo}/dependabot/alerts?state=open \
  > evidence/A.8.8_dependabot-alerts_$(date +%Y-%m-%d).json

# Secret scanning alerts
gh api orgs/{org}/secret-scanning/alerts --paginate \
  > evidence/A.8.24_secret-scanning_$(date +%Y-%m-%d).json

# Audit log
gh api orgs/{org}/audit-log?per_page=100 \
  > evidence/A.8.15_github-audit-log_$(date +%Y-%m-%d).json
```

GCP Evidence

```bash
# IAM policy (access control)
gcloud projects get-iam-policy {project} --format=json \
  > evidence/A.5.15_gcp-iam-policy_$(date +%Y-%m-%d).json

# Service accounts
gcloud iam service-accounts list --format=json \
  > evidence/A.5.16_gcp-service-accounts_$(date +%Y-%m-%d).json

# Audit logging config
gcloud projects get-iam-policy {project} --format=json | jq '.auditConfigs' \
  > evidence/A.8.15_gcp-audit-config_$(date +%Y-%m-%d).json

# Log sinks (centralization)
gcloud logging sinks list --format=json \
  > evidence/A.8.15_gcp-log-sinks_$(date +%Y-%m-%d).json

# Compute instances (asset inventory)
gcloud compute instances list --format=json \
  > evidence/A.5.9_gcp-compute-inventory_$(date +%Y-%m-%d).json

# Cloud SQL backup config
gcloud sql backups list --instance={instance} --format=json \
  > evidence/A.8.13_gcp-sql-backups_$(date +%Y-%m-%d).json

# Firewall rules
gcloud compute firewall-rules list --format=json \
  > evidence/A.8.20_gcp-firewall-rules_$(date +%Y-%m-%d).json
```

Azure Evidence

```bash
# Role assignments (access control)
az role assignment list --all --output json \
  > evidence/A.5.15_azure-role-assignments_$(date +%Y-%m-%d).json

# Activity log (audit trail)
az monitor activity-log list --max-events 100 --output json \
  > evidence/A.8.15_azure-activity-log_$(date +%Y-%m-%d).json

# Network security groups
az network nsg list --output json \
  > evidence/A.8.20_azure-nsgs_$(date +%Y-%m-%d).json

# Backup jobs
az backup job list --resource-group {rg} --vault-name {vault} --output json \
  > evidence/A.8.13_azure-backup-jobs_$(date +%Y-%m-%d).json

# Storage encryption
az storage account list --query "[].{name:name, encryption:encryption}" --output json \
  > evidence/A.8.24_azure-storage-encryption_$(date +%Y-%m-%d).json
```

Google Workspace Evidence

```bash
# User list with MFA status
gam print users fields primaryEmail,name,isEnrolledIn2Sv,isEnforcedIn2Sv,lastLoginTime,suspended \
  > evidence/A.5.17_workspace-users-mfa_$(date +%Y-%m-%d).csv

# Admin roles
gam print admins > evidence/A.8.2_workspace-admins_$(date +%Y-%m-%d).csv

# Mobile devices
gam print mobile > evidence/A.8.1_workspace-mobile-devices_$(date +%Y-%m-%d).csv
```

macOS Endpoint Evidence

```bash
# FileVault encryption
fdesetup status > evidence/A.8.24_filevault-status_$(date +%Y-%m-%d).txt

# System configuration
system_profiler SPHardwareDataType SPSoftwareDataType \
  > evidence/A.8.1_endpoint-config_$(date +%Y-%m-%d).txt

# Screen lock settings (-E so that | is treated as alternation)
profiles show -type configuration 2>/dev/null | grep -E -A10 -i "lock|idle|screensaver" \
  > evidence/A.6.7_screenlock-config_$(date +%Y-%m-%d).txt
```
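Every command above follows the same pattern: run an export, redirect it to a file named per the convention. The wrapper below, added here as an example and not part of this skill's rules/ files, factors that pattern out and adds what the DO list asks for: a sidecar with collection date, collector, the exact command and a SHA-256 digest, so an auditor can recompute the hash and confirm the export was not edited after collection. A failed export leaves no file behind, so an empty or partial file is never mistaken for evidence. EVIDENCE_DIR and the `.meta.json` sidecar layout are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not part of this skill's rules/): runs one collection command,
# names the output {control_id}_{evidence_type}_{YYYY-MM-DD}.{ext}, and writes a
# sidecar {file}.meta.json (collection date, collector, command, SHA-256).
# EVIDENCE_DIR and the sidecar layout are assumptions, not part of the skill.
set -u

EVIDENCE_DIR="${EVIDENCE_DIR:-evidence}"

# SHA-256 of a file: sha256sum on Linux, shasum on macOS.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Escape a string for use inside a JSON string literal.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g' | tr -d '\n'
}

# collect_evidence CONTROL_ID EVIDENCE_TYPE EXT COMMAND [ARGS...]
# Runs COMMAND, stores its stdout as the evidence file and prints that path.
# A failing command leaves no file behind and returns its exit status.
collect_evidence() {
  local control_id="$1" evidence_type="$2" ext="$3"
  shift 3
  local today out meta status cmd_str
  today=$(date -u +%Y-%m-%d)
  mkdir -p "$EVIDENCE_DIR"
  out="$EVIDENCE_DIR/${control_id}_${evidence_type}_${today}.${ext}"
  meta="${out}.meta.json"

  "$@" > "$out" && status=0 || status=$?
  if [ "$status" -ne 0 ]; then
    rm -f "$out"                      # never keep an empty or partial export
    echo "collection failed for $control_id ($evidence_type): exit $status" >&2
    return "$status"
  fi

  # Sidecar: who collected, when (ISO 8601 UTC), how, and a digest an auditor
  # can recompute against the evidence file.
  cmd_str=$(printf '%s ' "$@")
  printf '{"control_id":"%s","evidence_type":"%s","collected_at":"%s","collected_by":"%s","command":"%s","sha256":"%s"}\n' \
    "$(json_escape "$control_id")" "$(json_escape "$evidence_type")" \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(json_escape "${USER:-unknown}")" \
    "$(json_escape "${cmd_str% }")" "$(file_sha256 "$out")" > "$meta"
  echo "$out"
}

# Usage with commands from the sections above (run manually; needs gcloud/gh auth):
# collect_evidence A.5.15 gcp-iam-policy json gcloud projects get-iam-policy {project} --format=json
# collect_evidence A.8.24 filevault-status txt fdesetup status
```

Commit both the evidence file and its sidecar to the version-controlled evidence directory; the sidecar's `command` field doubles as the reproduction recipe an auditor may ask for.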

Step 4: Validate Evidence Package

Check completeness before submitting to auditor:
  1. Completeness: Do you have evidence for every applicable control in the SoA?
  2. Freshness: Is every piece of evidence within the required age?
  3. Format: Are API exports in JSON/CSV with timestamps? Do screenshots have the system clock visible?
  4. Naming: Do files follow the naming convention?
  5. Coverage: Do Critical-tier controls have at least 2 forms of evidence?

If Internal ISO Audit MCP server is available:

```
list_controls()                                           # Get all controls to verify evidence coverage
get_control_guidance(control_id="A.8.8")                  # Check specific control's evidence expectations
search_guidance(query="vulnerability scanning evidence")  # Find controls related to specific evidence types
```

Step 5: Generate Evidence Index

Create an index file listing all evidence, mapped to controls:

```markdown
# Evidence Package Index

Generated: {date}
Audit period: {start} to {end}

| Control | Evidence File | Type | Collected | Status |
|---|---|---|---|---|
| A.5.15 | gcp-iam-policy_2026-02-28.json | API export | 2026-02-28 | Current |
| A.5.17 | workspace-users-mfa_2026-02-28.csv | API export | 2026-02-28 | Current |
| ... | ... | ... | ... | ... |
```
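The Step 4 naming and freshness checks and the Step 5 index can be produced from the filenames alone, because the naming convention encodes the control, the evidence type and the collection date. The script below is an added example (not the skill's own code) that serves both steps: it parses each file in an evidence directory, computes its age against the freshness table with pure shell arithmetic (so GNU and BSD `date` differences do not matter), and writes the index with a derived Status column. The keyword-to-max-age mapping and the type labels are assumptions about how `evidence_type` is spelled; files that break the convention are listed with a question mark rather than silently skipped.

```bash
#!/usr/bin/env bash
# Added example (not the skill's own code): validates an evidence directory
# against the naming convention and freshness table (Step 4) and writes the
# Step 5 index. Keyword -> max-age mapping and type labels are assumptions.
set -u

# Days since 1970-01-01 for YYYY-MM-DD, in shell arithmetic only.
civil_days() {
  local y m d rest era yoe mp doy doe
  y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
  y=$((10#$y)); m=$((10#$m)); d=$((10#$d))
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  mp=$(( m > 2 ? m - 3 : m + 9 ))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# Maximum age in days by evidence-type keyword (freshness table above).
# iam-policy is matched before the generic policy-document rule on purpose.
max_age_days() {
  case "$1" in
    *access*|*iam-policy*|*role-assignments*|*admins*|*users*) echo 90 ;;  # access lists
    *vuln*|*dependabot*|*secret-scanning*)                      echo 30 ;;  # vulnerability scans
    *training*|*pentest*|*policy*|*risk*)                       echo 365 ;; # annual items
    *)                                                          echo 90 ;;  # configuration exports
  esac
}

# Index "Type" column from the file extension (assumed labels).
type_label() {
  case "$1" in
    json|csv) echo "API export" ;;
    png|jpg)  echo "Screenshot" ;;
    *)        echo "Document" ;;
  esac
}

# parse_evidence_name FILE -> "control type date ext"; returns 1 when the
# basename does not follow {control_id}_{evidence_type}_{YYYY-MM-DD}.{ext}
parse_evidence_name() {
  local base control rest type date ext
  base=${1##*/}
  case "$base" in
    A.[0-9]*.[0-9]*_?*_[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9].?*) ;;
    *) return 1 ;;
  esac
  control=${base%%_*}; rest=${base#*_}
  type=${rest%_*};     rest=${rest##*_}
  date=${rest%%.*};    ext=${rest#*.}
  echo "$control $type $date $ext"
}

# evidence_status FILE AS_OF -> Current | Stale | Future-dated | Invalid-name
evidence_status() {
  local as_of="$2" fields age limit
  fields=$(parse_evidence_name "$1") || { echo "Invalid-name"; return 0; }
  set -- $fields                       # $1 control  $2 type  $3 date  $4 ext
  age=$(( $(civil_days "$as_of") - $(civil_days "$3") ))
  limit=$(max_age_days "$2")
  if [ "$age" -lt 0 ]; then echo "Future-dated"
  elif [ "$age" -le "$limit" ]; then echo "Current"
  else echo "Stale"; fi
}

# evidence_index DIR AS_OF -> Step 5 index (markdown) on stdout.
evidence_index() {
  local dir="$1" as_of="$2" f fields status
  printf '# Evidence Package Index\n\nGenerated: %s\n\n' "$as_of"
  echo "| Control | Evidence File | Type | Collected | Status |"
  echo "|---|---|---|---|---|"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in *.meta.json) continue ;; esac   # skip metadata sidecars
    status=$(evidence_status "$f" "$as_of")
    if fields=$(parse_evidence_name "$f"); then
      set -- $fields
      echo "| $1 | ${f##*/} | $(type_label "$4") | $3 | $status |"
    else
      echo "| ? | ${f##*/} | ? | ? | $status |"
    fi
  done
}

# Usage: evidence_index evidence "$(date -u +%Y-%m-%d)" > evidence/INDEX.md
```

Run it with the audit date rather than today's date when preparing a package in advance; anything reported as Stale or Invalid-name goes back to Step 2's priority list before the package is handed over.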

DO / DON'T

DO

  • Use API exports with ISO 8601 timestamps over screenshots whenever possible
  • Collect evidence from the SOURCE system (IdP, not a secondary report)
  • Include metadata: collection date, system version, user who collected
  • Store evidence in version-controlled directory with clear naming
  • Collect evidence for the AUDIT PERIOD (usually past 12 months), not just current state
  • Use `screencapture -x ~/evidence/(unknown).png` for screenshots (captures without shadow/border)

DON'T

  • Take screenshots without visible system clock (menu bar on macOS, taskbar on Windows)
  • Collect evidence from sandbox/staging instead of production
  • Manually edit evidence after collection (auditors may verify against source)
  • Wait until the week before the audit to collect everything
  • Assume stale evidence is acceptable — check freshness requirements above
  • Mix evidence from different audit periods in the same file

Troubleshooting

| Problem | Solution |
|---|---|
| API command requires auth | Use existing local credentials: `gcloud auth login`, `az login`, `gh auth login` |
| Tool not installed | Install: `brew install gh`, `brew install --cask google-cloud-sdk`, `brew install azure-cli` |
| Insufficient permissions | Request read-only access to the relevant service; document the access request as evidence |
| Evidence too large | Use `--limit` or `--max-events` flags; collect summary statistics instead of full export |
| Vendor won't provide SOC 2 report | Request via their trust center; if unavailable, document the request and use their security page |
| Screenshot doesn't include clock | On macOS: use full-screen capture, or `screencapture -x`, which includes the menu bar |

Rules

For detailed evidence collection guidance by topic:

| File | Coverage |
|---|---|
| rules/api-exports.md | CLI commands by cloud provider (GCP, Azure, AWS, GitHub, Google Workspace) |
| rules/screenshot-guide.md | When and how to take audit-ready screenshots |
| rules/evidence-types.md | Evidence type requirements per control domain |

Attribution

Evidence collection procedures and control guidance developed with Internal ISO Audit (Hazel Castro, ISO 27001 Lead Auditor, 14+ years, 100+ audits).

Runtime Detection

  1. Internal ISO Audit MCP server available (best) — Live control guidance lookup, NIST cross-reference, full-text search across all control evidence expectations. Server: internalisoaudit.com/api/mcp
  2. Local compliance data available (good) — Reads evidence status from compliance/evidence/*.md
  3. Reference only (baseline) — Uses embedded checklists and command reference in rules/