{
  "schemaVersion": "1.0",
  "item": {
    "slug": "iso-27001-evidence-collection",
    "name": "ISO 27001 Evidence Collection",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/stevenobiajulu/iso-27001-evidence-collection",
    "canonicalUrl": "https://clawhub.ai/stevenobiajulu/iso-27001-evidence-collection",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/iso-27001-evidence-collection",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=iso-27001-evidence-collection",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "CONNECTORS.md",
      "SKILL.md",
      "rules/api-exports.md",
      "rules/evidence-types.md",
      "rules/screenshot-guide.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-30T16:55:25.780Z",
      "expiresAt": "2026-05-07T16:55:25.780Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
        "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
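      "detail": "Yavira can redirect you to the upstream package for this source. The recorded probe (probeUrl, finalUrl) targeted slug=network and returned network-1.0.0.zip rather than this skill's slug, so confirm the downloaded archive is the iso-27001-evidence-collection package before extracting it.",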
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/iso-27001-evidence-collection"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md yourself after the package is downloaded, before pointing an agent at the extracted folder.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/iso-27001-evidence-collection",
    "agentPageUrl": "https://openagent3.xyz/skills/iso-27001-evidence-collection/agent",
    "manifestUrl": "https://openagent3.xyz/skills/iso-27001-evidence-collection/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/iso-27001-evidence-collection/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "ISO 27001 Evidence Collection",
        "body": "Systematically collect audit evidence for ISO 27001:2022 and SOC 2. This skill provides API-first evidence collection commands, organizes evidence by control, and validates completeness before auditor review."
      },
      {
        "title": "Security Model",
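        "body": "No scripts executed — this skill is markdown-only procedural guidance; the CLI commands it lists run only when you or your agent run them\nNo secrets required — works with reference checklists; CLI commands use existing local credentials and act with whatever access those credentials hold\nEvidence stays local — all outputs go to the local filesystem; exports such as IAM policies, audit logs and secret-scanning alerts are sensitive, so restrict access to the evidence directory\nIP-clean — references NIST SP 800-53 (public domain); ISO controls cited by section ID only"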
      },
      {
        "title": "When to Use",
        "body": "Activate this skill when:\n\nPreparing evidence package for external audit — 2-4 weeks before auditor arrives\nQuarterly evidence refresh — update evidence that has aged beyond the audit window\nAfter remediation — collect evidence proving a finding has been fixed\nNew system onboarding — establish baseline evidence for a newly in-scope system\nEvidence gap analysis — identify what's missing before the audit\n\nDo NOT use for:\n\nRunning the internal audit itself — use iso-27001-internal-audit\nSOC 2-only readiness assessment — use soc2-readiness\nInterpreting audit findings — use the internal audit skill"
      },
      {
        "title": "Evidence Hierarchy (Best to Worst)",
        "body": "Rank\tType\tExample\tWhy Better\n1\tAPI export (JSON/CSV)\tgcloud iam service-accounts list --format=json\tTimestamped, tamper-evident, reproducible\n2\tSystem-generated report\tSOC 2 report from vendor, SIEM export\tAuthoritative source, includes metadata\n3\tConfiguration export\tTerraform state, policy JSON\tShows intended state, version-controlled\n4\tScreenshot with system clock\tscreencapture -x ~/evidence/...\tVisual proof, but harder to validate\n5\tManual attestation\tSigned statement by responsible person\tLast resort, requires corroboration"
      },
      {
        "title": "Evidence Freshness Requirements",
        "body": "Evidence Type\tMax Age\tRefresh Cadence\nAccess lists\t90 days\tQuarterly\nVulnerability scans\t30 days\tMonthly\nConfiguration exports\t90 days\tQuarterly\nTraining records\t12 months\tAnnual\nPenetration test\t12 months\tAnnual\nPolicy documents\t12 months\tAnnual review\nIncident records\tAudit period\tContinuous\nRisk assessment\t12 months\tAnnual + on change"
      },
      {
        "title": "Evidence Naming Convention",
        "body": "{control_id}_{evidence_type}_{YYYY-MM-DD}.{ext}\n\nExamples:\n\nA.5.15_user-access-list_2026-02-28.json\nA.8.8_vulnerability-scan_2026-02-28.csv\nA.8.13_backup-test-results_2026-02-28.pdf"
      },
      {
        "title": "Step 1: Identify Evidence Gaps",
        "body": "Determine what evidence is missing or stale.\n\n# If compliance MCP is available:\nlist_evidence_gaps(framework=\"iso27001_2022\", tier=\"critical\")\n\n# If reading local compliance data:\n# Check compliance/evidence/*.md files for upload_status != \"OK\"\n# Check renewal_next dates for upcoming expirations"
      },
      {
        "title": "Step 2: Prioritize Collection",
        "body": "Order evidence collection by:\n\nMissing evidence for Critical-tier controls — audit blockers\nStale evidence past renewal date — auditor will reject\nEvidence for Relevant-tier controls — expected but not blocking\nCheckbox-tier evidence — policies and attestations"
      },
      {
        "title": "Step 3: Collect by Platform",
        "body": "Run evidence collection commands grouped by platform to minimize context-switching.\n\nGitHub Evidence\n\n# Org settings: MFA requirement, default permissions\ngh api orgs/{org} | jq '{\n  two_factor_requirement_enabled,\n  default_repository_permission,\n  members_can_create_public_repositories\n}' > evidence/A.5.17_github-org-mfa_$(date +%Y-%m-%d).json\n\n# Branch protection on production repos\nfor repo in $(gh repo list {org} --json name -q '.[].name'); do\n  gh api repos/{org}/$repo/branches/main/protection 2>/dev/null | \\\n    jq '{repo: \"'$repo'\", protection: .}' >> evidence/A.8.32_branch-protection_$(date +%Y-%m-%d).json\ndone\n\n# Recent merged PRs (change management evidence)\ngh pr list --state merged --limit 50 --json number,title,author,reviewDecision,mergedAt,mergedBy \\\n  > evidence/A.8.32_change-records_$(date +%Y-%m-%d).json\n\n# Dependabot alerts (vulnerability management)\ngh api repos/{org}/{repo}/dependabot/alerts?state=open \\\n  > evidence/A.8.8_dependabot-alerts_$(date +%Y-%m-%d).json\n\n# Secret scanning alerts\ngh api orgs/{org}/secret-scanning/alerts --paginate \\\n  > evidence/A.8.24_secret-scanning_$(date +%Y-%m-%d).json\n\n# Audit log\ngh api orgs/{org}/audit-log?per_page=100 \\\n  > evidence/A.8.15_github-audit-log_$(date +%Y-%m-%d).json\n\nGCP Evidence\n\n# IAM policy (access control)\ngcloud projects get-iam-policy {project} --format=json \\\n  > evidence/A.5.15_gcp-iam-policy_$(date +%Y-%m-%d).json\n\n# Service accounts\ngcloud iam service-accounts list --format=json \\\n  > evidence/A.5.16_gcp-service-accounts_$(date +%Y-%m-%d).json\n\n# Audit logging config\ngcloud projects get-iam-policy {project} --format=json | jq '.auditConfigs' \\\n  > evidence/A.8.15_gcp-audit-config_$(date +%Y-%m-%d).json\n\n# Log sinks (centralization)\ngcloud logging sinks list --format=json \\\n  > evidence/A.8.15_gcp-log-sinks_$(date +%Y-%m-%d).json\n\n# Compute instances (asset inventory)\ngcloud compute instances list 
--format=json \\\n  > evidence/A.5.9_gcp-compute-inventory_$(date +%Y-%m-%d).json\n\n# Cloud SQL backup config\ngcloud sql backups list --instance={instance} --format=json \\\n  > evidence/A.8.13_gcp-sql-backups_$(date +%Y-%m-%d).json\n\n# Firewall rules\ngcloud compute firewall-rules list --format=json \\\n  > evidence/A.8.20_gcp-firewall-rules_$(date +%Y-%m-%d).json\n\nAzure Evidence\n\n# Role assignments (access control)\naz role assignment list --all --output json \\\n  > evidence/A.5.15_azure-role-assignments_$(date +%Y-%m-%d).json\n\n# Activity log (audit trail)\naz monitor activity-log list --max-events 100 --output json \\\n  > evidence/A.8.15_azure-activity-log_$(date +%Y-%m-%d).json\n\n# Network security groups\naz network nsg list --output json \\\n  > evidence/A.8.20_azure-nsgs_$(date +%Y-%m-%d).json\n\n# Backup jobs\naz backup job list --resource-group {rg} --vault-name {vault} --output json \\\n  > evidence/A.8.13_azure-backup-jobs_$(date +%Y-%m-%d).json\n\n# Storage encryption\naz storage account list --query \"[].{name:name, encryption:encryption}\" --output json \\\n  > evidence/A.8.24_azure-storage-encryption_$(date +%Y-%m-%d).json\n\nGoogle Workspace Evidence\n\n# User list with MFA status\ngam print users fields primaryEmail,name,isEnrolledIn2Sv,isEnforcedIn2Sv,lastLoginTime,suspended \\\n  > evidence/A.5.17_workspace-users-mfa_$(date +%Y-%m-%d).csv\n\n# Admin roles\ngam print admins > evidence/A.8.2_workspace-admins_$(date +%Y-%m-%d).csv\n\n# Mobile devices\ngam print mobile > evidence/A.8.1_workspace-mobile-devices_$(date +%Y-%m-%d).csv\n\nmacOS Endpoint Evidence\n\n# FileVault encryption\nfdesetup status > evidence/A.8.24_filevault-status_$(date +%Y-%m-%d).txt\n\n# System configuration\nsystem_profiler SPHardwareDataType SPSoftwareDataType \\\n  > evidence/A.8.1_endpoint-config_$(date +%Y-%m-%d).txt\n\n# Screen lock settings\nprofiles show -type configuration 2>/dev/null | grep -A10 -i \"lock\\|idle\\|screensaver\" \\\n  > 
evidence/A.6.7_screenlock-config_$(date +%Y-%m-%d).txt"
      },
      {
        "title": "Step 4: Validate Evidence Package",
        "body": "Check completeness before submitting to auditor:\n\nCompleteness: Do you have evidence for every applicable control in the SoA?\nFreshness: Is every piece of evidence within the required age?\nFormat: Are API exports in JSON/CSV with timestamps? Screenshots have system clock visible?\nNaming: Files follow the naming convention?\nCoverage: Critical-tier controls have at least 2 forms of evidence?\n\n# If compliance MCP is available:\nlist_evidence_gaps(framework=\"iso27001_2022\")  # Should return empty for complete package"
      },
      {
        "title": "Step 5: Generate Evidence Index",
        "body": "Create an index file listing all evidence, mapped to controls:\n\n# Evidence Package Index\nGenerated: {date}\nAudit period: {start} to {end}\n\n| Control | Evidence File | Type | Collected | Status |\n|---------|--------------|------|-----------|--------|\n| A.5.15 | gcp-iam-policy_2026-02-28.json | API export | 2026-02-28 | Current |\n| A.5.17 | workspace-users-mfa_2026-02-28.csv | API export | 2026-02-28 | Current |\n| ... | ... | ... | ... | ... |"
      },
      {
        "title": "DO",
        "body": "Use API exports with ISO 8601 timestamps over screenshots whenever possible\nCollect evidence from the SOURCE system (IdP, not a secondary report)\nInclude metadata: collection date, system version, user who collected\nStore evidence in a version-controlled directory with clear naming (keep the repository private: exports such as secret-scanning alerts can include the detected secrets)\nCollect evidence for the AUDIT PERIOD (usually past 12 months), not just current state\nUse screencapture -x ~/evidence/{filename}.png for screenshots (-x mutes the capture sound; it does not change what is captured)"
      },
      {
        "title": "DON'T",
        "body": "Take screenshots without visible system clock (menu bar on macOS, taskbar on Windows)\nCollect evidence from sandbox/staging instead of production\nManually edit evidence after collection (auditors may verify against source)\nWait until the week before the audit to collect everything\nAssume stale evidence is acceptable — check freshness requirements above\nMix evidence from different audit periods in the same file"
      },
      {
        "title": "Troubleshooting",
        "body": "Problem\tSolution\nAPI command requires auth\tUse existing local credentials: gcloud auth login, az login, gh auth login\nTool not installed\tInstall: brew install gh, brew install --cask google-cloud-sdk, brew install azure-cli\nInsufficient permissions\tRequest read-only access to the relevant service; document the access request as evidence\nEvidence too large\tUse --limit or --max-events flags; collect summary statistics instead of full export\nVendor won't provide SOC 2 report\tRequest via their trust center; if unavailable, document the request and use their security page\nScreenshot doesn't include clock\tOn macOS: use full-screen capture, or screencapture -x which includes menu bar"
      },
      {
        "title": "Rules",
        "body": "For detailed evidence collection guidance by topic:\n\nFile\tCoverage\nrules/api-exports.md\tCLI commands by cloud provider (GCP, Azure, AWS, GitHub, Google Workspace)\nrules/screenshot-guide.md\tWhen and how to take audit-ready screenshots\nrules/evidence-types.md\tEvidence type requirements per control domain"
      },
      {
        "title": "Attribution",
        "body": "Evidence collection procedures and control guidance developed with Internal ISO Audit (Hazel Castro, ISO 27001 Lead Auditor, 14+ years, 100+ audits)."
      },
      {
        "title": "Runtime Detection",
        "body": "Compliance MCP server available (best) — Automated gap detection, evidence freshness tracking\nLocal compliance data available (good) — Reads evidence status from compliance/evidence/*.md\nReference only (baseline) — Uses embedded checklists and command reference"
      }
    ],
    "body": "ISO 27001 Evidence Collection\n\nSystematically collect audit evidence for ISO 27001:2022 and SOC 2. This skill provides API-first evidence collection commands, organizes evidence by control, and validates completeness before auditor review.\n\nSecurity Model\nNo scripts executed — this skill is markdown-only procedural guidance\nNo secrets required — works with reference checklists; CLI commands use existing local credentials\nEvidence stays local — all outputs go to the local filesystem\nIP-clean — references NIST SP 800-53 (public domain); ISO controls cited by section ID only\nWhen to Use\n\nActivate this skill when:\n\nPreparing evidence package for external audit — 2-4 weeks before auditor arrives\nQuarterly evidence refresh — update evidence that has aged beyond the audit window\nAfter remediation — collect evidence proving a finding has been fixed\nNew system onboarding — establish baseline evidence for a newly in-scope system\nEvidence gap analysis — identify what's missing before the audit\n\nDo NOT use for:\n\nRunning the internal audit itself — use iso-27001-internal-audit\nSOC 2-only readiness assessment — use soc2-readiness\nInterpreting audit findings — use the internal audit skill\nCore Concepts\nEvidence Hierarchy (Best to Worst)\nRank\tType\tExample\tWhy Better\n1\tAPI export (JSON/CSV)\tgcloud iam service-accounts list --format=json\tTimestamped, tamper-evident, reproducible\n2\tSystem-generated report\tSOC 2 report from vendor, SIEM export\tAuthoritative source, includes metadata\n3\tConfiguration export\tTerraform state, policy JSON\tShows intended state, version-controlled\n4\tScreenshot with system clock\tscreencapture -x ~/evidence/...\tVisual proof, but harder to validate\n5\tManual attestation\tSigned statement by responsible person\tLast resort, requires corroboration\nEvidence Freshness Requirements\nEvidence Type\tMax Age\tRefresh Cadence\nAccess lists\t90 days\tQuarterly\nVulnerability scans\t30 
days\tMonthly\nConfiguration exports\t90 days\tQuarterly\nTraining records\t12 months\tAnnual\nPenetration test\t12 months\tAnnual\nPolicy documents\t12 months\tAnnual review\nIncident records\tAudit period\tContinuous\nRisk assessment\t12 months\tAnnual + on change\nEvidence Naming Convention\n{control_id}_{evidence_type}_{YYYY-MM-DD}.{ext}\n\n\nExamples:\n\nA.5.15_user-access-list_2026-02-28.json\nA.8.8_vulnerability-scan_2026-02-28.csv\nA.8.13_backup-test-results_2026-02-28.pdf\nStep-by-Step Workflow\nStep 1: Identify Evidence Gaps\n\nDetermine what evidence is missing or stale.\n\n# If compliance MCP is available:\nlist_evidence_gaps(framework=\"iso27001_2022\", tier=\"critical\")\n\n# If reading local compliance data:\n# Check compliance/evidence/*.md files for upload_status != \"OK\"\n# Check renewal_next dates for upcoming expirations\n\nStep 2: Prioritize Collection\n\nOrder evidence collection by:\n\nMissing evidence for Critical-tier controls — audit blockers\nStale evidence past renewal date — auditor will reject\nEvidence for Relevant-tier controls — expected but not blocking\nCheckbox-tier evidence — policies and attestations\nStep 3: Collect by Platform\n\nRun evidence collection commands grouped by platform to minimize context-switching.\n\nGitHub Evidence\n# Org settings: MFA requirement, default permissions\ngh api orgs/{org} | jq '{\n  two_factor_requirement_enabled,\n  default_repository_permission,\n  members_can_create_public_repositories\n}' > evidence/A.5.17_github-org-mfa_$(date +%Y-%m-%d).json\n\n# Branch protection on production repos\nfor repo in $(gh repo list {org} --json name -q '.[].name'); do\n  gh api repos/{org}/$repo/branches/main/protection 2>/dev/null | \\\n    jq '{repo: \"'$repo'\", protection: .}' >> evidence/A.8.32_branch-protection_$(date +%Y-%m-%d).json\ndone\n\n# Recent merged PRs (change management evidence)\ngh pr list --state merged --limit 50 --json number,title,author,reviewDecision,mergedAt,mergedBy \\\n  > 
evidence/A.8.32_change-records_$(date +%Y-%m-%d).json\n\n# Dependabot alerts (vulnerability management)\ngh api repos/{org}/{repo}/dependabot/alerts?state=open \\\n  > evidence/A.8.8_dependabot-alerts_$(date +%Y-%m-%d).json\n\n# Secret scanning alerts\ngh api orgs/{org}/secret-scanning/alerts --paginate \\\n  > evidence/A.8.24_secret-scanning_$(date +%Y-%m-%d).json\n\n# Audit log\ngh api orgs/{org}/audit-log?per_page=100 \\\n  > evidence/A.8.15_github-audit-log_$(date +%Y-%m-%d).json\n\nGCP Evidence\n# IAM policy (access control)\ngcloud projects get-iam-policy {project} --format=json \\\n  > evidence/A.5.15_gcp-iam-policy_$(date +%Y-%m-%d).json\n\n# Service accounts\ngcloud iam service-accounts list --format=json \\\n  > evidence/A.5.16_gcp-service-accounts_$(date +%Y-%m-%d).json\n\n# Audit logging config\ngcloud projects get-iam-policy {project} --format=json | jq '.auditConfigs' \\\n  > evidence/A.8.15_gcp-audit-config_$(date +%Y-%m-%d).json\n\n# Log sinks (centralization)\ngcloud logging sinks list --format=json \\\n  > evidence/A.8.15_gcp-log-sinks_$(date +%Y-%m-%d).json\n\n# Compute instances (asset inventory)\ngcloud compute instances list --format=json \\\n  > evidence/A.5.9_gcp-compute-inventory_$(date +%Y-%m-%d).json\n\n# Cloud SQL backup config\ngcloud sql backups list --instance={instance} --format=json \\\n  > evidence/A.8.13_gcp-sql-backups_$(date +%Y-%m-%d).json\n\n# Firewall rules\ngcloud compute firewall-rules list --format=json \\\n  > evidence/A.8.20_gcp-firewall-rules_$(date +%Y-%m-%d).json\n\nAzure Evidence\n# Role assignments (access control)\naz role assignment list --all --output json \\\n  > evidence/A.5.15_azure-role-assignments_$(date +%Y-%m-%d).json\n\n# Activity log (audit trail)\naz monitor activity-log list --max-events 100 --output json \\\n  > evidence/A.8.15_azure-activity-log_$(date +%Y-%m-%d).json\n\n# Network security groups\naz network nsg list --output json \\\n  > evidence/A.8.20_azure-nsgs_$(date +%Y-%m-%d).json\n\n# Backup 
jobs\naz backup job list --resource-group {rg} --vault-name {vault} --output json \\\n  > evidence/A.8.13_azure-backup-jobs_$(date +%Y-%m-%d).json\n\n# Storage encryption\naz storage account list --query \"[].{name:name, encryption:encryption}\" --output json \\\n  > evidence/A.8.24_azure-storage-encryption_$(date +%Y-%m-%d).json\n\nGoogle Workspace Evidence\n# User list with MFA status\ngam print users fields primaryEmail,name,isEnrolledIn2Sv,isEnforcedIn2Sv,lastLoginTime,suspended \\\n  > evidence/A.5.17_workspace-users-mfa_$(date +%Y-%m-%d).csv\n\n# Admin roles\ngam print admins > evidence/A.8.2_workspace-admins_$(date +%Y-%m-%d).csv\n\n# Mobile devices\ngam print mobile > evidence/A.8.1_workspace-mobile-devices_$(date +%Y-%m-%d).csv\n\nmacOS Endpoint Evidence\n# FileVault encryption\nfdesetup status > evidence/A.8.24_filevault-status_$(date +%Y-%m-%d).txt\n\n# System configuration\nsystem_profiler SPHardwareDataType SPSoftwareDataType \\\n  > evidence/A.8.1_endpoint-config_$(date +%Y-%m-%d).txt\n\n# Screen lock settings\nprofiles show -type configuration 2>/dev/null | grep -A10 -i \"lock\\|idle\\|screensaver\" \\\n  > evidence/A.6.7_screenlock-config_$(date +%Y-%m-%d).txt\n\nStep 4: Validate Evidence Package\n\nCheck completeness before submitting to auditor:\n\nCompleteness: Do you have evidence for every applicable control in the SoA?\nFreshness: Is every piece of evidence within the required age?\nFormat: Are API exports in JSON/CSV with timestamps? 
Screenshots have system clock visible?\nNaming: Files follow the naming convention?\nCoverage: Critical-tier controls have at least 2 forms of evidence?\n# If compliance MCP is available:\nlist_evidence_gaps(framework=\"iso27001_2022\")  # Should return empty for complete package\n\nStep 5: Generate Evidence Index\n\nCreate an index file listing all evidence, mapped to controls:\n\n# Evidence Package Index\nGenerated: {date}\nAudit period: {start} to {end}\n\n| Control | Evidence File | Type | Collected | Status |\n|---------|--------------|------|-----------|--------|\n| A.5.15 | gcp-iam-policy_2026-02-28.json | API export | 2026-02-28 | Current |\n| A.5.17 | workspace-users-mfa_2026-02-28.csv | API export | 2026-02-28 | Current |\n| ... | ... | ... | ... | ... |\n\nDO / DON'T\nDO\nUse API exports with ISO 8601 timestamps over screenshots whenever possible\nCollect evidence from the SOURCE system (IdP, not a secondary report)\nInclude metadata: collection date, system version, user who collected\nStore evidence in version-controlled directory with clear naming\nCollect evidence for the AUDIT PERIOD (usually past 12 months), not just current state\nUse screencapture -x ~/evidence/{filename}.png for screenshots (captures without shadow/border)\nDON'T\nTake screenshots without visible system clock (menu bar on macOS, taskbar on Windows)\nCollect evidence from sandbox/staging instead of production\nManually edit evidence after collection (auditors may verify against source)\nWait until the week before the audit to collect everything\nAssume stale evidence is acceptable — check freshness requirements above\nMix evidence from different audit periods in the same file\nTroubleshooting\nProblem\tSolution\nAPI command requires auth\tUse existing local credentials: gcloud auth login, az login, gh auth login\nTool not installed\tInstall: brew install gh, brew install --cask google-cloud-sdk, brew install azure-cli\nInsufficient permissions\tRequest read-only access to the 
relevant service; document the access request as evidence\nEvidence too large\tUse --limit or --max-events flags; collect summary statistics instead of full export\nVendor won't provide SOC 2 report\tRequest via their trust center; if unavailable, document the request and use their security page\nScreenshot doesn't include clock\tOn macOS: use full-screen capture, or screencapture -x which includes menu bar\nRules\n\nFor detailed evidence collection guidance by topic:\n\nFile\tCoverage\nrules/api-exports.md\tCLI commands by cloud provider (GCP, Azure, AWS, GitHub, Google Workspace)\nrules/screenshot-guide.md\tWhen and how to take audit-ready screenshots\nrules/evidence-types.md\tEvidence type requirements per control domain\nAttribution\n\nEvidence collection procedures and control guidance developed with Internal ISO Audit (Hazel Castro, ISO 27001 Lead Auditor, 14+ years, 100+ audits).\n\nRuntime Detection\nCompliance MCP server available (best) — Automated gap detection, evidence freshness tracking\nLocal compliance data available (good) — Reads evidence status from compliance/evidence/*.md\nReference only (baseline) — Uses embedded checklists and command reference"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/stevenobiajulu/iso-27001-evidence-collection",
    "publisherUrl": "https://clawhub.ai/stevenobiajulu/iso-27001-evidence-collection",
    "owner": "stevenobiajulu",
    "version": "0.1.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/iso-27001-evidence-collection",
    "downloadUrl": "https://openagent3.xyz/downloads/iso-27001-evidence-collection",
    "agentUrl": "https://openagent3.xyz/skills/iso-27001-evidence-collection/agent",
    "manifestUrl": "https://openagent3.xyz/skills/iso-27001-evidence-collection/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/iso-27001-evidence-collection/agent.md"
  }
}