ISO 27001 Evidence Collection Review
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent audit-evidence collection guide, but it asks the agent/user to run broad read-only cloud and identity export commands that can produce sensitive local evidence files.
This skill appears benign and instruction-only. Before installing or using it, confirm that you are comfortable running the listed read-only export commands with your existing CLI logins, limit collection to the systems in audit scope, and protect the local evidence directory because it may contain sensitive organizational and personnel data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Impact: If run against the wrong organization, project, or account, the user could create unnecessary exports of sensitive cloud, repository, or audit information.
Analysis: The skill instructs use of multiple platform CLIs/APIs for audit exports. This is central to the stated purpose, but broad API export commands should be run deliberately because they can collect substantial organization data.
Quoted from SKILL.md: "Run evidence collection commands grouped by platform to minimize context-switching."
Recommendation: Review each command, confirm the active CLI account and target org/project, and run only the platform exports needed for the audit scope.
Impact: The agent or user may perform read-only exports using privileged local sessions, potentially revealing IAM, audit, admin, or repository data.
Analysis: The skill does not request new secrets, but its commands rely on whatever local GitHub/cloud/workspace credentials are already logged in. That is expected for evidence collection, but users should notice the delegated account access.
Quoted from SKILL.md: "No secrets required — works with reference checklists; CLI commands use existing local credentials"
Recommendation: Use least-privilege read-only audit accounts where possible and verify local CLI authentication before running commands.
Impact: Incorrect local evidence status files could cause the agent to miss gaps or treat stale evidence as acceptable.
Analysis: Local compliance files can influence evidence gap analysis. This is appropriate for the skill, but stale or incorrect local status files could lead to inaccurate audit preparation.
Quoted from SKILL.md: "If the `compliance/` directory exists with evidence status files, the skill reads those directly."
Recommendation: Keep local compliance evidence files current, restrict who can edit them, and verify important gap-analysis results before relying on them.
Impact: Audit evidence files may contain private employee, vendor, security, and access-control information.
Analysis: The evidence checklist includes sensitive HR, personnel, vendor, incident, and access-control records. The guidance calls for redaction in at least one case and local storage, which is purpose-aligned, but these evidence packages should be treated as sensitive.
Quoted from SKILL.md: "Background check records | HR system export (redacted)"
Recommendation: Store evidence packages in an access-controlled location, redact unnecessary personal data, and avoid sharing raw evidence outside the audit need.
