**Skill page:** `aims-audit` (listed under module "Coding" — code generation, debugging and review; category "Code review" — code quality analysis, security review)
**Description:** ISO/IEC 42001 AIMS internal audit: six forcing questions. Use before certification stage 1, before the annual internal audit cycle, or when bringing a new AI system into an existing AIMS.
**Tags:** alirezarezvani, coding
**Source:** imported from https://github.com/alirezarezvani/claude-skills (uploaded by SkillOPIC, public)
**Stars:** 181 · **Runs:** 390 · **Created:** 2026-05-16 13:52:26
**Package:** `aims-audit.zip`, version 1.0.0, 2502 bytes, SHA-256 `30e3da44d376fa2630b045700005e4d96088d1fbf10ac6755cd13203d6075970`; manifest: `SKILL.md` (5276 bytes)

Contents of `SKILL.md`:

---
name: "aims-audit"
description: "/cs:aims-audit <scope> — ISO/IEC 42001 AIMS internal-audit 6-question forcing interrogation. Use before certification stage 1, before annual internal audit cycles, or when onboarding a new AI system into an existing AIMS."
---

# /cs:aims-audit — AIMS ISO 42001 Forcing Questions

**Command:** `/cs:aims-audit <scope>`

The ISO 42001 AIMS specialist pressure-tests any AI Management System work. Six questions before any certification commitment, internal audit cycle, or new-system onboarding.

## When to Run

- Before the stage 1 ISO 42001 certification audit
- Before the annual internal audit cycle (Clause 9.2)
- When onboarding a new AI system into the existing AIMS scope
- When the AI risk register hasn't been refreshed in > 6 months
- After a material model change (re-evaluate risks per Clause 6.1.2)
- When audit findings hint at AIMS / ISMS / QMS duplication

## The Six AIMS Questions

### 1. Does the AIMS scope statement name every AI system?
**Scope omission = certification finding.**
- Including: embedded models, third-party AI services, "experimental" production systems
- Run `aims_gap_analyzer.py` to verify Clause 4.3 evidence
- "AI features added by SaaS vendors we use" = in scope if they affect the company's services

### 2. Does the AI policy commit to lawful use AND beneficial purpose AND human oversight AND continual improvement?
**Missing any of the four = critical nonconformity at stage 1.**
- AI policy is NOT the info-sec policy — it has separate substantive content
- Reference ISO 42001 Annex A.2.2 + Clause 5.2
- Marketing-copy "AI ethics" doesn't pass

### 3. What's the risk register coverage, and which Annex A controls treat each risk?
**Risk identification without control mapping = Clause 6.1.3 fails.**
- Run `ai_risk_register_builder.py` per the ISO/IEC 23894 methodology
- Every high/critical risk must link to ≥ 1 Annex A control
- Any risk with "Residual verdict: additional_treatment_required" must be closed before stage 1

### 4. Has the AI risk assessment been re-run since the last material model change?
**Concept drift is not a one-time event.**
- Article 9 of the EU AI Act and ISO 42001 Clause 6.1.2 both require iterative risk assessment
- Material change = retraining on new data, fine-tuning, architecture change, deployment context change
- If "we did it 18 months ago and haven't touched it," the AIMS is broken

### 5. What's the Clause 9.2 internal audit plan, and is auditor independence respected?
**Without a Clause 9.2 plan, the AIMS is incomplete.**
- Run `aims_audit_scheduler.py` with scope + auditors + prior findings
- Audit every clause + every applicable Annex A control over a rolling 3-year cycle
- The same auditor cannot audit their own work
- Cross-check with cs-quality-regulatory if integrated with an ISO 13485 audit programme

### 6. Has the AIMS been integrated with the existing ISMS / QMS, or built in parallel?
**Parallel systems multiply ongoing maintenance cost (roughly 5x).**
- Roughly 60% of Clauses 4-10 evidence can be reused from ISO 27001 / ISO 13485 with the AI scope appended
- The CAPA loop should be ONE loop with AI-tagged nonconformities, not a separate loop
- Reference `cross_framework_mapping_ai.md` for the reuse map
- Cross-check with cs-ciso-advisor on ISO 27001 alignment

## Workflow

```bash
# 1. AIMS gap analysis
python ../../ra-qm-team/skills/iso42001-specialist/scripts/aims_gap_analyzer.py evidence.json

# 2. AI risk register
python ../../ra-qm-team/skills/iso42001-specialist/scripts/ai_risk_register_builder.py risks.json

# 3. Internal audit plan
python ../../ra-qm-team/skills/iso42001-specialist/scripts/aims_audit_scheduler.py audit_scope.json

# 4. Cross-framework reuse map (via compliance-os)
python ../../skills/compliance-os/scripts/cross_framework_mapper.py program.json
```

## Output Format

```markdown
# AIMS Audit: <scope>
**Date:** YYYY-MM-DD

## The Decision Being Made
[gap-closure | risk-treatment | audit-scope | new-system-onboarding]

## Gap Analysis (Clauses 4-10)
- Weighted coverage: X%
- Critical gaps: N
- Major gaps: M
- Certification readiness: ready | stage_2_candidate | not_ready

## AI Risk Register
- Total risks: N
- By severity: critical=X, high=Y, medium=Z, low=W
- Requires additional treatment: K
- Top risk requiring action: <description>

## Clause 9.2 Audit Plan
- 12-month coverage: clauses=X, controls=Y
- Auditor independence: clean | issues
- Prior-year follow-up: scheduled in Q1

## Cross-Framework Reuse
- ISO 27001 evidence reused: % of AIMS Clauses 4-10
- ISO 13485 evidence reused: % (if applicable)
- Net-new for AIMS: % (mostly Annex A)

## Verdict
🟢 STAGE-1-READY | 🟡 CLOSE-CRITICALS-FIRST | 🔴 NOT-READY

## Top 3 Actions
[3 concrete next steps with owner + date]
```

## Routing

- `/cs:compliance-readiness` — for the multi-framework view
- `/cs:ai-act-readiness` — if the EU AI Act also applies
- `/cs:caio-review` — for executive AI strategy decisions
- `/cs:ciso-review` — for ISO 27001 cross-framework alignment
- `/cs:decide` — to log the verdict
- `/cs:freeze 30` — on certification commitments

## Related

- Agent: [`cs-aims-iso42001`](../../agents/cs-aims-iso42001.md)
- Skill: [`iso42001-specialist`](../../../ra-qm-team/skills/iso42001-specialist/SKILL.md)
- Adjacent: `../../skills/compliance-os/`, `../ai-act-readiness/`, `../compliance-readiness/`

---

**Version:** 1.0.0
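The mechanical parts of questions 1, 3, 4 and 5 above (scope completeness, control mapping, assessment staleness relative to material model changes, and auditor independence) can be expressed as compliance-as-code checks. The following is an added worked example written for this page; it is not one of the skill's own scripts (`aims_gap_analyzer.py` and friends take their own input formats, which this page does not document). The evidence schema, the sample data, the Annex A control references and the mapping of findings onto the skill's three verdicts are all assumptions made for illustration.

```python
"""Compliance-as-code checks behind AIMS forcing questions 1, 3, 4 and 5.

Added example for this page; NOT the skill's own scripts. The evidence
schema, sample data, control references and verdict thresholds are
illustrative assumptions.
"""
from datetime import date

# Constructed sample evidence (hypothetical schema, not the project's format).
# Annex A references are illustrative placeholders, not a real control mapping.
EVIDENCE = {
    # Systems named in the Clause 4.3 scope statement.
    "scope_systems": ["fraud-scoring-v3", "support-chatbot"],
    # Full inventory of AI systems actually in use, vendor features included.
    "inventory": [
        {"name": "fraud-scoring-v3", "last_material_change": "2026-03-01"},
        {"name": "support-chatbot", "last_material_change": "2025-09-15"},
        {"name": "crm-vendor-summariser", "last_material_change": "2026-01-10"},
    ],
    "risk_register": {
        "assessed_on": "2025-12-01",
        "risks": [
            {"id": "R1", "system": "fraud-scoring-v3", "severity": "critical",
             "annex_a_controls": ["A.6.2"], "residual_verdict": "accepted"},
            {"id": "R2", "system": "support-chatbot", "severity": "high",
             "annex_a_controls": [], "residual_verdict": "accepted"},
            {"id": "R3", "system": "support-chatbot", "severity": "medium",
             "annex_a_controls": ["A.8"],
             "residual_verdict": "additional_treatment_required"},
        ],
    },
    # Clause 9.2 plan: who audits which area, and who owns that area.
    "audit_plan": [
        {"area": "Clause 6.1 AI risk assessment", "auditor": "alice", "owner": "bob"},
        {"area": "Annex A.6 AI system life cycle", "auditor": "carol", "owner": "carol"},
    ],
}


def check_scope(ev):
    """Q1: every inventoried AI system must appear in the scope statement."""
    in_scope = set(ev["scope_systems"])
    return sorted(s["name"] for s in ev["inventory"] if s["name"] not in in_scope)


def check_control_mapping(ev):
    """Q3: high/critical risks need >= 1 Annex A control; open treatments block stage 1."""
    unmapped, open_treatment = [], []
    for r in ev["risk_register"]["risks"]:
        if r["severity"] in ("high", "critical") and not r["annex_a_controls"]:
            unmapped.append(r["id"])
        if r["residual_verdict"] == "additional_treatment_required":
            open_treatment.append(r["id"])
    return unmapped, open_treatment


def check_staleness(ev, today_iso, max_age_days=183):
    """Q4: the assessment must post-date every material change and be < 6 months old."""
    assessed = date.fromisoformat(ev["risk_register"]["assessed_on"])
    today = date.fromisoformat(today_iso)
    changed_since = sorted(
        s["name"] for s in ev["inventory"]
        if date.fromisoformat(s["last_material_change"]) > assessed
    )
    too_old = (today - assessed).days > max_age_days
    return changed_since, too_old


def check_auditor_independence(ev):
    """Q5: nobody audits their own work."""
    return [a["area"] for a in ev["audit_plan"] if a["auditor"] == a["owner"]]


def aims_verdict(ev, today_iso):
    """Roll findings up to the skill's three verdicts (threshold choice is an assumption)."""
    scope_gaps = check_scope(ev)
    unmapped, open_treatment = check_control_mapping(ev)
    changed_since, too_old = check_staleness(ev, today_iso)
    self_audit = check_auditor_independence(ev)
    findings = {
        "q1_scope_gaps": scope_gaps,
        "q3_unmapped_high_critical": unmapped,
        "q3_open_treatment": open_treatment,
        "q4_changed_since_assessment": changed_since,
        "q4_assessment_older_than_6_months": too_old,
        "q5_self_audit": self_audit,
    }
    if scope_gaps or unmapped or self_audit:
        verdict = "NOT-READY"            # structural defects in the AIMS itself
    elif open_treatment or changed_since or too_old:
        verdict = "CLOSE-CRITICALS-FIRST"  # fixable before stage 1
    else:
        verdict = "STAGE-1-READY"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = aims_verdict(EVIDENCE, "2026-05-16")
    print(verdict)
    for key, value in findings.items():
        print(f"  {key}: {value}")
```

On the sample evidence this reports NOT-READY: the vendor summariser is missing from scope, R2 is a high risk with no control, the fraud model and the vendor feature both changed after the last assessment, and one auditor is scheduled to audit her own area. Swapping in a real register export is a matter of adapting the loader, not the checks.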