This skill should be used when generating audit evidence, producing compliance documentation, creating evidence narratives, writing assessment reports, or when the user asks about "audit evidence", "compliance evidence", "evidence package", "audit documentation", or "ISO 27001 evidence".
Transform raw code assessment findings into formal, auditor-ready evidence narratives. This skill guides the production of evidence that meets ISO 27001 audit requirements.
ISO 27001 auditors expect evidence that demonstrates:
## Control: A.8.5 — Secure Authentication
### Implementation Status: Partially Implemented
### Maturity Level: 3/5 (Defined)
### Evidence of Implementation
The application implements authentication using [framework/library] with the following security measures observed:
**Password Storage** (A.8.5.a):
- Passwords are hashed using Argon2id with cost parameters [memory=65536, time=3, parallelism=4]
- Evidence: `src/auth/password.ts` lines 15-28
- Assessment: Meets OWASP recommendations for password storage
**Session Management** (A.8.5.b):
- Session tokens generated using cryptographically secure random bytes (32 bytes)
- Tokens stored with HttpOnly, Secure, and SameSite=Strict flags
- Evidence: `src/auth/session.ts` lines 10-35
- Assessment: Meets secure session management requirements
### Identified Gaps
1. **Rate Limiting**: No rate limiting observed on the login endpoint (`src/routes/auth.ts:45`). This creates a risk of brute-force attacks.
2. **MFA**: No multi-factor authentication implementation found.
### Recommendations
1. Implement rate limiting on authentication endpoints (priority: high)
2. Add multi-factor authentication support (priority: medium)
### Assessment Metadata
- **Assessed by**: Shinsa Compliance Plugin v1.0.0
- **Date**: [ISO-8601 timestamp]
- **Confidence**: 0.85
- **Scope**: [repository path]
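As an added illustration (not code from the Shinsa plugin or this skill), the renderer below turns structured findings into the narrative layout above and refuses to emit a narrative whose evidence pointers are not `path lines N-M` or whose confidence is outside 0..1. The `Finding`/`Gap` field names, the status-derivation rule and the evidence-reference pattern are assumptions for the example.

```python
"""Render structured assessment findings into the ISO 27001 evidence layout.
Added example; field names, status rule and reference pattern are assumptions."""
from dataclasses import dataclass
import re

# Assumed shape of an evidence pointer, e.g. "src/auth/password.ts lines 15-28"
EVIDENCE_REF = re.compile(r"^[\w./-]+\.\w+ lines \d+-\d+$")

@dataclass
class Finding:
    title: str          # e.g. "Password Storage"
    clause: str         # e.g. "A.8.5.a"
    observations: list  # bullet lines describing what was observed
    evidence: str       # file and line range where the control is implemented
    assessment: str     # one-line verdict against the requirement

@dataclass
class Gap:
    title: str
    detail: str
    recommendation: str
    priority: str       # high / medium / low

def derive_status(findings, gaps):
    """Assumed rule: no findings -> not implemented; findings without gaps -> implemented."""
    if not findings:
        return "Not Implemented"
    return "Implemented" if not gaps else "Partially Implemented"

def validate(findings, confidence):
    """Return a list of problems; an auditor must be able to locate every piece of evidence."""
    errors = [f"bad evidence reference: {f.evidence!r}" for f in findings if not EVIDENCE_REF.match(f.evidence)]
    if not 0.0 <= confidence <= 1.0:
        errors.append(f"confidence out of range: {confidence}")
    return errors

def render(control, findings, gaps, confidence, maturity, assessor, date, scope):
    errors = validate(findings, confidence)
    if errors:
        raise ValueError("; ".join(errors))
    out = [f"## Control: {control}", f"### Implementation Status: {derive_status(findings, gaps)}",
           f"### Maturity Level: {maturity}/5", "### Evidence of Implementation"]
    for f in findings:
        out.append(f"**{f.title}** ({f.clause}):")
        out += [f"- {o}" for o in f.observations]
        out += [f"- Evidence: `{f.evidence}`", f"- Assessment: {f.assessment}"]
    if gaps:  # gaps and recommendations are emitted as matching numbered lists
        out.append("### Identified Gaps")
        out += [f"{i}. **{g.title}**: {g.detail}" for i, g in enumerate(gaps, 1)]
        out.append("### Recommendations")
        out += [f"{i}. {g.recommendation} (priority: {g.priority})" for i, g in enumerate(gaps, 1)]
    out += ["### Assessment Metadata", f"- **Assessed by**: {assessor}", f"- **Date**: {date}",
            f"- **Confidence**: {confidence}", f"- **Scope**: {scope}"]
    return "\n".join(out)
```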
Before finalizing evidence, verify: