UnixTime

Research Note

A.8 Technological Controls Audit Guide

1. Review policies and standards before sampling technical evidence. 2. Sample endpoint inventory against MDM/EDR/compliance reports. 3. Check remote access, timeout, encryption...

On this page

Auditor lens

Use this page when planning first-party audit tests for technological controls.

Audit objectives

Control What to verify Evidence pack
A.8.1 User End Point Devices Endpoint devices are known, authorized, protected, compliant, and covered by user guidance A.8.1 Audit Evidence Pack
A.8.2 Privileged Access Rights Privileged access is restricted, justified, separately identifiable, logged, reviewed, and removed A.8.2 Audit Evidence Pack
A.8.3 Information Access Restriction Access to information, assets, functions, databases, reports, exports, and dynamic sessions is restricted according to policy and business need A.8.3 Audit Evidence Pack
A.8.4 Access to Source Code Source code, development tools, and software libraries are access-controlled and change-controlled A.8.4 Audit Evidence Pack
A.8.5 Secure Authentication Authentication mechanisms are risk-based, secure, and aligned with access restrictions A.8.5 Audit Evidence Pack
A.8.6 Capacity Management Resource use is monitored, trended, forecast, and adjusted before capacity becomes an availability issue A.8.6 Audit Evidence Pack
A.8.7 Protection Against Malware Malware protection is deployed, current, monitored, supported by awareness, and backed by response records A.8.7 Audit Evidence Pack
A.8.8 Management of Technical Vulnerabilities Vulnerabilities are identified, exposure is evaluated, treatment is controlled, and remediation is retested A.8.8 Audit Evidence Pack
A.8.9 Configuration Management Secure configurations are baselined, implemented, monitored, reviewed, and exceptions are risk-managed A.8.9 Audit Evidence Pack
A.8.10 Information Deletion Information is deleted when no longer required using appropriate method and evidence A.8.10 Audit Evidence Pack
A.8.11 Data Masking Masking, pseudonymisation, tokenisation, and anonymisation are defined, controlled, and legally appropriate A.8.11 Audit Evidence Pack
A.8.12 Data Leakage Prevention DLP scope, rules, alerts, transfer approvals, and user awareness control sensitive data leakage A.8.12 Audit Evidence Pack
A.8.13 Information Backup Backup copies are maintained, protected, and regularly restore-tested according to backup policy A.8.13 Audit Evidence Pack
A.8.14 Redundancy of Information Processing Facilities Redundancy arrangements are sufficient to meet availability requirements and have been tested A.8.14 Audit Evidence Pack
A.8.15 Logging Logs are produced, stored, protected, retained, analysed, and escalated where needed A.8.15 Audit Evidence Pack
A.8.16 Monitoring Activities Monitoring detects risk-relevant anomalous behaviour and feeds potential incident evaluation and response A.8.16 Audit Evidence Pack
A.8.19 Installation of Software on Operational Systems Software installation on operational systems is authorized, tested, logged, licence-valid, supportable, and recoverable A.8.19 Audit Evidence Pack
A.8.20 Networks Security Networks and network devices are secured, managed, monitored, and controlled A.8.20 Audit Evidence Pack
A.8.21 Security of Network Services Network service security mechanisms, service levels, and requirements are identified, implemented, and monitored A.8.21 Audit Evidence Pack
A.8.22 Segregation of Networks Services, users, and systems are segregated into appropriate network zones and controlled connections A.8.22 Audit Evidence Pack
A.8.23 Web Filtering External website access is managed to reduce malicious content exposure A.8.23 Audit Evidence Pack
A.8.24 Use of Cryptography Cryptographic rules and key management are defined, implemented, legally considered, and operated A.8.24 Audit Evidence Pack
A.8.25 Secure Development Life Cycle Secure development rules are established, applied, verified, and improved A.8.25 Audit Evidence Pack
A.8.26 Application Security Requirements Application security requirements are identified, specified, approved, and tested A.8.26 Audit Evidence Pack
A.8.27 Secure System Architecture and Engineering Principles Secure engineering principles are documented, maintained, and applied to system development A.8.27 Audit Evidence Pack
A.8.28 Secure Coding Secure coding principles are selected, applied, checked, and exception-managed A.8.28 Audit Evidence Pack
A.8.29 Security Testing in Development and Acceptance Security testing processes are defined and implemented during development and acceptance A.8.29 Audit Evidence Pack
A.8.30 Outsourced Development Outsourced system development is directed, monitored, reviewed, and contractually controlled A.8.30 Audit Evidence Pack
A.8.31 Separation of Development Test and Production Environments Development, test, and production environments are separated and secured A.8.31 Audit Evidence Pack
A.8.32 Change Management Changes to information processing facilities and systems are controlled, approved, tested, logged, and recoverable A.8.32 Audit Evidence Pack
A.8.33 Test Information Test information is selected, protected, managed, logged, and deleted appropriately A.8.33 Audit Evidence Pack
A.8.34 Protection of Information Systems During Audit Testing Audit tests and assurance activities on operational systems are planned, agreed, logged, and protected A.8.34 Audit Evidence Pack

Audit approach

  1. Review policies and standards before sampling technical evidence.
  2. Sample endpoint inventory against MDM/EDR/compliance reports.
  3. Check remote access, timeout, encryption, patching, and malware controls.
  4. Sample BYOD enrollment and removal.
  5. Sample privileged access approvals, registers, and admin identities.
  6. Review privileged activity logs and evidence of review.
  7. Check emergency access use and post-use review.
  8. Sample application roles, database permissions, reports, exports, and maintenance utilities.
  9. Review dynamic privilege or support-session authorization and logs.
  10. Sample source repository access, CI/CD access, branch protection, and code change records.
  11. Sample authentication configuration, MFA, failed logon handling, and exceptions.
  12. Sample capacity monitoring, thresholds, trend forecasts, and action plans.
  13. Sample malware protection coverage, update status, alert logs, infection response records, and awareness evidence.
  14. Sample vulnerability scan/test reports, remediation trackers, patch/change records, retests, and exceptions.
  15. Sample configuration baselines, compliance reports, deviation approvals, drift alerts, and baseline reviews.
  16. Sample retention rules, deletion records, destruction certificates, and cloud/backup deletion evidence.
  17. Sample masking decisions, role access to full data, lookup segregation, re-combination logs, and re-identification assessments.
  18. Sample DLP scope, approved flows, rules, alert reviews, transfer approvals, and awareness records.
  19. Sample backup scope, job logs, restore tests, backup protection, and archive recoverability.
  20. Sample redundancy requirements, architecture, failover tests, actual recovery records, and compensating controls.
  21. Sample log sources, log detail, retention, protection, alert triage, and corrective action.
  22. Trace monitoring from risk scenario to detection use case, alert rule, data source, triage decision, and incident escalation.
  23. Sample monitoring coverage, threshold tuning, alert fatigue evidence, detected incidents, and out-of-hours escalation.
  24. Sample production software installation records, testing, rollback, licence/support checks, and installer authorization.
  25. Sample network topology, zoning, device configuration, administrative networks, virtual/cloud networks, monitoring, and network changes.
  26. Sample network service requirements, provider security features, service levels, monitoring, and compensating controls.
  27. Sample network segregation design, inter-zone rules, segmentation tests, wireless controls, and exceptions.
  28. Sample web filtering policy, configuration, coverage, exceptions, bypass prevention, and malicious destination alerts.
  29. Sample cryptographic policy, use cases, approved algorithms, key lifecycle records, certificate/CA reviews, legal assessments, and escrow/recovery controls.
  30. Sample secure development standards, training, code reviews, vulnerability closure, supplier development, and standards review.
  31. Sample application security requirements, approvals, transaction controls, testing, and exceptions.
  32. Sample architecture principles, design reviews, threat models, deviations, and contractor communication.
  33. Sample coding activities, secure coding standards, automated checks, code review records, generated code review, and exceptions.
  34. Sample security test plans, acceptance criteria, test results, remediation, retest evidence, user/operations involvement, and final sign-off.
  35. Sample outsourced development contracts, supplier risk assessments, monitoring records, test/code review evidence, defect closure, IP clauses, and acceptance records.
  36. Sample environment inventories, access reviews, network restrictions, CI/CD promotion controls, production data use in test, and change records.
  37. Sample change records for impact assessment, approval, testing, rollback, implementation logging, release traceability, and emergency review.
  38. Sample test information records for live-data approvals, masking, access control, output handling, logging, and deletion.
  39. Sample audit testing plans for operational approval, scope, tools, stop criteria, activity logging, result protection, and independence.
  40. Interview users and administrators to test awareness and actual practice.

Common audit challenges

Challenge Audit response
Endpoint policy exists Sample compliance reports and user behavior
BYOD is informal Treat personal devices accessing organization data as in-scope
Remote access is assumed secure Check device compliance, MFA, session timeout, and logs
Admin rights are politically sensitive Test need-to-use, not seniority or convenience
Logs exist Check protection, retention, and review
Emergency access exists Check use records and post-use restoration
Application roles exist Compare them with owner-approved access rules and database permissions
Exports are allowed Check whether extracted information remains controlled
Git is protected Check build tools, CI/CD, libraries, macros, reports, and production copies
MFA is enabled Check factor types, coverage, failed logon controls, and recovery paths
Dashboards exist Check trend analysis, thresholds, owners, and completed actions
Anti-malware is installed Check coverage, updates, alert review, infection records, and user awareness
Vulnerability scan exists Follow findings through risk rating, treatment, retest, and exception handling
Baseline exists Check implementation, monitoring, deviations, drift handling, and review
Retention policy exists Sample actual deletion evidence, including backups and cloud data
Data is masked Check whether it is reversible, who can re-combine it, and whether re-identification risk was assessed
DLP tool exists Check sensitive data scope, approved flows, alert handling, false positives, and user awareness
Backup jobs are successful Check restore tests, backup protection, and continuity alignment
Redundancy exists Check whether it meets availability requirements and has been tested
Logs exist Check protection, retention, analysis, separation of duties, and escalation
Monitoring exists Trace detection use cases to risk, sources, thresholds, incident handling, and tuning
Production install is routine Check approval, testing, installer authority, rollback, licence/support, and deployment logs
Network diagram exists Check actual configuration, zoning, virtual networks, admin paths, and monitoring evidence
Provider network service exists Check required security mechanisms, service levels, monitoring, and provider limitation handling
Zones are named Check enforced traffic rules and segmentation test evidence
Web filtering tool exists Check policy mapping, coverage, exception control, bypass resistance, and alert handling
Encryption exists Check approved algorithms, key lifecycle, private key protection, certificate management, and legal review
Secure coding standard exists Check training, mandatory use, independent review, findings closure, and supplier application
Application has requirements Check security requirements are specific, approved, risk-based, and tested
Architecture principles exist Check they are applied in design reviews and exceptions are approved
Static analysis tool exists Check standards mapping, finding review, remediation, exceptions, and generated/supplier code coverage
Security test completed Check risk-based scope, acceptance criteria, retesting, unresolved findings, and sign-off
Supplier contract exists Check whether the organization directs, monitors, and reviews supplier development activity
Dev/test/prod are named separately Check actual access, network, identity, CI/CD, and test-data separation
Change ticket exists Check impact assessment, security review, test evidence, rollback, approval, and post-implementation review
Test environment is non-production Check whether sensitive data, logs, debug files, and outputs still need production-like protection
Audit activity is planned Check operational approval, tool control, logging, result protection, and independence
  • Iso27001
  • Auditor guide
  • Technological controls
  • Internal audit

Note Metadata

Aliases: A.8 Audit Guide

Source: 06 Auditor Guide/A.8 Technological Controls Audit Guide.md

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.