Auditor lens
Use this page when planning first-party audit tests for technological controls.
Audit objectives
| Control | What to verify | Evidence pack |
|---|---|---|
| A.8.1 User End Point Devices | Endpoint devices are known, authorized, protected, compliant, and covered by user guidance | A.8.1 Audit Evidence Pack |
| A.8.2 Privileged Access Rights | Privileged access is restricted, justified, separately identifiable, logged, reviewed, and removed | A.8.2 Audit Evidence Pack |
| A.8.3 Information Access Restriction | Access to information, assets, functions, databases, reports, exports, and dynamic sessions is restricted according to policy and business need | A.8.3 Audit Evidence Pack |
| A.8.4 Access to Source Code | Source code, development tools, and software libraries are access-controlled and change-controlled | A.8.4 Audit Evidence Pack |
| A.8.5 Secure Authentication | Authentication mechanisms are risk-based, secure, and aligned with access restrictions | A.8.5 Audit Evidence Pack |
| A.8.6 Capacity Management | Resource use is monitored, trended, forecast, and adjusted before capacity becomes an availability issue | A.8.6 Audit Evidence Pack |
| A.8.7 Protection Against Malware | Malware protection is deployed, current, monitored, supported by awareness, and backed by response records | A.8.7 Audit Evidence Pack |
| A.8.8 Management of Technical Vulnerabilities | Vulnerabilities are identified, exposure is evaluated, treatment is controlled, and remediation is retested | A.8.8 Audit Evidence Pack |
| A.8.9 Configuration Management | Secure configurations are baselined, implemented, monitored, reviewed, and exceptions are risk-managed | A.8.9 Audit Evidence Pack |
| A.8.10 Information Deletion | Information is deleted when no longer required using appropriate method and evidence | A.8.10 Audit Evidence Pack |
| A.8.11 Data Masking | Masking, pseudonymisation, tokenisation, and anonymisation are defined, controlled, and legally appropriate | A.8.11 Audit Evidence Pack |
| A.8.12 Data Leakage Prevention | DLP scope, rules, alerts, transfer approvals, and user awareness control sensitive data leakage | A.8.12 Audit Evidence Pack |
| A.8.13 Information Backup | Backup copies are maintained, protected, and regularly restore-tested according to backup policy | A.8.13 Audit Evidence Pack |
| A.8.14 Redundancy of Information Processing Facilities | Redundancy arrangements are sufficient to meet availability requirements and have been tested | A.8.14 Audit Evidence Pack |
| A.8.15 Logging | Logs are produced, stored, protected, retained, analysed, and escalated where needed | A.8.15 Audit Evidence Pack |
| A.8.16 Monitoring Activities | Monitoring detects risk-relevant anomalous behaviour and feeds potential incident evaluation and response | A.8.16 Audit Evidence Pack |
| A.8.19 Installation of Software on Operational Systems | Software installation on operational systems is authorized, tested, logged, licence-valid, supportable, and recoverable | A.8.19 Audit Evidence Pack |
| A.8.20 Networks Security | Networks and network devices are secured, managed, monitored, and controlled | A.8.20 Audit Evidence Pack |
| A.8.21 Security of Network Services | Network service security mechanisms, service levels, and requirements are identified, implemented, and monitored | A.8.21 Audit Evidence Pack |
| A.8.22 Segregation of Networks | Services, users, and systems are segregated into appropriate network zones and controlled connections | A.8.22 Audit Evidence Pack |
| A.8.23 Web Filtering | External website access is managed to reduce malicious content exposure | A.8.23 Audit Evidence Pack |
| A.8.24 Use of Cryptography | Cryptographic rules and key management are defined, implemented, legally considered, and operated | A.8.24 Audit Evidence Pack |
| A.8.25 Secure Development Life Cycle | Secure development rules are established, applied, verified, and improved | A.8.25 Audit Evidence Pack |
| A.8.26 Application Security Requirements | Application security requirements are identified, specified, approved, and tested | A.8.26 Audit Evidence Pack |
| A.8.27 Secure System Architecture and Engineering Principles | Secure engineering principles are documented, maintained, and applied to system development | A.8.27 Audit Evidence Pack |
| A.8.28 Secure Coding | Secure coding principles are selected, applied, checked, and exception-managed | A.8.28 Audit Evidence Pack |
| A.8.29 Security Testing in Development and Acceptance | Security testing processes are defined and implemented during development and acceptance | A.8.29 Audit Evidence Pack |
| A.8.30 Outsourced Development | Outsourced system development is directed, monitored, reviewed, and contractually controlled | A.8.30 Audit Evidence Pack |
| A.8.31 Separation of Development Test and Production Environments | Development, test, and production environments are separated and secured | A.8.31 Audit Evidence Pack |
| A.8.32 Change Management | Changes to information processing facilities and systems are controlled, approved, tested, logged, and recoverable | A.8.32 Audit Evidence Pack |
| A.8.33 Test Information | Test information is selected, protected, managed, logged, and deleted appropriately | A.8.33 Audit Evidence Pack |
| A.8.34 Protection of Information Systems During Audit Testing | Audit tests and assurance activities on operational systems are planned, agreed, logged, and protected | A.8.34 Audit Evidence Pack |
Audit approach
- Review policies and standards before sampling technical evidence.
- Sample endpoint inventory against MDM/EDR/compliance reports.
- Check remote access, timeout, encryption, patching, and malware controls.
- Sample BYOD enrollment and removal.
- Sample privileged access approvals, registers, and admin identities.
- Review privileged activity logs and evidence of review.
- Check emergency access use and post-use review.
- Sample application roles, database permissions, reports, exports, and maintenance utilities.
- Review dynamic privilege or support-session authorization and logs.
- Sample source repository access, CI/CD access, branch protection, and code change records.
- Sample authentication configuration, MFA, failed logon handling, and exceptions.
- Sample capacity monitoring, thresholds, trend forecasts, and action plans.
- Sample malware protection coverage, update status, alert logs, infection response records, and awareness evidence.
- Sample vulnerability scan/test reports, remediation trackers, patch/change records, retests, and exceptions.
- Sample configuration baselines, compliance reports, deviation approvals, drift alerts, and baseline reviews.
- Sample retention rules, deletion records, destruction certificates, and cloud/backup deletion evidence.
- Sample masking decisions, role access to full data, lookup segregation, re-combination logs, and re-identification assessments.
- Sample DLP scope, approved flows, rules, alert reviews, transfer approvals, and awareness records.
- Sample backup scope, job logs, restore tests, backup protection, and archive recoverability.
- Sample redundancy requirements, architecture, failover tests, actual recovery records, and compensating controls.
- Sample log sources, log detail, retention, protection, alert triage, and corrective action.
- Trace monitoring from risk scenario to detection use case, alert rule, data source, triage decision, and incident escalation.
- Sample monitoring coverage, threshold tuning, alert fatigue evidence, detected incidents, and out-of-hours escalation.
- Sample production software installation records, testing, rollback, licence/support checks, and installer authorization.
- Sample network topology, zoning, device configuration, administrative networks, virtual/cloud networks, monitoring, and network changes.
- Sample network service requirements, provider security features, service levels, monitoring, and compensating controls.
- Sample network segregation design, inter-zone rules, segmentation tests, wireless controls, and exceptions.
- Sample web filtering policy, configuration, coverage, exceptions, bypass prevention, and malicious destination alerts.
- Sample cryptographic policy, use cases, approved algorithms, key lifecycle records, certificate/CA reviews, legal assessments, and escrow/recovery controls.
- Sample secure development standards, training, code reviews, vulnerability closure, supplier development, and standards review.
- Sample application security requirements, approvals, transaction controls, testing, and exceptions.
- Sample architecture principles, design reviews, threat models, deviations, and contractor communication.
- Sample coding activities, secure coding standards, automated checks, code review records, generated code review, and exceptions.
- Sample security test plans, acceptance criteria, test results, remediation, retest evidence, user/operations involvement, and final sign-off.
- Sample outsourced development contracts, supplier risk assessments, monitoring records, test/code review evidence, defect closure, IP clauses, and acceptance records.
- Sample environment inventories, access reviews, network restrictions, CI/CD promotion controls, production data use in test, and change records.
- Sample change records for impact assessment, approval, testing, rollback, implementation logging, release traceability, and emergency review.
- Sample test information records for live-data approvals, masking, access control, output handling, logging, and deletion.
- Sample audit testing plans for operational approval, scope, tools, stop criteria, activity logging, result protection, and independence.
- Interview users and administrators to test awareness and actual practice.
Common audit challenges
| Challenge | Audit response |
|---|---|
| Endpoint policy exists | Sample compliance reports and user behavior |
| BYOD is informal | Treat personal devices accessing organization data as in-scope |
| Remote access is assumed secure | Check device compliance, MFA, session timeout, and logs |
| Admin rights are politically sensitive | Test need-to-use, not seniority or convenience |
| Logs exist | Check protection, retention, and review |
| Emergency access exists | Check use records and post-use restoration |
| Application roles exist | Compare them with owner-approved access rules and database permissions |
| Exports are allowed | Check whether extracted information remains controlled |
| Git is protected | Check build tools, CI/CD, libraries, macros, reports, and production copies |
| MFA is enabled | Check factor types, coverage, failed logon controls, and recovery paths |
| Dashboards exist | Check trend analysis, thresholds, owners, and completed actions |
| Anti-malware is installed | Check coverage, updates, alert review, infection records, and user awareness |
| Vulnerability scan exists | Follow findings through risk rating, treatment, retest, and exception handling |
| Baseline exists | Check implementation, monitoring, deviations, drift handling, and review |
| Retention policy exists | Sample actual deletion evidence, including backups and cloud data |
| Data is masked | Check whether it is reversible, who can re-combine it, and whether re-identification risk was assessed |
| DLP tool exists | Check sensitive data scope, approved flows, alert handling, false positives, and user awareness |
| Backup jobs are successful | Check restore tests, backup protection, and continuity alignment |
| Redundancy exists | Check whether it meets availability requirements and has been tested |
| Logs exist | Check protection, retention, analysis, separation of duties, and escalation |
| Monitoring exists | Trace detection use cases to risk, sources, thresholds, incident handling, and tuning |
| Production install is routine | Check approval, testing, installer authority, rollback, licence/support, and deployment logs |
| Network diagram exists | Check actual configuration, zoning, virtual networks, admin paths, and monitoring evidence |
| Provider network service exists | Check required security mechanisms, service levels, monitoring, and provider limitation handling |
| Zones are named | Check enforced traffic rules and segmentation test evidence |
| Web filtering tool exists | Check policy mapping, coverage, exception control, bypass resistance, and alert handling |
| Encryption exists | Check approved algorithms, key lifecycle, private key protection, certificate management, and legal review |
| Secure coding standard exists | Check training, mandatory use, independent review, findings closure, and supplier application |
| Application has requirements | Check security requirements are specific, approved, risk-based, and tested |
| Architecture principles exist | Check they are applied in design reviews and exceptions are approved |
| Static analysis tool exists | Check standards mapping, finding review, remediation, exceptions, and generated/supplier code coverage |
| Security test completed | Check risk-based scope, acceptance criteria, retesting, unresolved findings, and sign-off |
| Supplier contract exists | Check whether the organization directs, monitors, and reviews supplier development activity |
| Dev/test/prod are named separately | Check actual access, network, identity, CI/CD, and test-data separation |
| Change ticket exists | Check impact assessment, security review, test evidence, rollback, approval, and post-implementation review |
| Test environment is non-production | Check whether sensitive data, logs, debug files, and outputs still need production-like protection |
| Audit activity is planned | Check operational approval, tool control, logging, result protection, and independence |
Related templates
- A.8.1 Audit Checklist
- A.8.2 Audit Checklist
- Endpoint Device Security Standard
- Endpoint Device Inventory and Compliance Register
- Privileged Access Register
- Privileged Access Review Checklist
- Information Access Rule Matrix
- Information Access Restriction Review Checklist
- Dynamic Privilege Session Record
- Sensitive Function and Export Control Checklist
- Source Code Access Register
- Development Tool and Library Integrity Checklist
- Source Code Change Control Checklist
- Secure Authentication Standard
- Authentication Mechanism Review Checklist
- Capacity Management Plan
- Capacity Monitoring and Forecast Register
- Malware Protection Standard
- Malware Protection Coverage and Update Register
- Malware Infection Response Record
- Malware Awareness Checklist
- Vulnerability Management Procedure
- Vulnerability Register and Remediation Tracker
- Patch Testing and Rollback Checklist
- Configuration Baseline Register
- Configuration Compliance Review Checklist
- Information Deletion and Destruction Register
- Information Retention and Deletion Rules
- Data Masking Standard
- Data Masking Decision Register
- DLP Scope and Rule Register
- Approved Sensitive Data Flow Register
- DLP Alert Review and Tuning Log
- Backup Policy and Schedule
- Backup and Restore Test Record
- Backup Scope and Coverage Register
- Redundancy Requirements and Architecture Register
- Redundancy Failover Test Record
- Logging and Monitoring Standard
- Log Source and Retention Register
- Log Review and Alert Triage Record
- Monitoring Detection Use Case Register
- Monitoring Coverage and Data Source Map
- Monitoring Alert Threshold Review
- Out-of-Hours Monitoring Escalation Checklist
- A.8.16 Audit Checklist
- Operational Software Installation Procedure
- Operational Software Release and Installation Record
- Software Rollback and Fallback Checklist
- Software Licence and Support Verification Checklist
- A.8.19 Audit Checklist
- Network Security Architecture and Zoning Standard
- Network Device Configuration and Change Review
- Network Monitoring and Corrective Action Register
- Virtual Network and Hypervisor Security Review
- A.8.20 Audit Checklist
- Network Service Security Requirements Register
- Network Service Provider Review Checklist
- Network Service SLA and Security Feature Review
- A.8.21 Audit Checklist
- Network Zone and Connection Matrix
- Network Segmentation Test Checklist
- Wireless Network Security Assessment
- A.8.22 Audit Checklist
- Web Filtering Policy and Category Matrix
- Web Filtering Exception Register
- Web Filtering Coverage Review
- A.8.23 Audit Checklist
- Cryptographic Controls Policy
- Cryptographic Use Case and Algorithm Register
- Cryptographic Key Management Register
- Certificate Authority and Certificate Review
- Key Escrow and Emergency Recovery Checklist
- Cryptographic Legal Requirements Assessment
- A.8.24 Audit Checklist
- Secure Development Policy
- Secure Development Compliance Review Checklist
- Secure Code Review Record
- Developer Security Training Matrix
- A.8.25 Audit Checklist
- Application Security Requirements Register
- Application Transaction Security Checklist
- Application Security Requirements Approval Record
- A.8.26 Audit Checklist
- Secure Architecture Principles Standard
- Security Architecture Review Record
- Security Engineering Deviation Record
- A.8.27 Audit Checklist
- Secure Coding Standard
- Secure Coding Compliance Review Checklist
- Secure Coding Exception Record
- AI-Generated Code Security Review Checklist
- A.8.28 Audit Checklist
- Security Test Plan
- Security Acceptance Criteria Checklist
- Security Test Results and Remediation Tracker
- Security Acceptance Sign-Off Record
- A.8.29 Audit Checklist
- Outsourced Development Security Requirements Checklist
- Outsourced Development Review Register
- Supplier Development Evidence Request List
- A.8.30 Audit Checklist
- Development Environment Separation Standard
- Development Test Production Separation Checklist
- Test Data Security Approval Record
- A.8.31 Audit Checklist
- Change Management Procedure
- Change Request and Security Impact Assessment
- Emergency Change Record
- Release and Rollback Plan
- A.8.32 Audit Checklist
- Test Information Management Register
- Test Data Protection Checklist
- A.8.33 Audit Checklist
- Audit Testing Plan and Authorization Record
- Audit Tool Validation Record
- A.8.34 Audit Checklist
- Iso27001
- Auditor guide
- Technological controls
- Internal audit
Note Metadata
Aliases: A.8 Audit Guide
Source: 06 Auditor Guide/A.8 Technological Controls Audit Guide.md
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
- A.8.1 Audit Checklist
- A.8.1 Audit Evidence Pack
- A.8.2 Audit Checklist
- A.8.2 Audit Evidence Pack
- A.8.3 Audit Evidence Pack
- A.8.4 Audit Evidence Pack
- A.8.5 Audit Evidence Pack
- A.8.6 Audit Evidence Pack
- A.8.7 Audit Evidence Pack
- A.8.8 Audit Evidence Pack
- A.8.9 Audit Evidence Pack
- A.8.10 Audit Evidence Pack
- A.8.11 Audit Evidence Pack
- A.8.12 Audit Evidence Pack
- A.8.13 Audit Evidence Pack
- A.8.14 Audit Evidence Pack
- A.8.15 Audit Evidence Pack
- A.8.16 Audit Checklist
- A.8.16 Audit Evidence Pack
- A.8.19 Audit Checklist
- A.8.19 Audit Evidence Pack
- A.8.20 Audit Checklist
- A.8.20 Audit Evidence Pack
- A.8.21 Audit Checklist
- A.8.21 Audit Evidence Pack
- A.8.22 Audit Checklist
- A.8.22 Audit Evidence Pack
- A.8.23 Audit Checklist
- A.8.23 Audit Evidence Pack
- A.8.24 Audit Checklist
- A.8.24 Audit Evidence Pack
- A.8.25 Audit Checklist
- A.8.25 Audit Evidence Pack
- A.8.26 Audit Checklist
- A.8.26 Audit Evidence Pack
- A.8.27 Audit Checklist
- A.8.27 Audit Evidence Pack
- A.8.28 Audit Checklist
- A.8.28 Audit Evidence Pack
- A.8.29 Audit Checklist
- A.8.29 Audit Evidence Pack
- A.8.30 Audit Checklist
- A.8.30 Audit Evidence Pack
- A.8.31 Audit Checklist
- A.8.31 Audit Evidence Pack
- A.8.32 Audit Checklist
- A.8.32 Audit Evidence Pack
- A.8.33 Audit Checklist
- A.8.33 Audit Evidence Pack
- A.8.34 Audit Checklist
- A.8.34 Audit Evidence Pack
- Audit Testing Plan and Authorization Record
- Audit Tool Validation Record
- Development Test Production Separation Checklist
- Supplier Development Evidence Request List
Related Notes
- A.8.1 Audit Evidence Pack
- A.8.10 Audit Evidence Pack
- A.8.11 Audit Evidence Pack
- A.8.12 Audit Evidence Pack
- A.8.13 Audit Evidence Pack
- A.8.14 Audit Evidence Pack
- A.8.15 Audit Evidence Pack
- A.8.16 Audit Evidence Pack
- A.8.19 Audit Evidence Pack
- A.8.2 Audit Evidence Pack
- A.8.20 Audit Evidence Pack
- A.8.21 Audit Evidence Pack
- A.8.22 Audit Evidence Pack
- A.8.23 Audit Evidence Pack
- A.8.24 Audit Evidence Pack
- A.8.25 Audit Evidence Pack
- A.8.26 Audit Evidence Pack
- A.8.27 Audit Evidence Pack
- A.8.28 Audit Evidence Pack
- A.8.29 Audit Evidence Pack
- A.8.3 Audit Evidence Pack
- A.8.30 Audit Evidence Pack
- A.8.31 Audit Evidence Pack
- A.8.32 Audit Evidence Pack
- A.8.33 Audit Evidence Pack
- A.8.34 Audit Evidence Pack
- A.8.4 Audit Evidence Pack
- A.8.5 Audit Evidence Pack
- A.8.6 Audit Evidence Pack
- A.8.7 Audit Evidence Pack
- A.8.8 Audit Evidence Pack
- A.8.9 Audit Evidence Pack
- ISO 27001 A.8.1 - User End Point Devices
- ISO 27001 A.8.10 - Information Deletion
- ISO 27001 A.8.11 - Data Masking
- ISO 27001 A.8.12 - Data Leakage Prevention
- ISO 27001 A.8.13 - Information Backup
- ISO 27001 A.8.14 - Redundancy of Information Processing Facilities
- ISO 27001 A.8.15 - Logging
- ISO 27001 A.8.16 - Monitoring Activities
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- ISO 27001 A.8.2 - Privileged Access Rights
- ISO 27001 A.8.20 - Networks Security
- ISO 27001 A.8.21 - Security of Network Services
- ISO 27001 A.8.22 - Segregation of Networks
- ISO 27001 A.8.23 - Web Filtering
- ISO 27001 A.8.24 - Use of Cryptography
- ISO 27001 A.8.25 - Secure Development Life Cycle
- ISO 27001 A.8.26 - Application Security Requirements
- ISO 27001 A.8.27 - Secure System Architecture and Engineering Principles
- ISO 27001 A.8.28 - Secure Coding
- ISO 27001 A.8.29 - Security Testing in Development and Acceptance
- ISO 27001 A.8.3 - Information Access Restriction
- ISO 27001 A.8.30 - Outsourced Development
- ISO 27001 A.8.31 - Separation of Development Test and Production Environments
- ISO 27001 A.8.32 - Change Management
- ISO 27001 A.8.33 - Test Information
- ISO 27001 A.8.34 - Protection of Information Systems During Audit Testing
- ISO 27001 A.8.4 - Access to Source Code
- ISO 27001 A.8.5 - Secure Authentication
- ISO 27001 A.8.6 - Capacity Management
- ISO 27001 A.8.7 - Protection Against Malware
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- ISO 27001 A.8.9 - Configuration Management
- ISO 27001 Auditor Guide
- A.8.1 Audit Checklist
- A.8.16 Audit Checklist
- A.8.19 Audit Checklist
- A.8.2 Audit Checklist
- A.8.20 Audit Checklist
- A.8.21 Audit Checklist
- A.8.22 Audit Checklist
- A.8.23 Audit Checklist
- A.8.24 Audit Checklist
- A.8.25 Audit Checklist
- A.8.26 Audit Checklist
- A.8.27 Audit Checklist
- A.8.28 Audit Checklist
- A.8.29 Audit Checklist
- A.8.30 Audit Checklist
- A.8.31 Audit Checklist
- A.8.32 Audit Checklist
- A.8.33 Audit Checklist
- A.8.34 Audit Checklist
- AI-Generated Code Security Review Checklist
- Application Security Requirements Approval Record
- Application Security Requirements Register
- Application Transaction Security Checklist
- Approved Sensitive Data Flow Register
- Audit Testing Plan and Authorization Record
- Audit Tool Validation Record
- Authentication Mechanism Review Checklist
- Backup and Restore Test Record
- Backup Policy and Schedule
- Backup Scope and Coverage Register
- Capacity Management Plan
- Capacity Monitoring and Forecast Register
- Certificate Authority and Certificate Review
- Change Management Procedure
- Change Request and Security Impact Assessment
- Configuration Baseline Register
- Configuration Compliance Review Checklist
- Cryptographic Controls Policy
- Cryptographic Key Management Register
- Cryptographic Legal Requirements Assessment
- Cryptographic Use Case and Algorithm Register
- Data Masking Decision Register
- Data Masking Standard
- Developer Security Training Matrix
- Development Environment Separation Standard
- Development Test Production Separation Checklist
- Development Tool and Library Integrity Checklist
- DLP Alert Review and Tuning Log
- DLP Scope and Rule Register
- Dynamic Privilege Session Record
- Emergency Change Record
- Endpoint Device Inventory and Compliance Register
- Endpoint Device Security Standard
- Information Access Restriction Review Checklist
- Information Access Rule Matrix
- Information Deletion and Destruction Register
- Information Retention and Deletion Rules
- Key Escrow and Emergency Recovery Checklist
- Log Review and Alert Triage Record
- Log Source and Retention Register
- Logging and Monitoring Standard
- Malware Awareness Checklist
- Malware Infection Response Record
- Malware Protection Coverage and Update Register
- Malware Protection Standard
- Monitoring Alert Threshold Review
- Monitoring Coverage and Data Source Map
- Monitoring Detection Use Case Register
- Network Device Configuration and Change Review
- Network Monitoring and Corrective Action Register
- Network Security Architecture and Zoning Standard
- Network Segmentation Test Checklist
- Network Service Provider Review Checklist
- Network Service Security Requirements Register
- Network Service SLA and Security Feature Review
- Network Zone and Connection Matrix
- Operational Software Installation Procedure
- Operational Software Release and Installation Record
- Out-of-Hours Monitoring Escalation Checklist
- Outsourced Development Review Register
- Outsourced Development Security Requirements Checklist
- Patch Testing and Rollback Checklist
- Privileged Access Register
- Privileged Access Review Checklist
- Redundancy Failover Test Record
- Redundancy Requirements and Architecture Register
- Release and Rollback Plan
- Secure Architecture Principles Standard
- Secure Authentication Standard
- Secure Code Review Record
- Secure Coding Compliance Review Checklist
- Secure Coding Exception Record
- Secure Coding Standard
- Secure Development Compliance Review Checklist
- Secure Development Policy
- Security Acceptance Criteria Checklist
- Security Acceptance Sign-Off Record
- Security Architecture Review Record
- Security Engineering Deviation Record
- Security Test Plan
- Security Test Results and Remediation Tracker
- Sensitive Function and Export Control Checklist
- Software Licence and Support Verification Checklist
- Software Rollback and Fallback Checklist
- Source Code Access Register
- Source Code Change Control Checklist
- Supplier Development Evidence Request List
- Test Data Protection Checklist
- Test Data Security Approval Record
- Test Information Management Register
- Virtual Network and Hypervisor Security Review
- Vulnerability Management Procedure
- Vulnerability Register and Remediation Tracker
- Web Filtering Coverage Review
- Web Filtering Exception Register
- Web Filtering Policy and Category Matrix
- Wireless Network Security Assessment
- Annex A Controls MOC
- Audit Evidence Index
- ISO 27001 Overview