When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this during internal audits to verify that physical and logical access controls are defined, implemented, approved, and reviewed.
Checklist
- Access control policy exists.
- Rules cover physical and logical access.
- Least privilege is defined and applied.
- Need-to-know and need-to-use are considered.
- Access rights are based on business requirements.
- Access is aligned with classification and handling requirements.
- Asset owners or authorized roles approve access.
- Role-based access profiles are used where practical.
- Privileged access is justified and monitored.
- Access reviews are performed periodically.
- Leaver and mover access is updated promptly.
- Exceptions are documented and approved.
- Senior-user access is justified, not assumed.
Related notes
- Iso27001
- ISO27002
- Template
- Audit
- A5 15
Note Metadata
Aliases: A.5.15 Checklist
Source: 90 Templates/A.5.15 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.