When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this during internal audits to verify that identities are managed across the full lifecycle.
Checklist
- Identity lifecycle procedure exists.
- All user types are in scope, including administrators, support users, developers, contractors, and third-party users.
- Identities are unique where possible.
- Identity creation is authorized and logged.
- Identity changes are processed for movers.
- Leaver identities are disabled or removed promptly.
- Live identities are periodically reviewed.
- System identities match registered users and authorizations.
- Redundant identities are not reissued.
- Shared identities are rare and justified.
- Shared identities have risk assessment, approval, usage tracking, and credential custody controls.
- Shared credentials are changed when custody changes.
Related notes
- Iso27001
- ISO27002
- Template
- Audit
- A5 16
Note Metadata
Aliases: A.5.16 Checklist
Source: 90 Templates/A.5.16 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.