UnixTime

Research Note

A.5.16 Audit Checklist

Use this during internal audits to verify that identities are managed across the full lifecycle.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this during internal audits to verify that identities are managed across the full lifecycle.

Checklist

  • Identity lifecycle procedure exists.
  • All user types are in scope, including administrators, support users, developers, contractors, and third-party users.
  • Identities are unique where possible.
  • Identity creation is authorized and logged.
  • Identity changes are processed for movers.
  • Leaver identities are disabled or removed promptly.
  • Live identities are periodically reviewed.
  • System identities match registered users and authorizations.
  • Redundant identities are not reissued.
  • Shared identities are rare and justified.
  • Shared identities have risk assessment, approval, usage tracking, and credential custody controls.
  • Shared credentials are changed when custody changes.
  • Iso27001
  • ISO27002
  • Template
  • Audit
  • A5 16

Note Metadata

Aliases: A.5.16 Checklist

Source: 90 Templates/A.5.16 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.