When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this during internal audits to verify that secret authentication information is allocated and managed through a controlled process.
Checklist
- Authentication information policy or standard exists.
- Secret authentication information types are defined.
- Users are positively identified before credential issue or reset.
- Initial temporary credentials require change on first use.
- Default vendor credentials are changed before production use.
- Users acknowledge credential confidentiality responsibilities.
- Users are trained on credential handling and compromise reporting.
- Technical password/MFA settings match policy.
- Reset process includes identity verification and logging.
- Urgent reset process has follow-up review.
- Privileged credentials are vaulted or tightly controlled.
- Service secrets are stored and rotated according to risk.
- Shared credentials are avoided or controlled through approved exceptions.
- Password quality testing, if performed, is authorized.
Related notes
- Iso27001
- ISO27002
- Template
- Audit
- A5 17
Note Metadata
Aliases: A.5.17 Checklist
Source: 90 Templates/A.5.17 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.