UnixTime

Research Note

A.5.17 Audit Checklist

Use this during internal audits to verify that secret authentication information is allocated and managed through a controlled process.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this during internal audits to verify that secret authentication information is allocated and managed through a controlled process.

Checklist

  • Authentication information policy or standard exists.
  • Secret authentication information types are defined.
  • Users are positively identified before credential issue or reset.
  • Initial temporary credentials require change on first use.
  • Default vendor credentials are changed before production use.
  • Users acknowledge credential confidentiality responsibilities.
  • Users are trained on credential handling and compromise reporting.
  • Technical password/MFA settings match policy.
  • Reset process includes identity verification and logging.
  • Urgent reset process has follow-up review.
  • Privileged credentials are vaulted or tightly controlled.
  • Service secrets are stored and rotated according to risk.
  • Shared credentials are avoided or controlled through approved exceptions.
  • Password quality testing, if performed, is authorized.
  • Iso27001
  • ISO27002
  • Template
  • Audit
  • A5 17

Note Metadata

Aliases: A.5.17 Checklist

Source: 90 Templates/A.5.17 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.