UnixTime

Research Note

A.5.18 Audit Checklist

Use this during internal audits to verify that access rights are provisioned, reviewed, modified, and removed according to access control rules.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this during internal audits to verify that access rights are provisioned, reviewed, modified, and removed according to access control rules.

Checklist

  • Access request process exists.
  • Access requests include business need.
  • Users accept conditions of access where relevant.
  • Asset owner or authorized approver approves access.
  • Provisioned access matches approved access.
  • Access reviews are performed periodically.
  • Reviews compare actual access to authorized access.
  • Mover access is updated promptly.
  • Leaver access is removed promptly.
  • Physical access rights are included.
  • Privileged access is included.
  • Shared credentials are changed when membership changes.
  • Review findings are remediated and evidenced.
  • Iso27001
  • ISO27002
  • Template
  • Audit
  • A5 18

Note Metadata

Aliases: A.5.18 Checklist

Source: 90 Templates/A.5.18 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.