When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this during internal audits to verify that access rights are provisioned, reviewed, modified, and removed according to access control rules.
Checklist
- Access request process exists.
- Access requests include business need.
- Users accept conditions of access where relevant.
- Asset owner or authorized approver approves access.
- Provisioned access matches approved access.
- Access reviews are performed periodically.
- Reviews compare actual access to authorized access.
- Mover access is updated promptly.
- Leaver access is removed promptly.
- Physical access rights are included.
- Privileged access is included.
- Shared credentials are changed when membership changes.
- Review findings are remediated and evidenced.
Related notes
- Iso27001
- ISO27002
- Template
- Audit
- A5 18
Note Metadata
Aliases: A.5.18 Checklist
Source: 90 Templates/A.5.18 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.