UnixTime

Research Note

A.5.20 Audit Checklist

Use this during internal audits to verify that supplier security requirements are formally agreed and appropriate to the supplier relationship.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this during internal audits to verify that supplier security requirements are formally agreed and appropriate to the supplier relationship.

Checklist

  • Supplier risk assessment exists.
  • Supplier agreement or contract exists.
  • Security requirements match supplier access, information exposure, and service criticality.
  • Agreement includes confidentiality and information handling requirements.
  • Agreement includes access control and authentication requirements where relevant.
  • Agreement includes incident notification requirements.
  • Agreement includes subcontractor and flow-down requirements where relevant.
  • Agreement includes termination, return, deletion, or exit requirements.
  • Control responsibilities between parties are clear.
  • Agreement is approved by authorized representatives.
  • Supplier access did not begin before required controls were agreed.
  • Deviations are documented, justified, approved, and reviewed.
  • Iso27001
  • ISO27002
  • Template
  • Audit
  • A5 20

Note Metadata

Aliases: A.5.20 Checklist

Source: 90 Templates/A.5.20 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.