UnixTime

Research Note

A.5.21 Audit Checklist

Use this during internal audits to verify that ICT supply-chain dependencies and inherited security risks are identified and managed.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this during internal audits to verify that ICT supply-chain dependencies and inherited security risks are identified and managed.

Checklist

  • Critical ICT suppliers are identified.
  • ICT supply-chain dependencies are recorded for high-risk services.
  • Subcontractors, hosting, support, and data location risks are considered.
  • Supplier agreements include relevant supply-chain security requirements.
  • Flow-down obligations are defined where relevant.
  • Material subcontractor or platform changes require notification.
  • Supplier assurance evidence is reviewed for high-risk services.
  • Supply-chain changes trigger risk reassessment.
  • Incidents involving supply-chain dependencies are escalated.
  • Review depth is proportionate to supplier criticality.
  • Iso27001
  • ISO27002
  • Template
  • Audit
  • A5 21

Note Metadata

Aliases: A.5.21 Checklist

Source: 90 Templates/A.5.21 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.