UnixTime

Research Note

A.5.23 Audit Checklist

Use this during internal audits to verify that cloud services are acquired, used, managed, and exited according to information security requirements.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this during internal audits to verify that cloud services are acquired, used, managed, and exited according to information security requirements.

Checklist

  • Cloud service register exists.
  • Cloud service owners are assigned.
  • Cloud risk assessments are performed.
  • Data location and support location are reviewed.
  • Shared responsibility is documented.
  • Required security features are defined and enabled or risk-accepted.
  • Cloud agreements address relevant security requirements.
  • Provider assurance is reviewed.
  • Service dashboards/reports are reviewed.
  • Provider incident notification process is defined.
  • Provider incidents are reviewed and acted on.
  • Exit plans exist for critical cloud services.
  • Risks above tolerance are accepted by appropriate management.
  • Iso27001
  • ISO27002
  • Template
  • Audit
  • A5 23

Note Metadata

Aliases: A.5.23 Checklist

Source: 90 Templates/A.5.23 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.