When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this during internal audits to verify that cloud services are acquired, used, managed, and exited according to information security requirements.
Checklist
- Cloud service register exists.
- Cloud service owners are assigned.
- Cloud risk assessments are performed.
- Data location and support location are reviewed.
- Shared responsibility is documented.
- Required security features are defined and enabled or risk-accepted.
- Cloud agreements address relevant security requirements.
- Provider assurance is reviewed.
- Service dashboards/reports are reviewed.
- Provider incident notification process is defined.
- Provider incidents are reviewed and acted on.
- Exit plans exist for critical cloud services.
- Risks above tolerance are accepted by appropriate management.
Related notes
- Iso27001
- ISO27002
- Template
- Audit
- A5 23
Note Metadata
Aliases: A.5.23 Checklist
Source: 90 Templates/A.5.23 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.