UnixTime

Research Note

A.5.34 Audit Checklist

Use this during internal audits to test whether A.5.34 Privacy and Protection of PII is designed, implemented, operating, and evidenced.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this during internal audits to test whether A.5.34 Privacy and Protection of PII is designed, implemented, operating, and evidenced.

Audit checklist

  • PII inventory lists data categories, location, purpose, justification, retention, access roles, transfers, systems, suppliers, and jurisdictions.
  • Privacy requirements matrix maps laws, regulations, contracts, and client requirements to implemented controls and evidence.
  • Senior privacy accountability and operational responsibilities are assigned and understood.
  • Staff handling PII receive role-specific training and can explain responsibilities.
  • Access to PII is role-based, reviewed, and limited to job need.
  • Annual PII review verifies holdings, purpose, retention, access, transfers, and compliance with current requirements.

Evidence requested

  • Inventory or register reviewed.
  • Responsible owner interviewed.
  • Sample records/systems selected.
  • Evidence location recorded.
  • Gaps converted into findings or corrective actions.
  • Iso27001
  • ISO27002
  • Template
  • Audit
  • A5 34

Note Metadata

Aliases: A.5.34 Checklist

Source: 90 Templates/A.5.34 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.