UnixTime

Research Note

A.5.8 Audit Checklist

Use this during internal audits to verify that information security is embedded in project governance and applied to sampled projects.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this during internal audits to verify that information security is embedded in project governance and applied to sampled projects.

Checklist

  • Project methodology requires information security objectives, risks, and controls to be identified.
  • Methodology defines security checkpoints across the project lifecycle.
  • Methodology requires security review after project changes.
  • Information security responsibilities are assigned to project roles.
  • Sampled projects include information security risk assessment.
  • Project security risks are distinct from delivery risks.
  • Security requirements are documented with functional requirements.
  • Risks are traceable to controls and requirements.
  • Developed systems, acquired systems, add-ons, and customizations are assessed.
  • Security requirements are tested before acceptance or go-live.
  • Deficiencies are tracked, escalated, and resolved or risk-accepted.
  • Transition to operations includes enduring controls, evidence, owners, and support arrangements.
  • Iso27001
  • ISO27002
  • Template
  • Audit
  • A5 8

Note Metadata

Aliases: A.5.8 Checklist

Source: 90 Templates/A.5.8 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.