When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this during internal audits to verify that information security is embedded in project governance and applied to sampled projects.
Checklist
- Project methodology requires information security objectives, risks, and controls to be identified.
- Methodology defines security checkpoints across the project lifecycle.
- Methodology requires security review after project changes.
- Information security responsibilities are assigned to project roles.
- Sampled projects include information security risk assessment.
- Project security risks are distinct from delivery risks.
- Security requirements are documented with functional requirements.
- Risks are traceable to controls and requirements.
- Developed systems, acquired systems, add-ons, and customizations are assessed.
- Security requirements are tested before acceptance or go-live.
- Deficiencies are tracked, escalated, and resolved or risk-accepted.
- Transition to operations includes enduring controls, evidence, owners, and support arrangements.
Related notes
- Iso27001
- ISO27002
- Template
- Audit
- A5 8
Note Metadata
Aliases: A.5.8 Checklist
Source: 90 Templates/A.5.8 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.