UnixTime

Research Note

A.5.9 Audit Checklist

Use this during internal audits to verify that information and associated assets are inventoried, owned, maintained, and protected.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this during internal audits to verify that information and associated assets are inventoried, owned, maintained, and protected.

Checklist

  • Inventory includes information assets in technical and non-technical formats.
  • Inventory includes associated physical, virtual, software, service, process, media, contract, and documentation assets where relevant.
  • Important assets have assigned owners.
  • Custodians are assigned where daily protection is delegated.
  • Owners understand their responsibilities.
  • Inventory contains business value or criticality.
  • Inventory contains security classification.
  • Inventory records location or hosting.
  • Inventory records special requirements such as personal data or regulated data.
  • Inventory records backup and disaster recovery arrangements.
  • Inventory records retention period or lifespan.
  • Software licensing information is tracked where applicable.
  • Disposals are recorded with date, method, approval, and recipient/vendor.
  • Project, change, procurement, and disposal processes update the inventory.
  • Inventory accuracy is checked periodically.
  • Inventory itself is protected by access control and backup.
  • Iso27001
  • ISO27002
  • Template
  • Audit
  • A5 9

Note Metadata

Aliases: A.5.9 Checklist

Source: 90 Templates/A.5.9 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.