UnixTime

Research Note

A.8.11 Audit Checklist

Use this checklist during an internal audit of masking, pseudonymisation, tokenisation, anonymisation, re-combination, and re-identification controls.

On this page

When to use this

Use this checklist during an internal audit of masking, pseudonymisation, tokenisation, anonymisation, re-combination, and re-identification controls.

Audit checklist

  • Review data masking standard.
  • Review sensitive data inventory and masking decisions.
  • Confirm roles permitted to view full data.
  • Review masking/tokenisation/anonymisation configuration.
  • Check lookup table/key segregation.
  • Review re-combination authorization and logs.
  • Review deletion of re-combined data.
  • Assess potentially identifiable information.
  • Test a sample masked/anonymised data set for re-identification risk.

Findings table

Data set/use case Expected evidence Observed evidence Gap Finding type Action owner
TBD TBD TBD TBD NC / observation / conforming TBD
  • Template
  • Audit
  • Iso27001
  • A8 11

Note Metadata

Aliases: A.8.11 Data Masking Audit Checklist

Source: 90 Templates/A.8.11 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.