UnixTime

Research Note

A.8.16 Audit Checklist

Use this checklist during an internal audit of security monitoring, alerting, anomaly detection, triage, escalation, and incident evaluation.

On this page

When to use this

Use this checklist during an internal audit of security monitoring, alerting, anomaly detection, triage, escalation, and incident evaluation.

Audit checklist

  • Review monitoring strategy, standard, or procedure.
  • Trace monitoring requirements from risk assessment and critical assets.
  • Review detection use cases and alert rules.
  • Sample monitoring coverage across networks, systems, applications, cloud, and security tools.
  • Review blind spots and compensating controls.
  • Review alert thresholds and tuning evidence.
  • Sample alert triage records.
  • Trace true positives to event assessment or incident response records.
  • Check evidence of false-positive and event-fatigue management.
  • Check out-of-hours escalation procedure and test evidence.
  • Review monitoring performance and improvement records.

Findings table

Monitoring area Expected evidence Observed evidence Gap Finding type Action owner
TBD TBD TBD TBD NC / observation / conforming TBD
  • Template
  • Audit
  • Iso27001
  • A8 16

Note Metadata

Aliases: A.8.16 Monitoring Activities Audit Checklist

Source: 90 Templates/A.8.16 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.