UnixTime

Research Note

A.8.26 Audit Checklist

Use this checklist during an internal audit of application security requirements for developed or acquired applications.

On this page

When to use this

Use this checklist during an internal audit of application security requirements for developed or acquired applications.

Audit checklist

  • Sample applications developed or acquired.
  • Review security requirements register.
  • Trace requirements to risk assessment.
  • Check requirement approval.
  • Review transaction/security control requirements.
  • Check crypto, network, logging, and legal requirements where relevant.
  • Review security testing and acceptance evidence.
  • Check exception/risk acceptance records.

Findings table

Application Expected evidence Observed evidence Gap Finding type Action owner
TBD TBD TBD TBD NC / observation / conforming TBD