When to use this
Use this checklist during an internal audit of application, database, report, export, print, maintenance utility, and dynamic privilege access restrictions.
Related controls
- A.8.3 Information Access Restriction
- A.8.3 Audit Evidence Pack
- Information Access Rule Matrix
- Information Access Restriction Review Checklist
- Dynamic Privilege Session Record
- Sensitive Function and Export Control Checklist
Audit checklist
- Review access control policy and topic-specific access rules.
- Review owner-approved access rule matrix.
- Sample application roles against approved permissions.
- Compare application permissions with database permissions.
- Check restricted menus, reports, and functions.
- Check maintenance utilities and little-used functions.
- Review export, print, and download restrictions.
- Check whether extracted information remains subject to handling rules.
- Review dynamic privilege or remote support session records.
- Confirm temporary access has start/end times, logs, and review.
- Interview system owners and users.
Findings table
| System/function | Expected evidence | Observed evidence | Gap | Finding type | Action owner |
|---|---|---|---|---|---|
| TBD | TBD | TBD | TBD | NC / observation / conforming | TBD |
- Template
- Audit
- Iso27001
- A8 3
Note Metadata
Aliases: A.8.3 Information Access Restriction Audit Checklist
Source: 90 Templates/A.8.3 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- A.8.3 Audit Evidence Pack
- Audit Evidence MOC
- ISO 27001 A.8.3 - Information Access Restriction
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Audit Risk Mapping
- Dynamic Privilege Session Record
- Information Access Restriction Review Checklist
- Information Access Rule Matrix
- Sensitive Function and Export Control Checklist
- Audit Evidence Index
- Templates MOC