UnixTime

Research Note

A.8.5 Audit Checklist

Use this checklist during an internal audit of authentication mechanisms, MFA, failed logon controls, recovery flows, and authentication exceptions.

On this page

When to use this

Use this checklist during an internal audit of authentication mechanisms, MFA, failed logon controls, recovery flows, and authentication exceptions.

Audit checklist

  • Review authentication standard.
  • Review risk assessment for authentication strength.
  • Sample MFA configuration for high-risk access.
  • Confirm MFA uses different factor types.
  • Review failed logon lockout/delay/throttling controls.
  • Review authentication error messages.
  • Review recovery/reset process.
  • Review authentication logs and alerting.
  • Review exceptions and compensating controls.
  • Interview system owner or IAM owner.

Findings table

System Expected evidence Observed evidence Gap Finding type Action owner
TBD TBD TBD TBD NC / observation / conforming TBD
  • Template
  • Audit
  • Iso27001
  • A8 5

Note Metadata

Aliases: A.8.5 Secure Authentication Audit Checklist

Source: 90 Templates/A.8.5 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.