When to use this
Use this checklist during an internal audit of authentication mechanisms, MFA, failed logon controls, recovery flows, and authentication exceptions.
Related controls
- A.8.5 Secure Authentication
- A.8.5 Audit Evidence Pack
- Secure Authentication Standard
- Authentication Mechanism Review Checklist
- Authentication Exception and Compensating Control Record
Audit checklist
- Review authentication standard.
- Review risk assessment for authentication strength.
- Sample MFA configuration for high-risk access.
- Confirm MFA uses different factor types.
- Review failed logon lockout/delay/throttling controls.
- Review authentication error messages.
- Review recovery/reset process.
- Review authentication logs and alerting.
- Review exceptions and compensating controls.
- Interview system owner or IAM owner.
Findings table
| System | Expected evidence | Observed evidence | Gap | Finding type | Action owner |
|---|---|---|---|---|---|
| TBD | TBD | TBD | TBD | NC / observation / conforming | TBD |
- Template
- Audit
- Iso27001
- A8 5
Note Metadata
Aliases: A.8.5 Secure Authentication Audit Checklist
Source: 90 Templates/A.8.5 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- A.8.5 Audit Evidence Pack
- Audit Evidence MOC
- ISO 27001 A.8.5 - Secure Authentication
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Audit Risk Mapping
- Authentication Exception and Compensating Control Record
- Authentication Mechanism Review Checklist
- Secure Authentication Standard
- Audit Evidence Index
- Templates MOC