UnixTime

Research Note

A.8.8 Audit Checklist

Use this checklist during an internal audit of vulnerability intelligence, scanning, risk evaluation, remediation, patching, exceptions, and retesting.

On this page

When to use this

Use this checklist during an internal audit of vulnerability intelligence, scanning, risk evaluation, remediation, patching, exceptions, and retesting.

Audit checklist

  • Review vulnerability management procedure.
  • Review vulnerability information sources.
  • Review asset/scanning scope.
  • Sample vulnerability scan reports.
  • Check penetration testing approach for sensitive systems.
  • Sample risk rating and prioritization.
  • Sample patch/change records.
  • Review patch testing and rollback evidence.
  • Review retest evidence.
  • Review exceptions and risk acceptance.
  • Review vulnerability metrics or management reporting.

Findings table

System/finding Expected evidence Observed evidence Gap Finding type Action owner
TBD TBD TBD TBD NC / observation / conforming TBD