UnixTime

Research Note

A.8.9 Audit Checklist

Use this checklist during an internal audit of secure configuration baselines, implementation, monitoring, exceptions, and review.

On this page

When to use this

Use this checklist during an internal audit of secure configuration baselines, implementation, monitoring, exceptions, and review.

Audit checklist

  • Review configuration baseline register.
  • Review system-to-baseline mapping.
  • Sample configuration compliance reports.
  • Check exception/deviation records.
  • Review risk assessments and compensating controls for deviations.
  • Review drift alerts and closure evidence.
  • Check linkage to change and incident management.
  • Review baseline review/update records.
  • Interview system owner or configuration owner.

Findings table

System/baseline Expected evidence Observed evidence Gap Finding type Action owner
TBD TBD TBD TBD NC / observation / conforming TBD
  • Template
  • Audit
  • Iso27001
  • A8 9

Note Metadata

Aliases: A.8.9 Configuration Management Audit Checklist

Source: 90 Templates/A.8.9 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.