When to use this
Use this checklist during an internal audit of secure configuration baselines, implementation, monitoring, exceptions, and review.
Related controls
- A.8.9 Configuration Management
- A.8.9 Audit Evidence Pack
- Configuration Baseline Register
- Configuration Exception and Risk Acceptance Record
- Configuration Compliance Review Checklist
- Configuration Drift Alert Review Record
Audit checklist
- Review configuration baseline register.
- Review system-to-baseline mapping.
- Sample configuration compliance reports.
- Check exception/deviation records.
- Review risk assessments and compensating controls for deviations.
- Review drift alerts and closure evidence.
- Check linkage to change and incident management.
- Review baseline review/update records.
- Interview system owner or configuration owner.
Findings table
| System/baseline | Expected evidence | Observed evidence | Gap | Finding type | Action owner |
|---|---|---|---|---|---|
| TBD | TBD | TBD | TBD | NC / observation / conforming | TBD |
- Template
- Audit
- Iso27001
- A8 9
Note Metadata
Aliases: A.8.9 Configuration Management Audit Checklist
Source: 90 Templates/A.8.9 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- A.8.9 Audit Evidence Pack
- Audit Evidence MOC
- ISO 27001 A.8.9 - Configuration Management
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Audit Risk Mapping
- Configuration Baseline Register
- Configuration Compliance Review Checklist
- Configuration Drift Alert Review Record
- Configuration Exception and Risk Acceptance Record
- Audit Evidence Index
- Templates MOC