When to use this
Use this checklist during design review, audit preparation, or system assessment to test whether authentication behavior is secure.
Related controls
Checklist
- Authentication method is linked to risk assessment.
- MFA is required for high-risk access where justified.
- MFA factors are different types.
- Password or secret entry is masked.
- Failed attempts trigger lockout, delay, throttling, alert, or equivalent control.
- Error messages do not reveal account existence or system internals.
- Recovery process is controlled.
- Authentication logs are retained and reviewed where required.
- Legacy weaknesses have documented compensating controls.
Review table
| System | Access type | Authentication method | Risk level | Gap | Compensating control | Owner |
|---|---|---|---|---|---|---|
| TBD | TBD | TBD | Low/Medium/High | TBD | TBD | TBD |
- Template
- Iso27001
- Technological controls
- Authentication
Note Metadata
Aliases: Authentication Review Checklist
Source: 90 Templates/Authentication Mechanism Review Checklist.md
Related Notes
- A.8.5 Audit Evidence Pack
- ISO 27001 A.8.5 - Secure Authentication
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- A.8.5 Audit Checklist
- Secure Authentication Standard
- Templates MOC