IT Audit Checklist
Table of Contents
Security Policy ........ 4
  Information security policy ........ 4
Organization of information security ........ 5
  Internal Organization ........ 5
  External Parties ........ 5
Asset Management ........ 5
  Responsibility for assets ........ 5
  Information classification ........ 5
Human resources security ........ 5
  Prior to employment ........ 5
  During employment ........ 5
  Termination or change of employment ........ 5
Physical and Environmental Security ........ 5
  Secure Areas ........ 5
  Equipment Security ........ 5
Communications and Operations Management ........ 5
  Operational Procedures and responsibilities ........ 5
  Third party service delivery management ........ 5
  System planning and acceptance ........ 5
  Protection against malicious and mobile code ........ 5
  Backup ........ 5
  Network Security Management ........ 5
  Media handling ........ 5
  Exchange of Information ........ 5
Audit Checklist
30/12/2015

Audit Date: ___________________________
Columns of the checklist table: Checklist section / Standard section, control title, Audit Question, Results (Findings, Compliance).

Security Policy
1.1 / 5.1      Information security policy
1.1.1 / 5.1.1
1.1.2 / 5.1.2  Review of the information security policy
    Whether any defined information security policy review procedures exist and whether they include requirements for the management review.
    Whether the results of the management review are taken into account.
    Whether management approval is obtained for the revised policy.
Organization of information security
6.1            Internal Organization
2.1.1 / 6.1.1  Management commitment to information security
2.1.2 / 6.1.2  Information security coordination
2.1.3 / 6.1.3  Allocation of information security responsibilities
2.1.4 / 6.1.4  Authorization process for information processing facilities
2.1.5 / 6.1.5  Confidentiality agreements
2.1.6 / 6.1.6  Contact with authorities
2.1.7 / 6.1.7  Contact with special interest groups
2.1.8 / 6.1.8  Independent review of information security
    ... reviewed independently at planned intervals, or when major changes to the security implementation occur.
2.2 / 6.2      External Parties
2.2.1 / 6.2.1  Identification of risks related to external parties
2.2.2 / 6.2.2  Addressing security when dealing with customers
2.2.3 / 6.2.3  Addressing security in third party agreements
Asset Management
3.1 / 7.1      Responsibility for assets
3.1.1 / 7.1.1
3.1.2 / 7.1.2  Ownership of assets
3.1.3 / 7.1.3  Acceptable use of assets
3.2 / 7.2      Information classification
3.2.1 / 7.2.1  Classification guidelines
3.2.2 / 7.2.2  Information labelling and handling
Human resources security
8.1            Prior to employment
4.1.1 / 8.1.1  Roles and responsibilities
4.1.2 / 8.1.2  Screening
4.1.3 / 8.1.3  Terms and conditions of employment
    ... employees, third party users and contractors.
4.2 / 8.2      During employment
4.2.1 / 8.2.1  Management responsibilities
4.2.2 / 8.2.2  Information security awareness, education and training
4.2.3 / 8.2.3  Disciplinary process
4.3 / 8.3      Termination or change of employment
4.3.1 / 8.3.1
4.3.2 / 8.3.2  ... assets
4.3.3 / 8.3.3  Removal of access rights
Physical and Environmental Security
9.1            Secure Areas
5.1.1 / 9.1.1  Physical security perimeter
5.1.2 / 9.1.2  Physical entry controls
5.1.3 / 9.1.3  Securing offices, rooms and facilities
5.1.4 / 9.1.4  Protecting against external and environmental threats
    Whether physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster is designed and applied.
5.1.5 / 9.1.5  Working in secure areas
5.1.6 / 9.1.6  Public access, delivery and loading areas
5.2 / 9.2      Equipment Security
5.2.1 / 9.2.1  Equipment siting and protection
5.2.2 / 9.2.2  Supporting utilities
    ... supporting utilities.
    Whether permanence of power supplies, such as multiple feeds, an Uninterruptible Power Supply (UPS), a backup generator, etc., is being utilized.
5.2.3 / 9.2.3  Cabling security
    Whether the power and telecommunications cabling, carrying data or supporting information services, is protected from interception or damage.
    Whether there are any additional security controls in place for sensitive or critical information.
5.2.4 / 9.2.4  Equipment maintenance
5.2.5 / 9.2.5  Securing of equipment off-premises
    Whether risks were assessed with regard to any equipment usage outside the organization's premises, and mitigation controls implemented.
    Whether the usage of an information processing facility outside the organization has been authorized by management.
5.2.6 / 9.2.6
    Whether all equipment, containing storage media, is ...
5.2.7 / 9.2.7
Communications and Operations Management
10.1           Operational Procedures and responsibilities
6.1.1 / 10.1.1
6.1.2 / 10.1.2 Change management
    Whether all changes to information processing facilities and systems are controlled.
6.1.3 / 10.1.3 Segregation of duties
    Whether duties and areas of responsibility are separated, in order to reduce opportunities for unauthorized modification or misuse of information or services.
6.1.4 / 10.1.4 Separation of development, test and operational facilities
    Whether the development and testing facilities are isolated from operational facilities. For example, development and production software should be run on different computers. Where necessary, development and production networks should be kept separate from each other.
6.2 / 10.2     Third party service delivery management
6.2.1 / 10.2.1
6.2.2 / 10.2.2 Monitoring and review of third party services
    ... services, reports and records, at regular intervals.
6.2.3 / 10.2.3 Managing changes to third party services
    Whether changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, are managed.
    Does this take into account the criticality of business systems, the processes involved and re-assessment of risks ...
6.3 / 10.3     System planning and acceptance
6.3.1 / 10.3.1
6.3.2 / 10.3.2 System acceptance
6.4 / 10.4     Protection against malicious and mobile code
6.4.1 / 10.4.1 Controls against malicious code
    Whether detection, prevention and recovery controls to protect against malicious code, and appropriate user awareness procedures, were developed and implemented.
6.4.2 / 10.4.2 Controls against mobile code
    Whether only authorized mobile code is used.
    Whether the configuration ensures that authorized mobile code operates according to the security policy.
    Whether execution of unauthorized mobile code is prevented.
    (Mobile code is software code that transfers from one computer to another computer and then executes automatically. It performs a specific function with little or no user intervention. Mobile code is associated with a number of middleware services.)
6.5 / 10.5     Backup
6.5.1 / 10.5.1 Information backup
6.6 / 10.6     Network Security Management
6.6.1 / 10.6.1 Network controls
6.6.2 / 10.6.2 Security of network services
6.7 / 10.7     Media handling
6.7.1 / 10.7.1 Management of removable media
6.7.2 / 10.7.2 Disposal of media
6.7.3 / 10.7.3 Information handling procedures
6.7.4 / 10.7.4 Security of system documentation
6.8 / 10.8     Exchange of Information
6.8.1 / 10.8.1 Information exchange policies and procedures
6.8.2 / 10.8.2 Exchange agreements
    ... the sensitivity of the business information involved.
6.8.3 / 10.8.3
6.8.4 / 10.8.4 Electronic messaging
6.8.5 / 10.8.5 Business information systems
6.9 / 10.9
6.9.1 / 10.9.1
    ... trading, including details of security issues.
6.9.2 / 10.9.2 On-line transactions
6.9.3 / 10.9.3 Publicly available information
6.10 / 10.10   Monitoring
6.10.1 / 10.10.1 Audit logging
6.10.2 / 10.10.2 Monitoring system use
    ... assessment.
6.10.3 / 10.10.3
6.10.4 / 10.10.4 Administrator and operator logs
6.10.5 / 10.10.5 Fault logging
6.10.6 / 10.10.6 Clock synchronisation
Access Control
7.1 / 11.1
7.1.1 / 11.1.1 Access control policy
7.2 / 11.2
7.2.1 / 11.2.1
    Whether there is any formal user registration and de-registration procedure for granting access to all information systems and services.
7.2.2 / 11.2.2
    Whether the allocation and use of any privileges in the information system environment is restricted and controlled, i.e. privileges are allocated on a need-to-use basis and only after a formal authorization process.
7.2.3 / 11.2.3 User password management
    The allocation and reallocation of passwords should be controlled through a formal management process.
    Whether the users are asked to sign a statement to keep the password confidential.
7.2.4 / 11.2.4 Review of user access rights
7.3 / 11.3     User Responsibilities
7.3.1 / 11.3.1 Password use
7.3.2 / 11.3.2 Unattended user equipment
7.3.3 / 11.3.3
7.4 / 11.4
7.4.1 / 11.4.1 ... services
7.4.2 / 11.4.2 User authentication for external connections
7.4.3 / 11.4.3 Equipment identification in networks
7.4.4 / 11.4.4 Remote diagnostic and configuration port protection
7.4.5 / 11.4.5 Segregation in networks
    ... wireless networks from internal and private networks.
7.4.6 / 11.4.6 Network connection control
7.4.7 / 11.4.7 Network routing control
7.5 / 11.5
7.5.1 / 11.5.1
7.5.2 / 11.5.2
    ... to maintain accountability.
7.5.3 / 11.5.3 Password management system
7.5.4 / 11.5.4 Use of system utilities
7.5.5 / 11.5.5 Session timeout
7.5.6 / 11.5.6 Limitation of connection time
7.6 / 11.6
7.6.1 / 11.6.1 ... restriction
7.6.2 / 11.6.2 Sensitive system isolation
7.7 / 11.7
7.7.1 / 11.7.1
7.7.2 / 11.7.2 Teleworking
12.1
8.1.1 / 12.1.1
8.2 / 12.2
8.2.1 / 12.2.1
8.2.2 / 12.2.2 Control of internal processing
    Whether validation checks are incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
    Whether the design and implementation of applications ensure that the risks of processing failures leading to a loss of integrity are minimised.
8.2.3 / 12.2.3 Message integrity
    Whether requirements for ensuring and protecting message integrity in applications are identified, and appropriate controls identified and implemented.
    Whether a security risk assessment was carried out to determine if message integrity is required, and to identify the most appropriate method of implementation.
8.2.4 / 12.2.4 Output data validation
8.3 / 12.3     Cryptographic controls
8.3.1 / 12.3.1
    Whether the organization has a policy on the use of ...
    Whether the cryptographic policy considers the management approach towards the use of cryptographic controls, risk assessment results to identify the required level of protection, key management methods and various standards for effective implementation.
8.3.2 / 12.3.2 Key management
8.4 / 12.4
8.4.1 / 12.4.1
8.4.2 / 12.4.2 Protection of system test data
    Whether system test data is protected and controlled.
    Whether the use of personal information or any sensitive information for testing an operational database is avoided.
8.4.3 / 12.4.3 Access control to program source code
    Whether strict controls are in place to restrict access to program source libraries.
    (This is to avoid the potential for unauthorized or unintentional changes.)
8.5.2 / 12.5.2 Technical review of applications after operating system changes
8.5.3 / 12.5.3 Restriction on changes to software packages
    Whether modifications to software packages are discouraged and/or limited to necessary changes.
    Whether all changes are strictly controlled.
8.5.4 / 12.5.4 Information leakage
8.5.5 / 12.5.5 Outsourced software development
8.6 / 12.6
8.6.1 / 12.6.1
    ... taken to mitigate the associated risk.
13.1
9.1.1 / 13.1.1
9.1.2 / 13.1.2 Reporting security weaknesses
9.2 / 13.2
9.2.1 / 13.2.1
    Whether the objective of information security incident management is agreed with management.
9.2.2 / 13.2.2 Learning from information security incidents
9.2.3 / 13.2.3 Collection of evidence
14.1
10.1.1 / 14.1.1 ... information security in the business continuity management process
    ... developing and maintaining business continuity throughout the organization.
    Whether this process understands the risks the organization is facing, identifies business-critical assets, identifies incident impacts, considers the implementation of additional preventative controls and documents the business continuity plans addressing the security requirements.
10.1.2 / 14.1.2 Business continuity and risk assessment
    Whether events that cause interruption to business processes are identified, along with the probability and impact of such interruptions and their consequences for information security.
10.1.3 / 14.1.3 ... plans including information security
    Whether the plan considers identification and agreement of responsibilities, identification of acceptable loss, implementation of recovery and ...
10.1.4 / 14.1.4 Business continuity planning framework
    ... all plans are consistent and identify priorities for testing and maintenance.
    Whether the business continuity plan addresses the identified information security requirements.
10.1.5 / 14.1.5 Testing, maintaining and re-assessing business continuity plans
    Whether business continuity plans are tested regularly to ensure that they are up to date and effective.
    Whether business continuity plan tests ensure that all members of the recovery team and other relevant staff are aware of the plans and their responsibility for business continuity and information security, and know their role when the plan is invoked.
Compliance
11.1 / 15.1
11.1.1 / 15.1.1
11.1.2 / 15.1.2
    Whether there are procedures to ensure compliance ...
11.1.3 / 15.1.3 Protection of organizational records
11.1.4 / 15.1.4 Data protection and privacy of personal information
11.1.5 / 15.1.5 Prevention of misuse of information processing facilities
11.1.6 / 15.1.6 Regulation of cryptographic controls
11.2 / 15.2
11.2.1 / 15.2.1 ... standards
    Do managers regularly review the compliance of the information processing facilities within their area of responsibility with the appropriate security policy and procedures?
11.2.2 / 15.2.2 Technical compliance checking
    Whether information systems are regularly checked for compliance with security implementation standards.
    Whether the technical compliance check is carried out by, or under the supervision of, competent, authorized personnel.
11.3 / 15.3
11.3.1 / 15.3.1
11.3.2 / 15.3.2 Protection of information system audit tools