ITGRC Compliance Audit Checklists - alishahbaz/ITGRC GitHub Wiki

📌 ITGRC Compliance Audit Checklists

1️⃣ SOX Compliance Audit Checklist (Section 302 & 404)

✅ Access Control & Identity Management

  • ✔ Are user roles and permissions documented and reviewed quarterly?
  • ✔ Is Multi-Factor Authentication (MFA) enforced for financial systems?
  • ✔ Are terminated users deactivated within 24 hours?

✅ Change Management

  • ✔ Are all IT changes tracked in an IT Service Management (ITSM) tool?
  • ✔ Does the Change Advisory Board (CAB) approve all significant changes?
  • ✔ Are changes tested before deployment?

✅ Logging & Monitoring

  • ✔ Are financial system logs retained for 7 years?
  • ✔ Are logs reviewed for unauthorized access attempts?

✅ Data Protection & Backup

  • ✔ Are financial records encrypted (AES-256)?
  • ✔ Is there an offsite backup with a tested recovery plan?

✅ Incident Response & Business Continuity

  • ✔ Does the company have a documented Incident Response Plan (IRP)?
  • ✔ Is the Disaster Recovery Plan (DRP) tested annually?

2️⃣ PCI DSS Compliance Audit Checklist (v4.0)

✅ Access Control & User Management (Req. 7 & 8)

  • ✔ Is access restricted based on business need-to-know?
  • ✔ Are all system users assigned unique IDs?
  • ✔ Is MFA enforced for remote and administrative access?

✅ Network Security & Encryption (Req. 1 & 4)

  • ✔ Are firewalls and network segmentation implemented?
  • ✔ Is cardholder data encrypted using AES-256?
  • ✔ Is TLS 1.2 or higher used for data in transit?

✅ Logging & Monitoring (Req. 10)

  • ✔ Is a SIEM solution in place to detect suspicious activity?
  • ✔ Are logs stored for at least 1 year and reviewed daily?

✅ Vulnerability & Patch Management (Req. 6 & 11)

  • ✔ Are security patches applied within 30 days of release?
  • ✔ Are quarterly vulnerability scans performed?

✅ Incident Response (Req. 12.10)

  • ✔ Is there a formal PCI DSS Incident Response Plan (IRP)?
  • ✔ Are employees trained to handle security breaches?

3️⃣ ISO 27001 Compliance Audit Checklist

✅ Access Control (A.9)

  • ✔ Is access restricted based on job function?
  • ✔ Are periodic access reviews performed?

✅ Asset & Risk Management (A.8 & A.15)

  • ✔ Is there an asset inventory of all IT systems?
  • ✔ Are third-party vendors assessed for security compliance?

✅ Security Logging & Incident Response (A.12 & A.16)

  • ✔ Are logs generated, retained, and reviewed?
  • ✔ Is an Incident Response Plan (IRP) tested annually?

✅ Business Continuity & Disaster Recovery (A.17)

  • ✔ Is there a tested Disaster Recovery Plan (DRP)?
  • ✔ Is data backed up and tested for recoverability?

✅ Cryptography & Encryption (A.10)

  • ✔ Are encryption keys stored securely (HSM)?
  • ✔ Are sensitive files encrypted at rest and in transit?

4️⃣ NIST Cybersecurity Framework (CSF) Audit Checklist

✅ Identify (ID) – Asset & Risk Management

  • ✔ Is there an updated asset inventory?
  • ✔ Has a risk assessment been conducted?

✅ Protect (PR) – Access Control & Data Security

  • ✔ Is Role-Based Access Control (RBAC) enforced?
  • ✔ Are security awareness training sessions conducted?

✅ Detect (DE) – Threat Detection & SIEM Logging

  • ✔ Are logs collected and reviewed in real time?
  • ✔ Is anomaly detection enabled in the SIEM?

✅ Respond (RS) – Incident Management

  • ✔ Is there a defined incident escalation matrix?
  • ✔ Are tabletop exercises performed to simulate cyberattacks?

✅ Recover (RC) – Business Continuity & DR

  • ✔ Is a Business Continuity Plan (BCP) in place?
  • ✔ Are backups tested for disaster recovery?

5️⃣ GDPR Compliance Audit Checklist

✅ Data Subject Rights (Articles 15-22)

  • ✔ Can users access, delete, or modify their personal data?
  • ✔ Are Data Subject Access Requests (DSARs) completed within 30 days?

✅ Data Security & Encryption (Article 32)

  • ✔ Is personal data encrypted at rest and in transit?
  • ✔ Are access controls implemented to prevent unauthorized access?

✅ Data Retention & Deletion (Articles 5 & 17)

  • ✔ Is personal data deleted after the retention period?
  • ✔ Are backup copies securely erased when no longer needed?

✅ Breach Notification (Articles 33 & 34)

  • ✔ Is there a 72-hour breach reporting mechanism?
  • ✔ Are employees trained on how to handle data breaches?

✅ Third-Party & Vendor Compliance (Article 28)

  • ✔ Do vendors sign Data Processing Agreements (DPAs)?
  • ✔ Are third-party audits performed annually?

📌 Summary Table – Compliance Audit Checklist Overview

| Compliance | 🔑 Key Controls | 📆 Frequency | 🔍 Key Tools |
|---|---|---|---|
| SOX | Access Control, Change Mgmt, Logging | Quarterly | Azure AD, ServiceNow, Splunk |
| PCI DSS | Network Security, Encryption, Vulnerability Scans | Ongoing | Qualys, Nessus, AWS KMS |
| ISO 27001 | Risk Mgmt, Data Protection, BCP | Annually | Veeam, CyberArk, SIEM |
| NIST CSF | Threat Detection, SIEM, Incident Response | Continuous | IBM QRadar, AWS GuardDuty |
| GDPR | Data Rights, Encryption, Breach Notification | Ongoing | Microsoft Purview, OneTrust |