Sample of possible population lists from an auditor
List of all in-scope application code changes related to in-house development applications that have occurred during the review period
List of all network related changes to firewall and/or router rule set configurations that have occurred within the in-scope environment during the review period
List of all incidents reported during the review period
List of all company owned laptops and/or BYOD devices utilized within or that can connect to the in-scope environments.
List of all new hires during the review period
Inventory list of all servers and workstations utilized within the in-scope environments with details of their primary function/role (e.g. file server, domain controller, web server, application server, database server, desktop, etc.).
List of all system changes made during the review period, to include:- all in-scope application changes- all in-scope database changes- all in-scope operating system changes
List of all terminated employees during the review period
List of all vendors and contractors used for in-scope services during the review period
List of all transferred or reassigned employees employees during the review period
List of vulnerabilities, deviations, and control gaps that required remediation identified during the review period
List of Executive Management (e.g. President, CIO, CTO, CEO, CFO, etc) Members
List of all the installed patches applied to information systems in the past 12 months
List of all current employees during the review period
List of all customers during the review period
List of all data disposals (e.g. system disposals, hardware purging, document destruction, etc.) during the review period