Security audit checklist
Work through access, application, and infrastructure checks to audit your current security posture. Each task has an optional note field for a finding, an owner, or a link — check items off as you complete them, then export the whole checklist (with your notes) to a branded PDF or a CSV for your records.
Frequently asked questions
How strict should our password policy actually be?
Modern guidance (e.g. NIST SP 800-63B) favours length over composition rules: a long passphrase is both easier to remember and carries far more entropy than a short password padded with mandatory special characters. The same guidance recommends screening new passwords against lists of known-breached values rather than forcing complexity or periodic rotation. Rather than guessing at a policy, run your minimum length and character requirements through the Password policy calculator and check individual password strength with the Password entropy calculator to see how your current policy holds up against realistic cracking speeds.
What should rate limiting actually be set to on login and password-reset endpoints?
Too loose and brute-force attacks stay viable; too strict and you lock out legitimate users who mistype a password. The right threshold depends on the endpoint, on your attacker cost assumptions, and on what the limit is keyed to: a per-account limit stops hammering a single account but does nothing against password spraying across many accounts, while a per-IP limit is only as strong as the attacker's address pool is small. Use the Brute-force rate limit calculator to model how long a credential-stuffing attempt would take against different rate limit settings before picking one.
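The two answers above both reduce to the same arithmetic: how many guesses an attacker gets, and how fast. The model below is an added example written for this page, not the code behind the calculators it mentions. It estimates an entropy ceiling for a policy or a passphrase, converts that into offline cracking time at a given guess rate, and models an online credential-stuffing run against per-account and per-IP rate limits. The character-class sizes, the 7776-word dictionary, the 10^10 guesses/second offline rate and the limits used in the sample run are all assumed figures chosen for illustration.

```python
import math

# Character-class sizes used for policy and per-password estimates.
# Assumption (not from the page): printable ASCII, with 33 punctuation symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def policy_entropy_bits(min_length, required_classes):
    """Entropy ceiling (bits) for a policy: log2(alphabet ** min_length), where the
    alphabet is the union of the required classes. Real users do not pick uniformly,
    so this is an upper bound on the weakest password the policy accepts."""
    alphabet = sum(CLASS_SIZES[c] for c in required_classes)
    return min_length * math.log2(alphabet)


def password_entropy_bits(password):
    """Naive per-password estimate: infer the classes present and treat every
    character as uniform over that alphabet. This overestimates dictionary-based
    passwords; use passphrase_entropy_bits for word-based passphrases."""
    if not password:
        return 0.0
    present = set()
    for ch in password:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("symbol")
    alphabet = sum(CLASS_SIZES[c] for c in present)
    return len(password) * math.log2(alphabet)


def passphrase_entropy_bits(words, dictionary_size):
    """Entropy of `words` words drawn uniformly from a dictionary
    (Diceware-style: 7776 words is about 12.9 bits per word)."""
    return words * math.log2(dictionary_size)


def offline_crack_seconds(bits, guesses_per_second):
    """Expected time to recover a password of `bits` entropy when the attacker
    holds the hash: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2 / guesses_per_second


def online_attack_seconds(accounts, passwords_per_account, window_seconds,
                          per_account_limit=None, per_ip_limit=None,
                          attacker_ips=1, unlimited_rps=100):
    """Wall-clock time for a credential-stuffing / spraying run against a login
    endpoint. Assumptions: the attacker retries every window, spreads guesses
    evenly across `attacker_ips` addresses, and never triggers a hard lockout.
    Limits are 'attempts per window'; the tighter one decides the duration."""
    total_guesses = accounts * passwords_per_account
    windows = 0
    if per_account_limit is not None:
        # Accounts are attacked in parallel, so this only bounds guesses per account.
        windows = max(windows, math.ceil(passwords_per_account / per_account_limit))
    if per_ip_limit is not None:
        # Bounds total throughput, but scales linearly with the attacker's IP pool.
        windows = max(windows, math.ceil(total_guesses / (per_ip_limit * attacker_ips)))
    if windows == 0:
        # No limit configured: bounded only by assumed server capacity.
        return total_guesses / unlimited_rps
    return windows * window_seconds


if __name__ == "__main__":
    complex8 = policy_entropy_bits(8, ["lower", "upper", "digit", "symbol"])
    words5 = passphrase_entropy_bits(5, 7776)
    gps = 1e10  # assumed offline hash rate (e.g. a fast unsalted hash on GPUs)
    print(f"8 chars, 4 classes: {complex8:.1f} bits, "
          f"{offline_crack_seconds(complex8, gps) / 86400:.1f} days offline")
    print(f"5 Diceware words:   {words5:.1f} bits, "
          f"{offline_crack_seconds(words5, gps) / 86400 / 365:.0f} years offline")
    spray = dict(accounts=10_000, passwords_per_account=20, window_seconds=900)
    print("per-account 5/15min only:       ",
          online_attack_seconds(**spray, per_account_limit=5) / 3600, "h")
    print("plus per-IP 100/15min, 1 IP:    ",
          online_attack_seconds(**spray, per_account_limit=5, per_ip_limit=100) / 86400, "d")
    print("plus per-IP 100/15min, 1000 IPs:",
          online_attack_seconds(**spray, per_account_limit=5, per_ip_limit=100,
                                attacker_ips=1000) / 3600, "h")
```

Two things the numbers make concrete. Five random dictionary words (about 64.6 bits) beat an eight-character password drawn from all four classes (about 52.6 bits) even though the latter satisfies a typical composition rule, and the naive per-character estimate will happily report 117 bits for "correcthorsebatterystaple" because it cannot see that the password is four common words. On the online side, a per-account limit of 5 attempts per 15 minutes lets an attacker finish a 20-password spray across 10,000 accounts in an hour; adding a per-IP limit of 100 per window stretches that to roughly three weeks from a single address, but a pool of 1,000 addresses collapses it straight back to an hour, which is why the limit needs to be keyed to more than the source IP.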
Why does an employee offboarding process belong in a security audit rather than an HR checklist?
Access left active after someone leaves is one of the most common causes of a breach that has nothing to do with your infrastructure being technically insecure — a departed employee, contractor, or agency partner with still-valid credentials is a standing risk regardless of how strong your passwords or WAF rules are. An audit that only checks technical controls and skips access lifecycle management is checking the lock on the front door while leaving a spare key under the mat.
Related checklists
- Security: GDPR compliance checklist → A GDPR compliance checklist covering privacy notices, consent, vendor agreements, and data subject rights. Check items off, add notes, then export your progress to PDF or CSV.
- Security: Data breach response checklist → A step-by-step checklist for responding to a data breach, covering containment, regulatory notification deadlines, and post-incident remediation. Check items off, add notes, then export your progress to PDF or CSV.
- SaaS: Monthly SaaS health review checklist → A monthly review checklist covering MRR movement, cohort churn, customer sentiment, and unit economics for a SaaS business. Check items off, add notes, then export your progress to PDF or CSV.
- SaaS: SaaS pricing change checklist → A checklist for rolling out a SaaS pricing change safely, covering existing customers, billing systems, public-facing pages, and a rollback plan. Check items off, add notes, then export your progress to PDF or CSV.