What is an application and how do I know which applications are included in the scope of my audit?
In simple terms, an application is a software program designed to carry out a task. While nearly all organizations use applications in some way, not every organization will have an application in scope for its audit. If your company does not develop any applications in-house (e.g., if your company provides managed or consulting services), talk to your Customer Success Manager (CSM) about which applications will be in scope. These will usually be the business applications that are critical to delivering your service, and may include applications that hold customer data (such as Google Drive, Box, or other file-sharing tools that may contain sensitive information). Not every business tool needs to be in scope (e.g., there is usually no need to include evidence for Jira, Slack, etc.), so work with your CSM to set the boundary.
If your company does develop a software tool in-house, the evidence will relate to front-end access to that application: the accounts that can log in through the application's own user interface and the roles they hold there. If your tool has no separate front-end access of its own, for example because every administrator and user is already captured by your network/cloud and operating system evidence items, then the application-related items may not be applicable.
As always, if you’re unsure of the audit scope that best fits your organization, feel free to contact your CSM with any questions.
What should my application evidence items look like?
Within your evidence repository, there are a few evidence items related to applications. Below are some examples of what your auditor may be looking for:
Administrator Access to Application
What your auditor is looking for: a system-generated list (or series of screenshots) of administrative users with access to the application in scope. "System-generated" means exported or captured from the application itself, not a manually typed list. The screenshot or list must include a date/time stamp or other indication of when it was taken.
Application User List
What your auditor is looking for: a system-generated list (or series of screenshots) of all internal users with access to in-scope applications.
Pro Tip: you can reuse the same screenshot from the Administrator Access to Application item here if it includes permission or role information that clearly distinguishes standard users from privileged users.
Password Settings - Application
What your auditor is looking for: a screenshot of the application-layer password settings (for example, minimum length, complexity, expiration, and lockout settings, where the application exposes them). The screenshot must include a date/time stamp or other indication of when it was taken. The configured values should match the password requirements stated in your relevant security policies; a mismatch between policy and configuration is a common audit finding.
For more information on application related evidence items, check out our "Where to Find Evidence" collection or contact your CSM directly.
