Audit Checklist

This checklist helps auditors and compliance officers verify IDPFlare's alignment with ISO 27001 and SOC 2 requirements. Use this during internal audits, pre-assessments, and formal examinations.

Instructions

  1. Review each control
  2. Identify evidence sources
  3. Mark status (☐ Compliant | ✗ Gap | ⚠ Partial | N/A Not Applicable)
  4. Document gaps for remediation
  5. Track evidence for auditor requests

Status Legend:
  • Pending - Not yet assessed
  • Compliant - Evidence available
  • Gap - Control not implemented
  • Partial - Control partially implemented
  • N/A Not Applicable - Control doesn't apply

Section 1: Access Control (SOC 2 CC3.1.2, ISO 8.2)

ID | Control | Status | Evidence Location
AC-001 | Unique user identification for each user | | D1 users table, audit logs
AC-002 | Password policy enforced (min 12 chars) | | wrangler.toml: PASSWORD_MIN_LENGTH
AC-003 | Multi-factor authentication required/available | | wrangler.toml: MFA_MODE
AC-004 | MFA using TOTP (RFC 6238) | | Source code: src/services/mfa.service.ts
AC-005 | Session timeout configured | | wrangler.toml: SESSION_DURATION_SECONDS
AC-006 | Token lifetime limits | | wrangler.toml: *_DURATION_SECONDS
AC-007 | Failed login attempt tracking | | audit_log table: login_failure events
AC-008 | Account lockout after N failed attempts | | wrangler.toml: RATE_LIMIT_LOGIN_ATTEMPTS
AC-009 | Role-based access control (RBAC) | | API key scopes, user roles
AC-010 | Authorization checks on API endpoints | | Source code: middleware/admin-auth.ts
AC-011 | Session revocation capability | | User sessions, token revocation
AC-012 | API key authentication with scopes | | api_keys table, scope validation
AC-013 | Privileged access requires additional auth | | Admin role, admin JWT required
AC-014 | Access rights reviewed quarterly | ⚠ | Access review documentation
AC-015 | Offboarding process for access removal | ⚠ | Offboarding documentation

Section 2: Authentication (SOC 2 CC3.1.2)

ID | Control | Status | Evidence Location
AUTH-001 | Password hashing using secure algorithm | | crypto.ts: SHA-256 hashing
AUTH-002 | Passwords not stored in plaintext | | Database schema: password_hash field
AUTH-003 | JWT signing using RS256 | | jwt.ts, JWT_PRIVATE_KEY secret
AUTH-004 | Authorization codes are short-lived | | AUTH_CODE_DURATION_SECONDS
AUTH-005 | Authorization codes are single-use | | authorization_codes: used_at field
AUTH-006 | Refresh tokens can be revoked | | refresh_tokens: is_revoked field
AUTH-007 | PKCE support for public clients | | OAuth flow code_challenge
AUTH-008 | CSRF protection on state-changing operations | | middleware/csrf.ts
AUTH-009 | Secure cookie attributes (HttpOnly, Secure) | | security.ts: buildSessionCookie()
AUTH-010 | Timing-safe password comparison | | security.ts: timingSafeEqual()

Section 3: Encryption (SOC 2 CC3.1.3, ISO 8.5.1)

ID | Control | Status | Evidence Location
ENC-001 | Data in transit encrypted (TLS 1.2+) | | HTTPS required by Cloudflare
ENC-002 | D1/KV data at rest encrypted | | Cloudflare docs
ENC-003 | MFA secrets encrypted at rest | | ENCRYPTION_KEY, AES-GCM
ENC-004 | Backup codes encrypted | | Source code: mfa.service.ts
ENC-005 | JWT signed with private key | | JWT_PRIVATE_KEY secret
ENC-006 | RSA key pair for JWT signing | | scripts/generate-keys.js
ENC-007 | Cryptographic randomness for tokens | | crypto.getRandomValues() usage
ENC-008 | No weak algorithms used (MD5, SHA1) | | Code review for crypto usage
ENC-009 | Key management procedures | ⚠ | Key rotation documentation

Section 4: Logging and Monitoring (SOC 2 CC3.1.6, ISO 8.3.8)

ID | Control | Status | Evidence Location
LOG-001 | Audit log table exists | | schema: audit_log table
LOG-002 | Authentication events logged | | login_success, login_failure
LOG-003 | Authorization events logged | | oauth_authorize, token_issued
LOG-004 | Admin actions logged | | admin_* event types
LOG-005 | Security events logged | | rate_limit_exceeded, account_locked
LOG-006 | IP address captured | | audit_log: ip_address field
LOG-007 | User agent captured | | audit_log: user_agent field
LOG-008 | Timestamp on all events | | audit_log: created_at field
LOG-009 | Logs retained for minimum 90 days | ⚠ | Retention configuration
LOG-010 | Log export to SIEM | ⚠ | Export automation
LOG-011 | Monitoring/alerting configured | ⚠ | Alert configuration

Section 5: Input Validation and Security (SOC 2 CC3.1.6)

ID | Control | Status | Evidence Location
IN-001 | Email validation | | security.ts: isValidEmail()
IN-002 | Input length limits enforced | | security.ts: INPUT_LIMITS
IN-003 | XSS prevention (HTML escaping) | | security.ts: escapeHtml()
IN-004 | SQL injection prevention | | Parameterized queries
IN-005 | Open redirect prevention | | security.ts: isValidReturnUrl()
IN-006 | SSRF prevention on hook URLs | | security.ts: isSafeExternalUrl()
IN-007 | CSRF token generation/validation | | middleware/csrf.ts
IN-008 | Rate limiting on login | | wrangler.toml: RATE_LIMIT_*
IN-009 | Rate limiting on API endpoints | | KV-based rate limiting

Section 6: Data Protection (SOC 2 CC3.1.7, ISO 8.3)

ID | Control | Status
DP-001 | User deletion cascades to related data |
DP-002 | Data minimization (only collect necessary data) |
DP-003 | Right to access (user can view data) |
DP-004 | Right to rectification |
DP-005 | Right to erasure |

Section 7: Change Management (SOC 2 CC3.1.5)

ID | Control | Status
CM-001 | Changes require approval | ⚠
CM-002 | Changes tracked | ⚠
CM-003 | Changes tested before production | ⚠

Section 8: Backup and Recovery (SOC 2 CC3.1.6c, ISO 8.3.6)

ID | Control | Status
BR-001 | Automated D1 database backups | ⚠
BR-002 | Backup schedule defined | ⚠
BR-003 | Backups retained (minimum 30 days) | ⚠
BR-004 | Off-site backup storage | ⚠
BR-005 | Restoration procedures documented | ⚠
BR-006 | Restoration tested quarterly | ⚠

Section 9: Incident Response (SOC 2 CC3.1.14)

ID | Control | Status
IR-001 | Incident response plan exists | ⚠
IR-002 | Incident severity levels defined | ⚠
IR-003 | Incident detection methods | ⚠
IR-004 | Incident reporting procedures | ⚠
IR-005 | Incident response procedures | ⚠
IR-006 | Post-incident reviews conducted | ⚠

Section 10: Vendor Management (SOC 2 CC3.1.9)

ID | Control | Status
VM-001 | Cloudflare risk assessment | ⚠
VM-002 | IDPFlare vendor review | ⚠
VM-003 | Cloudflare status monitoring | ⚠

Section 11: Vulnerability Management (SOC 2 CC3.1.6)

ID | Control | Status
VMG-001 | Dependency scanning configured | ⚠
VMG-002 | Vulnerability alerts monitored | ⚠
VMG-003 | Critical patches applied within SLA | ⚠
VMG-004 | Annual penetration test | ⚠

Section 12: Training and Awareness (ISO 6.5)

ID | Control | Status
TA-001 | Security awareness training exists | ⚠
TA-002 | Training completed by relevant staff | ⚠

Section 13: Policies and Documentation

ID | Control | Status
POL-001 | Information security policy | ⚠
POL-002 | Access control policy | ⚠
POL-003 | Change management policy | ⚠
POL-004 | Incident response policy | ⚠
POL-005 | Data retention policy | ⚠

Section 14: Cloudflare Platform Controls (Inherited)

ID | Control | Status
CF-001 | Physical security of data centers |
CF-002 | Environmental controls |
CF-003 | Network security controls |
CF-004 | DDoS protection |
CF-005 | Web Application Firewall |
CF-006 | Platform monitoring |
CF-007 | Platform availability SLA |
CF-008 | ISO 27001 certification |
CF-009 | SOC 2 Type II report |
CF-010 | Platform encryption at rest |

⚠ = Deployer responsibility

Gap Analysis Summary

Critical Gaps (Must Address)

Control | Gap | Remediation Timeline
LOG-010 | No log export to SIEM | 2 weeks
LOG-011-014 | No monitoring/alerting | 2 weeks
BR-001-007 | No backup implementation | 1 week
IR-001-008 | No incident response | 2 weeks
AC-014-015 | No access review/offboarding | 4 weeks
CM-001-006 | No change management | 2 weeks
VMG-001-005 | No vulnerability management | 4 weeks
POL-001-008 | No security policies | 4 weeks

Audit Evidence Checklist

Before the audit, ensure you can provide:

Technical Evidence

  • ✔ wrangler.toml configuration
  • ✔ Database schema (migrations/0001_init.sql)
  • ✔ Source code excerpts (crypto.ts, security.ts, audit.service.ts)
  • ✔ Audit log samples
  • ✔ Backup scripts and schedules
  • ✔ Monitoring configuration
  • ✔ Alert rules

Documentation Evidence

  • ✔ Security policies (all 8 policies)
  • ✔ Procedures (onboarding, offboarding, backup, etc.)
  • ✔ Change tickets (sample)
  • ✔ Access reviews (quarterly)
  • ✔ Incident reports (if any)
  • ✔ Training records
  • ✔ Vendor assessments
  • ✔ Risk assessment

Cloudflare Evidence

  • ✔ Current ISO 27001 certificate
  • ✔ Current SOC 2 Type II report
  • ✔ D1/KV security documentation
  • ✔ Platform compliance documentation

Quick SQL Queries for Audit Evidence

-- Show failed login attempts in last 7 days
SELECT * FROM audit_log
WHERE event_type = 'login_failure'
  AND created_at > ((strftime('%s', 'now') - 604800) * 1000)
ORDER BY created_at DESC;

-- Show admin actions
SELECT * FROM audit_log
WHERE event_type LIKE 'admin_%'
ORDER BY created_at DESC
LIMIT 100;

-- Show all unique event types
SELECT event_type, COUNT(*) AS count
FROM audit_log
GROUP BY event_type
ORDER BY count DESC;

-- Show user access (last login)
SELECT id, email, last_login_at, created_at
FROM users
WHERE is_active = 1
ORDER BY last_login_at DESC;

-- Show API keys and scopes
SELECT id, name, scopes, created_at
FROM api_keys
WHERE is_active = 1;
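The queries above are one-off; as an added example (not IDPFlare's own code), the following Python script builds a constructed SQLite fixture shaped like the D1 tables this checklist names and turns three evidence requests into repeatable functions: AC-007 failure counts, an AC-008 check for users past the lockout threshold with no account_locked event, and the LOG-009 retention reach. It assumes D1's SQLite dialect, a user_id column on audit_log, millisecond created_at values (as the first query above implies), and a threshold of 5 standing in for RATE_LIMIT_LOGIN_ATTEMPTS.

```python
import sqlite3

DAY_MS = 24 * 3600 * 1000
LOCKOUT_THRESHOLD = 5  # assumed value standing in for RATE_LIMIT_LOGIN_ATTEMPTS

# D1 schema stand-in; user_id on audit_log and ms epoch timestamps are assumptions, not from migrations/0001_init.sql.
SCHEMA = """
CREATE TABLE users (id TEXT PRIMARY KEY, email TEXT, is_active INTEGER);
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, event_type TEXT, user_id TEXT,
                        ip_address TEXT, user_agent TEXT, created_at INTEGER);
"""

def build_fixture(now_ms):
    """Constructed sample: u1 hit the threshold and was locked, u2 exceeded it
    with no account_locked event (an AC-008 gap), u3 failed once 100 days ago."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, 1)", [
        ("u1", "alice@example.com"), ("u2", "bob@example.com"), ("u3", "carol@example.com")])
    rows = [("login_failure", "u1", "203.0.113.5", "ua", now_ms - i * 60_000) for i in range(5)]
    rows.append(("account_locked", "u1", "203.0.113.5", "ua", now_ms - 1_000))
    rows += [("login_failure", "u2", "203.0.113.9", "ua", now_ms - i * 60_000) for i in range(6)]
    rows.append(("login_failure", "u3", "198.51.100.2", "ua", now_ms - 100 * DAY_MS))
    conn.executemany("INSERT INTO audit_log (event_type, user_id, ip_address, user_agent, "
                     "created_at) VALUES (?, ?, ?, ?, ?)", rows)
    return conn

def failed_logins_last_7_days(conn, now_ms):
    """AC-007 evidence: login_failure count per user inside the 7-day window."""
    return conn.execute("""SELECT user_id, COUNT(*) FROM audit_log
        WHERE event_type = 'login_failure' AND created_at > ?
        GROUP BY user_id ORDER BY user_id""", (now_ms - 7 * DAY_MS,)).fetchall()

def lockout_gaps(conn, now_ms, threshold=LOCKOUT_THRESHOLD):
    """AC-008 check: users at or over the threshold in the window with no
    account_locked event recorded after their first failure."""
    return conn.execute("""
        WITH fails AS (SELECT user_id, COUNT(*) AS failures, MIN(created_at) AS first_fail
                       FROM audit_log WHERE event_type = 'login_failure' AND created_at > ?
                       GROUP BY user_id)
        SELECT f.user_id, f.failures FROM fails f
        WHERE f.failures >= ? AND NOT EXISTS (
            SELECT 1 FROM audit_log l WHERE l.user_id = f.user_id
              AND l.event_type = 'account_locked' AND l.created_at >= f.first_fail)
        ORDER BY f.user_id""", (now_ms - 7 * DAY_MS, threshold)).fetchall()

def oldest_event_age_days(conn, now_ms):
    """LOG-009 evidence: how far back the retained audit log currently reaches."""
    (oldest,) = conn.execute("SELECT MIN(created_at) FROM audit_log").fetchone()
    return (now_ms - oldest) // DAY_MS
```

Against a real D1 export, replace build_fixture with a connection to the dumped database and pass the current epoch in milliseconds as now_ms.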