A practical, high‑assurance checklist for securing identities, accounts, and access across an organisation.
[ ] IAM policy exists, approved by leadership, and reviewed annually
[ ] Roles and responsibilities for IAM are clearly defined
[ ] Access is granted based on least privilege
[ ] Separation of duties (SoD) is enforced for sensitive functions
[ ] A formal Joiner–Mover–Leaver (JML) process is in place
[ ] Privileged Access Management (PAM) policy is documented
[ ] Multi‑factor authentication (MFA) is mandatory for all users
[ ] Password policy follows current guidance (NIST SP 800-63B): length over composition rules, screening against breached-password lists, no forced periodic rotation
[ ] All accounts are uniquely assigned (no shared accounts)
[ ] Default accounts are disabled or secured
[ ] Temporary accounts have automatic expiry
[ ] Guest/external accounts are reviewed regularly
[ ] Service accounts are documented with a named owner, blocked from interactive logon, and monitored
[ ] Admin accounts are separate from standard user accounts
[ ] Strong password hygiene enforced (minimum 12–14 characters, screened against breached-password lists)
[ ] MFA enabled for:
    - Admins
    - Remote access
    - Cloud services
    - VPN
[ ] Passwordless or phishing‑resistant authentication considered (FIDO2, passkeys)
[ ] Legacy authentication disabled (basic authentication for IMAP/POP3/SMTP, NTLM, etc.), since these clients cannot complete MFA and bypass Conditional Access
[ ] Single Sign‑On (SSO) implemented where possible
[ ] Account lockout thresholds configured (smart or sliding-window lockout with automatic unlock, so an attacker cannot lock users out at will)
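The password and lockout items above describe what to enforce but not how. The following is an added example (not part of this checklist) of a password acceptance check in the spirit of NIST SP 800-63B (length over composition rules, Unicode normalisation before measuring, screening against breached and context words) together with a sliding-window lockout that unlocks automatically. The breached-password set, the account names and the timestamps are constructed; in production the breach check would query a breach corpus rather than a hard-coded set.

```python
import unicodedata
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a breached-password corpus (use a k-anonymity
# range query against a breach service or a local dump in practice).
BREACHED = {"password", "123456", "qwerty123", "letmein", "passwordpassword", "qwertyuiop123"}
MIN_LEN, MAX_LEN = 12, 128

# Reference times used by the demo below (constructed).
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
MINUTE = timedelta(minutes=1)


def check_password(pw, username="", organisation=""):
    """Return [] if the password is acceptable, otherwise a list of reasons.
    No composition rules: a long all-lowercase passphrase is fine."""
    reasons = []
    norm = unicodedata.normalize("NFKC", pw)  # normalise before measuring or comparing
    if len(norm) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(norm) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    low = norm.lower()
    if low in BREACHED:
        reasons.append("appears in breached-password list")
    for ctx in (username, organisation):
        if ctx and ctx.lower() in low:
            reasons.append(f"contains context word {ctx!r}")
    if len(set(low)) <= 2:
        reasons.append("repetitive (too few distinct characters)")
    return reasons


class SlidingWindowLockout:
    """Lock an account after `threshold` failures inside `window`; the lock
    expires after `lock_for`, so a deliberate lockout attack only causes a
    short outage rather than a help-desk ticket per user."""

    def __init__(self, threshold=10, window=timedelta(minutes=15), lock_for=timedelta(minutes=15)):
        self.threshold, self.window, self.lock_for = threshold, window, lock_for
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[user] = now + self.lock_for
            q.clear()
        return self.is_locked(user, now)

    def record_success(self, user):
        self.failures.pop(user, None)


if __name__ == "__main__":
    print(check_password("correct horse battery staple"))               # []
    print(check_password("alice-holiday-2024", username="alice"))      # context word
    lk = SlidingWindowLockout(threshold=5, window=10 * MINUTE, lock_for=15 * MINUTE)
    for i in range(5):
        print(i, lk.record_failure("bob", T0 + i * MINUTE))            # locked on the 5th
```

The lockout class keys on the account only; a production version would also rate-limit per source IP so that one attacker spraying many accounts is throttled before any single account reaches its threshold.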
[ ] Role‑based access control (RBAC) implemented
[ ] Access rights reviewed at least quarterly
[ ] High‑risk roles require approval from two people
[ ] Privileged access is time‑bound (Just‑In‑Time access)
[ ] Sensitive systems require additional authentication
[ ] Access to production systems restricted and monitored
[ ] API keys and tokens stored securely (secrets vault or short-lived workload identities, never in source code or CI configuration)
[ ] Privileged accounts stored in a secure vault
[ ] Session recording enabled for admin activities
[ ] Privileged sessions monitored in real time
[ ] Admin credentials rotated regularly
[ ] Break‑glass accounts exist, are stored offline, alert on every use, and are tested regularly
[ ] No standing admin privileges (use elevation workflows)
[ ] All authentication events logged (success + failure)
[ ] Alerts for:
    - Impossible travel
    - MFA failures
    - Privilege escalation
    - Multiple failed logins
    - New admin accounts
[ ] Logs sent to SIEM/SOC for analysis
[ ] Service account activity monitored
[ ] Dormant accounts flagged and removed
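The alert list above names the detections; the following added example (not from this checklist or any vendor) shows the logic for four of them run over constructed sign-in events: impossible travel from implied speed between successful sign-ins, a sliding-window count of failed logins, repeated MFA denials, and assignment of a privileged role. The event schema (`ts`, `user`, `type`, `result`, `lat`, `lon`, `mfa`, `role`, `actor`) and the `PRIVILEGED_ROLES` set are assumptions for the example; map them to your own SIEM's fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Roles whose assignment should page the SOC (hypothetical list; adjust per tenant).
PRIVILEGED_ROLES = {"Global Administrator", "Owner", "Privileged Role Administrator"}


def _ev(ts, user, type_="signin", result="success", lat=51.5, lon=-0.12,
        mfa="satisfied", **extra):
    """Build one constructed event in the hypothetical schema used here."""
    return {"ts": ts, "user": user, "type": type_, "result": result,
            "lat": lat, "lon": lon, "mfa": mfa, **extra}


# Constructed sample events; not real logs and not a vendor export format.
EVENTS = (
    [_ev("2024-05-01T08:00:00Z", "alice"),                              # London
     _ev("2024-05-01T08:45:00Z", "alice", lat=40.71, lon=-74.01),      # New York, 45 min later
     _ev("2024-05-01T09:00:00Z", "erin"),                               # London
     _ev("2024-05-01T17:00:00Z", "erin", lat=48.86, lon=2.35)]         # Paris, 8 h later: plausible
    + [_ev(f"2024-05-01T10:{m:02d}:00Z", "bob", result="failure", mfa="not_attempted")
       for m in range(6)]                                               # brute force on one account
    + [_ev(f"2024-05-01T11:{m:02d}:00Z", "carol", result="failure", mfa="denied")
       for m in (0, 2, 5)]                                              # user denying MFA prompts
    + [_ev("2024-05-01T12:00:00Z", "dave", type_="role_assigned",
           role="Global Administrator", actor="mallory")]               # new admin created
)


def _t(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Consecutive successful sign-ins whose implied speed exceeds an airliner's."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if e["type"] == "signin" and e["result"] == "success":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _t(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_t(cur["ts"]) - _t(prev["ts"])).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append({"rule": "impossible_travel", "user": user,
                               "km": round(km), "hours": round(hours, 2)})
    return alerts


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding window over failures per account; one alert per account per run."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if e["type"] == "signin" and e["result"] == "failure":
            by_user[e["user"]].append(_t(e["ts"]))
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "multiple_failed_logins", "user": user,
                               "count": end - start + 1})
                break
    return alerts


def mfa_failures(events, threshold=3):
    """Repeated MFA denials: push fatigue, or a stolen password without the second factor."""
    denied = defaultdict(int)
    for e in events:
        if e["type"] == "signin" and e["mfa"] == "denied":
            denied[e["user"]] += 1
    return [{"rule": "mfa_failures", "user": u, "count": n}
            for u, n in denied.items() if n >= threshold]


def new_admin_assignments(events):
    """Any grant of a privileged role is alert-worthy, whoever made it."""
    return [{"rule": "new_admin_account", "user": e["user"], "role": e["role"],
             "actor": e.get("actor")}
            for e in events if e["type"] == "role_assigned" and e["role"] in PRIVILEGED_ROLES]


def run_all(events):
    return (impossible_travel(events) + failed_login_bursts(events)
            + mfa_failures(events) + new_admin_assignments(events))


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

The speed threshold of 900 km/h is a deliberately generous airliner figure; VPN egress and mobile carrier geolocation produce false positives, so a production rule should suppress known corporate egress ranges rather than lower the threshold.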
[ ] Cloud IAM roles reviewed regularly
[ ] No use of overly broad roles (e.g., Owner, Global Administrator, or policies with Action/Resource wildcards) outside break‑glass
[ ] Cloud keys rotated and stored securely
[ ] Conditional Access Policies applied (location, device, risk level)
[ ] Identity Protection / Risk‑based authentication enabled
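Three of the cloud items above (roles reviewed regularly, no overly broad roles, keys rotated) can be checked mechanically. The following added example (not part of the checklist, and not a vendor tool) lints an AWS-format IAM policy document for wildcard actions and privilege-escalation actions on `Resource: "*"`, flags broad built-in roles bound at subscription scope, and reports access keys past their rotation age or idle too long. The policy document uses the real AWS policy grammar; the role-assignment and key records use hypothetical field names, and all three inputs are constructed.

```python
import fnmatch
from datetime import datetime, timezone

# Actions that let the holder grant themselves more access (partial, illustrative list).
ESCALATION_ACTIONS = {"iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
                      "iam:AttachRolePolicy", "iam:PutUserPolicy",
                      "iam:UpdateAssumeRolePolicy", "sts:AssumeRole"}
# Built-in roles that amount to full control when bound at a wide scope.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed policy in AWS IAM policy-document format.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyS3", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:Pass*", "Resource": "*"},
        {"Sid": "DenyBucketDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
# Constructed role assignments (hypothetical field names, Azure-like scopes).
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice@example.com", "role": "Owner", "scope": "/subscriptions/sub-1"},
    {"principal": "deploy-sp", "role": "Contributor", "scope": "/subscriptions/sub-1/resourceGroups/rg-app"},
    {"principal": "bob@example.com", "role": "Reader", "scope": "/subscriptions/sub-1"},
]
# Constructed access-key inventory and the "now" used to age it.
AS_OF = datetime(2024, 6, 15, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"id": "key-ci-bot-1", "owner": "ci-bot", "created": "2024-01-15T00:00:00Z", "last_used": "2024-06-01T00:00:00Z"},
    {"id": "key-alice-2", "owner": "alice", "created": "2024-04-01T00:00:00Z", "last_used": None},
    {"id": "key-app-3", "owner": "app", "created": "2024-05-20T00:00:00Z", "last_used": "2024-06-14T00:00:00Z"},
]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _t(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _matches(pattern, action):
    """IAM action wildcards ('*' and '?'), matched case-insensitively."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def lint_policy(policy):
    """Return (Sid, reason) findings for Allow statements that are too broad."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        if "NotAction" in st or "NotResource" in st:
            findings.append((sid, "NotAction/NotResource allow everything except a list"))
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wildcard_actions = [a for a in actions if "*" in a or "?" in a]
        escalating = sorted({e for a in actions for e in ESCALATION_ACTIONS if _matches(a, e)})
        if "*" in resources and wildcard_actions:
            findings.append((sid, f"wildcard action(s) {wildcard_actions} on Resource '*'"))
        if "*" in resources and escalating and "Condition" not in st:
            findings.append((sid, f"privilege-escalation action(s) {escalating} on Resource '*' without a Condition"))
    return findings


def broad_role_assignments(assignments):
    """Broad roles bound above resource-group scope are standing tenant-wide admin."""
    return [a for a in assignments
            if a["role"] in BROAD_ROLES and "/resourceGroups/" not in a["scope"]]


def stale_keys(keys, now, max_age_days=90, max_idle_days=30):
    """Keys past the rotation period, or unused long enough to be removed."""
    findings = []
    for k in keys:
        age = (now - _t(k["created"])).days
        idle = (now - _t(k["last_used"])).days if k["last_used"] else age
        if age > max_age_days:
            findings.append((k["id"], f"{age} days old; rotate"))
        if idle > max_idle_days:
            findings.append((k["id"], f"unused for {idle} days; remove if not needed"))
    return findings


if __name__ == "__main__":
    for f in lint_policy(SAMPLE_POLICY) + stale_keys(SAMPLE_KEYS, AS_OF):
        print(*f)
    for a in broad_role_assignments(SAMPLE_ASSIGNMENTS):
        print(a["principal"], a["role"], a["scope"])
```

The linter is intentionally conservative about `Resource: "*"` on its own: a handful of read-only actions such as `s3:ListAllMyBuckets` only accept that value, so it reports the wildcard resource only when paired with wildcard or escalation-capable actions.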
[ ] External identities restricted and monitored
[ ] Devices enrolled in MDM/Intune/Endpoint Manager
[ ] Device compliance required before granting access
[ ] Local admin rights removed for standard users
[ ] Device certificates used for authentication
[ ] Lost/stolen devices can be remotely wiped
[ ] Verify explicitly (identity, device, location, risk)
[ ] Least privilege enforced everywhere
[ ] Assume breach — monitor continuously
[ ] Micro‑segmentation applied where possible
[ ] Continuous access evaluation enabled
[ ] Quarterly access reviews completed
[ ] Annual IAM audit performed
[ ] Privileged access reviewed monthly
[ ] JML process tested regularly
[ ] IAM risks included in risk register
[ ] IAM metrics reported to leadership