Checklists

Compliance Checklists

Regulatory compliance checklists for HIPAA, SOX, FDA, and FedRAMP

Compliance checklists help ensure software systems meet regulatory requirements. These checklists should be customized based on your specific regulatory environment and used throughout the development lifecycle.

HIPAA Compliance Checklist

Administrative Safeguards

Physical Safeguards

Facility access controls implemented
Workstation use policies defined
Workstation security measures in place
Device and media controls documented

Technical Safeguards

HIPAA Technical Safeguards

PHI Handling

Requirement	Implementation
Minimum Necessary	Only access PHI required for job function
De-identification	Remove 18 HIPAA identifiers when possible
Encryption	AES-256 at rest, TLS 1.2+ in transit
Audit Trail	Log all PHI access with user, timestamp, action
Retention	6 years minimum for HIPAA records

SOX Compliance Checklist

IT General Controls (ITGCs)

Access Controls

User access management documented
Segregation of duties enforced
Privileged access limited and monitored
Access reviews conducted quarterly
Terminated user access removed promptly

Change Management

Change control process documented
Changes tested before production
Changes approved by appropriate personnel
Emergency change procedures defined
Change records maintained

IT Operations

Job scheduling documented and monitored
Backup procedures documented and tested
Restore procedures tested regularly
Incident management procedures in place
Problem management procedures in place

Application Controls

┌─────────────────────────────────────────────────────────────────────────────┐
│                     SOX APPLICATION CONTROLS                                 │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│  INPUT CONTROLS                                                              │
│  □ Input validation implemented                                             │
│  □ Authorization before data entry                                          │
│  □ Duplicate detection in place                                             │
│  □ Error handling and correction procedures                                 │
│                                                                              │
│  PROCESSING CONTROLS                                                         │
│  □ Calculations verified                                                    │
│  □ Batch totals reconciled                                                  │
│  □ Processing logs maintained                                               │
│  □ Exception handling documented                                            │
│                                                                              │
│  OUTPUT CONTROLS                                                             │
│  □ Report distribution controlled                                           │
│  □ Output validation performed                                              │
│  □ Sensitive output secured                                                 │
│                                                                              │
│  AUDIT TRAIL                                                                 │
│  □ All financial transactions logged                                        │
│  □ User, timestamp, before/after values captured                           │
│  □ Logs protected from modification                                         │
│  □ 7-year retention implemented                                             │
│                                                                              │
└─────────────────────────────────────────────────────────────────────────────┘

FDA QSR Compliance Checklist

Design Controls (21 CFR 820.30)

Design and development plan established
Design input requirements documented
Design output documents created
Design review conducted and documented
Design verification completed
Design validation completed
Design transfer procedures followed
Design changes controlled

Software Development (IEC 62304)

Activity	Class A	Class B	Class C
Development planning	Required	Required	Required
Requirements analysis	Required	Required	Required
Architecture design	-	Required	Required
Detailed design	-	-	Required
Unit verification	-	Required	Required
Integration testing	-	Required	Required
System testing	Required	Required	Required

Traceability Requirements

Documentation (DHF)

Design History File Contents:

□ User needs document
□ Design input (requirements)
□ Risk analysis (FMEA, Hazard Analysis)
□ Design output (specifications)
□ Design review records
□ Verification records (test results)
□ Validation records (user testing)
□ Change control records
□ Design transfer records

FedRAMP Compliance Checklist

Pre-Assessment

Impact level determined (Low/Moderate/High)
Authorization path selected (JAB/Agency)
3PAO engaged
System boundary defined

Documentation

System Security Plan (SSP) complete
All controls documented
Network diagrams current
Data flow diagrams complete
Policies and procedures documented

Key Control Families

┌─────────────────────────────────────────────────────────────────────────────┐
│                    FEDRAMP CONTROL CHECKLIST                                 │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│  ACCESS CONTROL (AC)                                                         │
│  □ Account management procedures (AC-2)                                     │
│  □ Access enforcement mechanisms (AC-3)                                     │
│  □ Separation of duties (AC-5)                                              │
│  □ Least privilege (AC-6)                                                   │
│  □ Session controls (AC-12)                                                 │
│                                                                              │
│  AUDIT (AU)                                                                  │
│  □ Audit events defined (AU-2)                                              │
│  □ Audit record content (AU-3)                                              │
│  □ Audit storage capacity (AU-4)                                            │
│  □ Audit review and analysis (AU-6)                                         │
│  □ Audit record retention (AU-11)                                           │
│                                                                              │
│  CONFIGURATION MANAGEMENT (CM)                                               │
│  □ Baseline configuration (CM-2)                                            │
│  □ Configuration change control (CM-3)                                      │
│  □ Security settings (CM-6)                                                 │
│  □ Software usage restrictions (CM-10)                                      │
│                                                                              │
│  INCIDENT RESPONSE (IR)                                                      │
│  □ Incident response plan (IR-1)                                            │
│  □ Incident handling (IR-4)                                                 │
│  □ Incident reporting (IR-6)                                                │
│  □ Incident response testing (IR-3)                                         │
│                                                                              │
└─────────────────────────────────────────────────────────────────────────────┘

Continuous Monitoring

Audit Preparation Checklist

Documentation Review

Policies current and approved
Procedures match actual practices
Evidence organized by control
Exception documentation complete
Prior audit findings addressed

Evidence Collection

Evidence Type	Examples
Configuration	Screenshots, exports of settings
Access Reviews	Approval emails, review reports
Change Records	Tickets, approval workflows
Testing Results	Test reports, vulnerability scans
Training Records	Completion certificates, attendance

Interview Preparation

Key personnel identified
Roles and responsibilities documented
Process walkthroughs prepared
Sample transactions identified

Compliance Mapping

Control Crosswalk

Requirement	HIPAA	SOX	FDA	FedRAMP
Access Control	164.312(a)	ITGC	820.30	AC
Audit Logging	164.312(b)	ITGC	820.180	AU
Change Control	164.308(a)(8)	ITGC	820.70	CM
Risk Assessment	164.308(a)(1)	302/404	820.30	RA
Incident Response	164.308(a)(6)	ITGC	820.198	IR

Compliance

This section fulfills ISO 13485 requirements for regulatory requirements (4.1.1), internal audit (8.2.2), and control of records (4.2.4), and ISO 27001 requirements for compliance with legal requirements (A.5.31), compliance verification (A.5.36), and information security policies (A.5.1).

View full compliance matrix

How is this guide?

Last updated on

Security Checklists

Security review checklists for code, infrastructure, and deployment

Templates

Ready-to-use templates for architecture, project management, QA, and requirements

Compliance Checklists

On this page