Application Container Audit/Assurance Program 

download now Free to members only.
Non-members Join today to get your free copy, or purchase the file for US $50.

  Provide feedback on this document
Knowledge Center  Visit the Audit Tools and Techniques Knowledge Center community
Knowledge Center  Visit the Audit Guidelines Knowledge Center community


With application virtualization, the number of applications in the hosted environment can be increased without a corresponding increase in the number of servers. Also, applications can be ‘segmented’ into more manageable sizes of data rather than pushing the entire application to the device on which the application is going to be installed. While these cost savings and better application deployments are examples of application virtualization benefits, organizations looked beyond this primary focus on delivering applications. Particularly, as organizations embraced ways to implement change faster, the challenge became maintaining consistency and reliability as software migrated from one computing environment to another.

Application containers can be used to mitigate this challenge because they consist of the application and all of the application’s dependencies such as libraries and configuration files. To provide assurance that application containers are maintaining consistency and reliability, ISACA’s Application Container Audit/Assurance Program considers preservation of data integrity through all phases of application containerization (planning, development, deployment, maintenance, and destruction). This is achieved by tests in the following areas:

  • Risk Analysis and Management
  • Security Awareness and Training
  • Images
  • Registry
  • Orchestrator
  • Application Security during Development
  • Secure connections
  • Hardening
  • Container Destruction

Audit Objectives

The primary purpose of this audit program is to assist IT auditors in their assessments of application container deployments. Accordingly, this audit program takes into consideration assurance around:

  • Clarity in roles and responsibilities given the larger role in security played by developers with application containers
  • Safeguarding of the host operating system by deactivation of unnecessary services
  • Mitigation of risks associated with use of a shared kernel, which is inherent in the application container infrastructure
  • Confidentiality of network traffic between application containers on the same host