POPIA IT Checklist: 7 Controls Auditors Ask For
Not legal advice. Your lawyer writes the policy. IT proves you're compliant. Here's what SARS and the Information Regulator actually check during audits.
The 7 Technical Controls [With How to Check]
| Control | How to Check | Evidence |
|---|---|---|
| 1. Access Control | Azure AD > Users > MFA status = 100% | Export CSV, screenshot |
| 2. Encryption at Rest | BitLocker enabled on all laptops [Intune > Devices] | Compliance report |
| 3. Encryption in Transit | TLS 1.2 enforced on email [Exchange Admin] | MXToolbox test |
| 4. Audit Logging | M365 Audit log enabled, 90+ day retention | Search logs for user deletion |
| 5. Data Loss Prevention | Policy blocking ID numbers in external email | Test send ID to Gmail, should block |
| 6. Breach Detection | Alerts for mass download, foreign logins | Defender > Incidents screenshot |
| 7. Secure Disposal | BitLocker keys backed up before wipe | Certificate of destruction |
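Added example, not part of the original checklist: a PowerShell script that produces the control-1 evidence (the MFA status CSV) from the Microsoft Graph PowerShell SDK instead of clicking through Azure AD. It assumes the SDK is installed and the signed-in account can read users and their authentication methods; the output path is an assumption.

```powershell
# Added example: export per-user MFA registration as CSV evidence for control 1.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account
# has consent for the scopes below (assumption, not stated in the checklist).
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Method types that count as a second factor. A password alone is not MFA, and the
# email method is only used for self-service password reset, so neither is listed.
$strongTypes = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
)

# Only enabled accounts count toward the 100% target; disabled ones cannot sign in.
$rows = foreach ($u in Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,UserPrincipalName) {
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    $types   = $methods | ForEach-Object { $_.AdditionalProperties["@odata.type"] }
    $strong  = $types | Where-Object { $strongTypes -contains $_ }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        MfaRegistered     = [bool]$strong
        Methods           = ($strong -replace "#microsoft.graph.", "") -join ";"
    }
}

# The CSV is the audit evidence; the summary line is the scorecard status value.
$rows | Export-Csv -Path ".\popia-control1-mfa.csv" -NoTypeInformation   # assumed path
$total   = $rows.Count
$covered = ($rows | Where-Object MfaRegistered).Count
"{0}/{1} enabled users have an MFA method registered ({2:P0})" -f $covered, $total, ($covered / [math]::Max($total, 1))
```

Users listed with MfaRegistered = False are the gap to close before the scorecard row can show 100%.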
What Happens If You Fail?
- Fine: Up to R10 million or 10% of annual turnover, whichever is greater
- Real case: Estate agency fined R500,000 — no access logs after client data breach
- Insurance: Cyber policies won't pay out if you have no MFA or encryption
Scorecard Template [Copy This]
Create an Excel sheet with these columns: Control | Status | Evidence | Owner | Due Date
Example: MFA 100% | ❌ 80% | Azure CSV | IT Manager | 30 days
Download Excel Scorecard Template
Or book R950 Audit — we score all 7 for you + provide remediation plan.