47-Point Security Audit

Salesforce Security Audit Checklist — 47 Items, 7 Categories

A scannable, no-fluff checklist for every Salesforce admin running a security review. Each row has three fields: the check, why it matters, and how to verify it in Setup.

Don't work through all 47 in one sitting. Pick a category, walk the rows against a recent export of your org's metadata, and sign off. Repeat quarterly — security posture decays faster than most orgs plan for.

01

Identity & Access

7 items

Start with identity — before anything else. Who can log in, how they authenticate, and whether their access is current and intentional.

02

Integrations & OAuth

7 items

Connected apps authenticate as users and keep working long after those users leave. Treat them as live credentials with their own audit rhythm.

03

Data & Sharing

7 items

Org-wide defaults set the baseline. Every subsequent sharing rule has to fight against the default. Get the default right and the rest of the model is simpler.

04

Network & IP

6 items

Network controls are how you stop a stolen credential from being used anywhere in the world. Lock the perimeter to the IPs you actually log in from.

05

Monitoring & Audit Trail

6 items

Audit logs tell you what happened. Monitoring configuration decides whether you get alerted before the incident is over. Both are required.

06

Recovery & Backup

6 items

Backup posture is rarely the cause of an incident. It is the difference between an incident and a catastrophe. Audit it like the rest.

07

Admin Hygiene

8 items

The day-to-day administrative debris that compounds over years. Permission sets you forgot about. Flows from a 2022 project. Easy wins if you tackle them quarterly.

Run categories 1–3 against your real org.

The Permissions Scanner inventories profiles and permission sets, flags low-assignment sets, and surfaces FLS gaps in a single shareable report — client-side, no Salesforce credentials. The Items 1–7, 17, 21 in this checklist are exactly what it covers.

Run Permissions Scanner →