ISO 27001: 2022 A.8.34 Protection of information systems during audit testing

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.34 Protection of information systems during audit testing.

ISO 27001: 2022 Control Description

Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.

Purpose

To reduce the impact of audits and other assurance activities on operational systems and business processes.

Guidance on implementation

When conducting audit tests or assurance activities on operational systems, it’s important to follow these guidelines:

  1. Management Agreement
    Obtain agreement from appropriate management for any audit access to systems and data.
  2. Scope Control
    Clearly define and agree on the scope of the technical audit tests with relevant management.
  3. Read-Only Access
    Limit audit tests to read-only access to software and data. If read-only access isn’t sufficient, have a qualified administrator with the necessary access rights perform the test on behalf of the auditor.
  4. Security Verification
    If access is granted, ensure that the devices used for accessing the systems (e.g., laptops or tablets) meet security requirements, such as having up-to-date antivirus software and patches.
  5. Isolated Access
    If more than read-only access is required, work with isolated copies of system files. Delete these copies after the audit is complete, or secure them if they must be retained for audit documentation purposes.
  6. Special Requests
    Identify and agree on any special or additional processing needs, such as running specific audit tools.
  7. Timing of Tests
    Schedule audit tests that could impact system availability to occur outside of business hours.
  8. Monitoring and Logging
    Ensure all access during audit and test activities is monitored and logged for security and compliance purposes.

Additional Information

Audit tests and other assurance activities may also take place on development and test systems. These activities can affect the integrity of code or expose sensitive information, so the same care and guidelines should be applied in these environments as well.