
How to Audit ISO 27001 Annex A 8.34: Protection of Information Systems During Audit Testing

In this ultimate how-to-audit guide to ISO 27001 Annex A 8.34 Protection of Information Systems During Audit Testing, you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 8.34 Audit Checklist

Auditing Protection of Information Systems During Audit Testing is the technical verification of the safeguards that prevent operational disruption during compliance assessments. The primary implementation requirement is restricting access to audit tools and mandating read-only configurations; the business benefit is continuous service availability while rigorous security oversight is maintained.

This technical verification tool is designed for lead auditors to confirm that operational systems are protected during testing activities. Use this checklist to validate compliance with ISO 27001 Annex A 8.34.

1. Audit Testing Scope and Schedule Formalisation Verified

Verification Criteria: Audit tests involving operational systems are formally planned, scoped, and scheduled to minimise the risk of service disruption.

Required Evidence: Approved Audit Plan or Technical Assessment Schedule with defined start/end times and identified target systems.

Pass/Fail Test: If technical audit testing (e.g., vulnerability scanning) is performed on production systems without a pre-approved schedule, mark as Non-Compliant.

2. Audit Tool Access Restriction Confirmed

Verification Criteria: Access to audit tools (e.g., scanners, debuggers, or scripts) is restricted to authorised personnel and removed immediately after the test concludes.

Required Evidence: IAM role reports or temporary account logs showing the revocation of “Audit” or “Scanner” privileges post-test.

Pass/Fail Test: If audit service accounts or specialised scanning tools remain active and accessible on production servers outside of active audit windows, mark as Non-Compliant.

3. Read-Only Access Preference for Audit Testing Validated

Verification Criteria: Technical audit tests are configured for “Read-Only” access wherever possible to prevent accidental modification or corruption of operational data.

Required Evidence: Configuration logs from the audit software or database service account settings showing ‘Read-Only’ or ‘SELECT’ permissions only.

Pass/Fail Test: If an automated audit tool is found running with ‘Write’ or ‘Delete’ permissions on a production database, mark as Non-Compliant.
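The two pass/fail tests above (item 2, audit accounts revoked after the window; item 3, audit accounts holding read-only privileges only) can be applied mechanically once the IAM report and the privilege export have been normalised. The following script is an added example for this guide, not part of the checklist or of any toolkit: the audit window, account rows, and grants are constructed sample evidence, the one-hour revocation grace period is an assumed threshold, and the list of write privileges is illustrative rather than taken from any particular database product.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed approved audit window: 2024-03-04 22:00 to 2024-03-05 02:00.
AUDIT_WINDOW = (datetime(2024, 3, 4, 22, 0), datetime(2024, 3, 5, 2, 0))
# Constructed time at which the auditor reviews the evidence (two days later).
REVIEW_TIME = datetime(2024, 3, 7, 9, 0)
# Assumed grace period for "removed immediately after the test concludes".
REVOCATION_GRACE = timedelta(hours=1)
# Illustrative set of privileges an audit account must not hold on production data.
WRITE_PRIVILEGES = frozenset({"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "TRUNCATE", "WRITE"})


@dataclass(frozen=True)
class AuditAccount:
    """One row of a (constructed) temporary-account report."""
    name: str
    system: str
    active: bool
    revoked_at: Optional[datetime]


@dataclass(frozen=True)
class PermissionGrant:
    """One row of a (constructed) database service-account privilege export."""
    account: str
    target: str
    privileges: frozenset


# Constructed evidence in the shape an IAM or database export would be normalised into.
ACCOUNTS = [
    AuditAccount("svc-audit-scan", "prod-web-01", False, datetime(2024, 3, 5, 2, 10)),   # revoked promptly
    AuditAccount("svc-audit-scan", "prod-db-01", True, None),                             # never revoked
    AuditAccount("tmp-auditor-jdoe", "prod-app-02", False, datetime(2024, 3, 6, 9, 0)),  # revoked a day late
]

GRANTS = [
    PermissionGrant("svc-audit-scan", "prod-db-01/customers", frozenset({"SELECT"})),
    PermissionGrant("svc-audit-scan", "prod-db-01/orders", frozenset({"SELECT", "UPDATE", "DELETE"})),
]


def check_account_revocation(accounts, window, now, grace=REVOCATION_GRACE):
    """Checklist item 2: audit accounts must be revoked promptly after the window closes.

    Returns a list of finding strings; an empty list means compliant.
    """
    _, end = window
    deadline = end + grace
    findings = []
    for acct in accounts:
        if now > deadline and acct.active:
            findings.append(f"Non-Compliant: {acct.name} still active on {acct.system} after window end")
        elif acct.revoked_at is not None and acct.revoked_at > deadline:
            late_by = acct.revoked_at - end
            findings.append(f"Non-Compliant: {acct.name} on {acct.system} revoked {late_by} after window end")
    return findings


def check_read_only(grants, write_privileges=WRITE_PRIVILEGES):
    """Checklist item 3: audit accounts may hold read-only (SELECT-style) privileges only."""
    findings = []
    for grant in grants:
        offending = sorted(grant.privileges & write_privileges)
        if offending:
            findings.append(f"Non-Compliant: {grant.account} holds {offending} on {grant.target}")
    return findings


def audit_findings(accounts=ACCOUNTS, grants=GRANTS, window=AUDIT_WINDOW, now=REVIEW_TIME):
    """Combine both checks into the evidence list an auditor would record."""
    return check_account_revocation(accounts, window, now) + check_read_only(grants)


if __name__ == "__main__":
    for line in audit_findings():
        print(line)
```

Run against the constructed evidence, the script reports three findings: the scanner account left active on prod-db-01, the temporary auditor account revoked a day after the window, and the UPDATE/DELETE grant on the orders table. In practice the two input lists would be built from the organisation's own IAM role report and privilege export, and the grace period and write-privilege set would be agreed with the system owners before the test.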
