ISO 27001 Annex A 8.34 Audit Checklist


In this ultimate how-to audit guide to ISO 27001 Protection of Information Systems During Audit Testing, you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Auditing ISO 27001 Annex A 8.34 validates that information systems are protected during audit testing to prevent operational disruption or data compromise. The audit confirms the Primary Implementation Requirement that testing activities are planned, authorized, and monitored to minimize risk. The Business Benefit is the assurance that security assessments do not inadvertently cause downtime or data breaches.

Use this pass/fail checklist to strictly validate compliance with ISO 27001 Annex A 8.34 (Protection of information systems during audit testing). For a detailed methodology on how to conduct the interviews and system tests required to generate this evidence, refer to our Annex A 8.34 Audit Guide.

1. Audit Testing Plan & Scope Formally Defined

  • Verification Criteria: A documented plan exists for every technical audit (e.g., Pentest, Vulnerability Scan) explicitly defining the scope, timing, and systems involved.
  • Required Evidence: The “Audit Plan” or “Rules of Engagement” (RoE) document signed by both the Auditor and the System Owner.

Pass/Fail Test: If a vulnerability scan was launched against the production network without a pre-agreed scope document defining the boundaries, mark as Non-Compliant.

2. Operational Impact Risk Assessment Verified

  • Verification Criteria: Before testing begins, an assessment is conducted to determine if the audit activities could disrupt business operations or system availability.
  • Required Evidence: A “Pre-Audit Risk Assessment” or email thread confirming that performance impacts (e.g., latency from scanning) were considered.

Pass/Fail Test: If heavy load testing was scheduled during peak business hours (e.g., Black Friday sales) without a risk acceptance sign-off, mark as Non-Compliant.

3. Read-Only Access Restrictions Enforced

  • Verification Criteria: Auditors are granted “Read-Only” access by default; write/edit permissions are strictly prohibited unless specifically required for the test (e.g., exploiting a vulnerability).
  • Required Evidence: Access Control Lists (ACLs) or Role assignments showing the Auditor account belongs to a “View Only” or “Auditor” group.

Pass/Fail Test: If the external auditor was given “Domain Admin” or “Super User” rights just to make access easier to provision, mark as Non-Compliant.
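As an added example (not part of the original checklist), the following Python evaluates constructed evidence against items 1 and 3 above: each recorded scan launch is checked against the agreed scope and time window from the Rules of Engagement, and the auditor account's group membership is checked against the read-only requirement. The RoE values, scan log entries, account name and group names are all constructed assumptions, not taken from any real environment.

```python
import ipaddress
from datetime import datetime

# Constructed Rules of Engagement (item 1): agreed scope, agreed window,
# and the groups an auditor account is allowed to hold (item 3).
ROE = {
    "scope": ["10.20.0.0/16"],
    "window": (datetime(2024, 3, 9, 22, 0), datetime(2024, 3, 10, 4, 0)),
    "allowed_groups": {"Auditor", "View Only"},
}
# Constructed list of privileged groups that fail the read-only test.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Super User"}

# Constructed evidence: scan launch records and the auditor account's groups.
SCAN_LOG = [
    {"target": "10.20.5.7", "started": datetime(2024, 3, 9, 23, 15), "account": "audit.svc"},
    {"target": "10.30.1.1", "started": datetime(2024, 3, 9, 23, 40), "account": "audit.svc"},
    {"target": "10.20.8.2", "started": datetime(2024, 3, 10, 9, 5), "account": "audit.svc"},
]
GROUPS = {"audit.svc": {"Auditor", "Domain Admins"}}


def check_scan(entry, roe=ROE):
    """Item 1: flag launches outside the pre-agreed scope or window."""
    findings = []
    addr = ipaddress.ip_address(entry["target"])
    if not any(addr in ipaddress.ip_network(net) for net in roe["scope"]):
        findings.append("target outside agreed scope")
    start, end = roe["window"]
    if not (start <= entry["started"] <= end):
        findings.append("launched outside agreed window")
    return findings


def check_account(account, groups=GROUPS):
    """Item 3: list any privileged groups the auditor account belongs to."""
    return sorted(groups.get(account, set()) & PRIVILEGED)


def audit(scan_log=SCAN_LOG, groups=GROUPS, roe=ROE):
    """Combine both checks into a per-entry report and an overall verdict."""
    report = {}
    for i, entry in enumerate(scan_log):
        findings = check_scan(entry, roe)
        for grp in check_account(entry["account"], groups):
            findings.append(f"account holds privileged group {grp}")
        report[i] = findings
    verdict = "Non-Compliant" if any(report.values()) else "Compliant"
    return {"entries": report, "verdict": verdict}
```

Any entry with a non-empty findings list maps directly to the "mark as Non-Compliant" outcome of the corresponding Pass/Fail Test.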
