Table of contents
- ISO 27002 Protection of Information Systems During Audit Testing
- What is ISO 27002:2022 Control 8.34?
- Definition of ISO 27002 Control 8.34
- Purpose of ISO 27002 Control 8.34
- Ownership of ISO 27002 Control 8.34
- Compliance Guidance
- Supplementary Guidance on ISO 27002 Control 8.34
- Changes and Differences to ISO 27002:2013
- ISO 27002 Control 8.34 FAQ
- ISO 27002 Control 8.34 Attributes Table
ISO 27002 Protection of Information Systems During Audit Testing
Auditing is essential for identifying and eliminating security risks and weaknesses in information systems, and it is a critical part of protecting data.
The audit process, conducted in operational, testing, or development settings, can put sensitive data at risk of unauthorised disclosure, or of losing its integrity and availability.
To address these concerns, Protection of Information Systems During Audit Testing provides specific guidance on safeguarding sensitive information during audit activities. By following these guidelines, organisations can ensure the security and integrity of their data throughout the audit process.
What is ISO 27002:2022 Control 8.34?
ISO 27002 Control 8.34 Protection of Information Systems During Audit Testing provides implementation guidance for ISO 27001 Annex A 8.34.
Definition of ISO 27002 Control 8.34
ISO 27002 defines Control 8.34 as: "Audit tests and other assurance activities involving the assessment of operational systems require careful planning and agreement between the tester and appropriate management."
Purpose of ISO 27002 Control 8.34
This is a preventive control designed to minimise disruptions to operational systems and business processes during audits and other assurance activities.
Ownership of ISO 27002 Control 8.34
The IT management team is responsible for developing, approving, and implementing appropriate audit procedures.
Compliance Guidance
When implementing Protection of Information Systems During Audit Testing, the following ISO 27002:2022 Control 8.34 guidance should be considered:
- Access Agreements: Appropriate management and the auditor must agree on all necessary access to systems and information assets. This includes defining the scope of technical audit tests.
- Read-Only Access: Organisations should prioritise providing auditors with read-only access to information and software whenever possible. If read-only access is not feasible, an administrator with the necessary access rights should perform system or data access on behalf of the auditor.
- Device Security: Before granting access, organisations must verify that the auditor’s devices meet all applicable security requirements.
- Isolated Copies: Access should be limited to isolated copies of files extracted from the system. These copies should be permanently deleted upon audit completion, unless required for legal or regulatory purposes. This control does not apply when read-only access is provided.
- Special Processing Requests: Any requests by auditors to perform special processing, such as deploying audit tools, must be approved by management.
- Minimising Disruption: If an audit poses a risk to system availability, it should be conducted outside of normal business hours to minimise disruption.
- Access Request Logging: All access requests for audit purposes must be properly logged to maintain an audit trail.
Supplementary Guidance on ISO 27002 Control 8.34
When conducting audits within testing or development environments, organisations must be mindful of the following critical risks:
Compromise of Code Integrity:
Accidental or intentional modifications to the codebase during the audit process can introduce vulnerabilities, errors, or unexpected behaviour.
Loss of Sensitive Information:
The exposure of sensitive data, such as intellectual property, trade secrets, or confidential customer information, during the audit process can have severe consequences.
Mitigating These Risks
To mitigate these risks, organisations should implement robust security controls and procedures specifically for audit activities within testing and development environments. These measures may include:
- Utilising isolated and secure audit environments: Conducting audits in segregated environments that are isolated from the production environment can minimise the risk of unintended code modifications or data breaches.
- Implementing strong access controls: Restricting access to audit environments and implementing strong authentication and authorisation mechanisms can help prevent unauthorised access and data breaches.
- Regularly reviewing and updating security controls: Continuously assess and update security controls to address emerging threats and vulnerabilities within the testing and development environments.
Changes and Differences to ISO 27002:2013
While the 2022 version of ISO 27002 retains many similarities to its predecessor, two key distinctions emerge:
New Requirement for Device Security:
The 2022 version introduces a crucial new requirement:
Before granting any access to systems or data during an audit, organisations must verify that the auditor’s devices meet all applicable security requirements.
This requirement was not explicitly addressed in the 2013 version.
Focus on Testing and Development Environments:
The 2022 version, within its Supplementary Guidance, specifically cautions organisations about the security risks associated with auditing testing and development environments. These risks include the potential for code integrity compromise and the accidental disclosure of sensitive information.
The 2013 version did not explicitly address the unique security considerations of auditing these environments.
ISO 27002 Control 8.34 FAQ
ISO 27001 Annex A 8.34 is the information security control requirement of the ISO 27001 standard for ISO 27001 certification. ISO 27002 Control 8.34 is the implementation guidance for the control.
Yes, Protection of Information Systems During Audit Testing is a required information security control for ISO 27001 certification.
ISO 27002 Control 8.34 Attributes Table
Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
---|---|---|---|---
Preventive | Confidentiality, Integrity, Availability | Protect | System and Network Security, Information Protection | Governance and Ecosystem, Protection