ISO 27001 Protection of Information Systems During Audit Testing mandates that any audit and testing must be planned and it must be agreed with senior management. In ISO 27001 this is known as ISO27001:2022 Annex A 8.34 Protection of Information Systems During Audit Testing. It is one of the 93 ISO 27001 Annex A controls.
The requirement is that audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management. Its purpose is to minimise the impact of audit and other assurance activities on operational systems and business processes.
ISO 27001 is the international standard for an information security management system and a key part of the standard is continual improvement based on auditing and testing.
Key Takeaways
- Audits and tests need to be planned and agreed
- The control is called ISO 27001:2022 Annex A 8.34 Protection of Information Systems During Audit Testing
- It is part of the audit and testing process
- Independent and qualified auditors should be used for ISO 27001 audits, following a documented audit methodology.
Table of contents
- Key Takeaways
- Implementation Guide
- Implementation Checklist
- Protecting Information Systems
- Minimising Disruptions
- How to comply
- What the auditor will check
- Audit Checklist
- Top 3 Mistakes People Make
- ISO 27001 Protection of Information Systems During Audit Testing FAQ
- ISO 27002:2022 Control 8.34
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Annex A 8.34 Attributes Table
Implementation Guide
The requirement here really comes from the premise that when auditors and testers do stuff for information security, don’t fk stuff up.
It shouldn’t need saying really but it does.
Some of the tests, especially the technical tests, can be dangerous and cause a lot of harm and damage.
When implementing you want to make sure that:
- Agreements are in place, across the board, approving the audit and the tests.
- Appropriate access controls are in place and the access control processes are followed to reach the thing being audited.
- Any device or tool used to access and audit systems meets your information security and technical standards and requirements, such as patching and antivirus levels, before it is given access.
- Tests involving data only use read-only copies of data where possible; where that is not possible, experienced administrators perform the test under the direction and observation of the auditor.
- The running of any tools or technology to facilitate the audit is agreed and documented as agreed.
- Audits and tests are conducted outside peak operating times, such as out of business hours.
- That all audit and tests are monitored and logged.
Implementation Checklist
Protection of information systems during audit testing ISO 27001 Annex A 8.34 Implementation Checklist
1. Conduct Risk Management
Challenge
Identifying and mitigating all potential risks, especially within complex IT environments, presents a significant challenge.
Solution
- Conduct thorough risk assessments tailored to the specific audit context.
- Implement strict access controls for audit-related activities. Ensure that access is granted only to authorised personnel on a “need-to-know” basis.
- Deploy and maintain robust monitoring systems that provide real-time alerts for any unusual activity or anomalies.
2. Ensure System Integrity
Challenge
Maintaining system integrity during audits poses significant challenges. Audit procedures often require interaction with live systems, increasing the risk of inadvertent disruptions or instability.
Solution
- Develop and enforce strict guidelines for auditors, outlining permissible actions and limitations to minimise the risk of unintended system modifications.
- Conduct audits within controlled environments or on system replicas whenever feasible.
- Continuously monitor systems during audits to detect any unauthorised changes. Ensure that any necessary changes are reversible and properly documented with appropriate approvals.
3. Safeguard Data Protection and Confidentiality
Challenge
Safeguarding sensitive data during audits is crucial, especially when dealing with personal information, intellectual property, or other confidential material.
Solution
- Encrypt all sensitive data accessed during audits.
- Utilise role-based access controls to limit data access to authorised auditors.
- Regularly train internal staff and external auditors on confidentiality and data protection protocols.
- Maintain detailed logs of data access activities, ensuring a comprehensive audit trail.
4. Ensure Audit Preparation and Planning
Challenge
Preparing for and executing an audit effectively requires meticulous planning and coordination across the organisation, especially in complex environments.
Solution
- Create a detailed plan that includes risk assessments, system readiness checks, and inter-team coordination.
- Conduct audits during periods of low system activity to minimise potential disruption.
- Ensure the availability of backup systems and robust recovery plans to maintain business continuity during the audit.
- Ensure all relevant teams are prepared and coordinated.
5. Put in place Monitoring and Response
Challenge
Continuous monitoring during audits is crucial for timely incident detection and response. This can be difficult due to limited resources, extensive audit scope, and the need to minimise false alarms.
Solution
- Utilise tools for real-time system activity tracking and immediate alerts on suspicious behaviour.
- Configure automated alerts for potential risks and breaches to enable rapid response.
- Ensure the incident response team is trained and ready to effectively handle security incidents.
- Analyse the effectiveness of monitoring and response protocols and identify areas for improvement.
Protecting Information Systems
The following are technical techniques to protect information systems effectively during audit and testing.
Access Control
Restricting access to information systems during audit testing is crucial.
Read-Only Permissions
Implementing read-only permissions for auditors when feasible can prevent accidental or malicious changes to data.
Secure Auditor Devices
Auditor devices should be secured with appropriate controls to prevent unauthorised access or data leakage.
Audit Trails
Maintaining comprehensive audit trails of all activities during testing is essential for accountability and investigation purposes.
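The audit trail is only useful if someone reviews it against what was agreed. The following is an added example, not code from the article or from any product: a small Python reviewer that reads constructed key=value log records of an auditor account's activity and flags three departures from a read-only, in-scope, in-window agreement (a write action, access to an out-of-scope system, activity outside the agreed window). The log format, the AGREEMENT fields and the sample lines are all assumptions made for this example; it also serves the "monitored and logged" point in the implementation guide above.

```python
"""Review an audit-activity log against the agreed engagement terms.

Constructed example for this page: the log format, the agreement fields and
the sample lines are assumptions, not from the article or any product. It
reads key=value records of what the auditor's account did and flags three
departures from a read-only, in-scope, in-window agreement: write actions,
access to systems outside the agreed scope, and activity outside the agreed
time window. Other accounts are left to normal monitoring.
"""
from datetime import datetime

WRITE_ACTION = "write action by read-only auditor account"
OUT_OF_SCOPE = "access to system outside agreed scope"
OUT_OF_WINDOW = "activity outside agreed test window"

# Terms agreed with management before the engagement (constructed values).
AGREEMENT = {
    "account": "ext-auditor",
    "in_scope": {"crm-db-replica", "web-replica"},
    "read_actions": {"SELECT", "READ", "LIST", "GET"},
    "window": (datetime(2024, 3, 12, 19, 0), datetime(2024, 3, 12, 23, 0)),
}

# Constructed sample log: one record per line, UTC timestamps, key=value pairs.
SAMPLE_LOG = """\
2024-03-12T19:05:12Z user=ext-auditor host=crm-db-replica action=SELECT object=customers result=ok
2024-03-12T19:20:44Z user=ext-auditor host=crm-db-replica action=UPDATE object=customers result=ok
2024-03-12T19:40:03Z user=ext-auditor host=hr-db action=SELECT object=employees result=denied
2024-03-12T19:50:10Z user=dba01 host=crm-db-replica action=UPDATE object=customers result=ok
2024-03-12T23:30:27Z user=ext-auditor host=crm-db-replica action=SELECT object=orders result=ok
this line is not a valid record
"""


def parse_line(line: str):
    """Return a dict for a well-formed record, or None for anything else."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    record = {"ts": ts}
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            return None
        record[key] = value
    if not all(k in record for k in ("user", "host", "action")):
        return None
    return record


def review_audit_trail(log_text: str, agreement: dict) -> list:
    """Return (line_number, reason, record) for every breach of the agreement."""
    alerts = []
    start, end = agreement["window"]
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        # Malformed lines and other accounts are not this reviewer's job.
        if rec is None or rec["user"] != agreement["account"]:
            continue
        if rec["action"] not in agreement["read_actions"]:
            alerts.append((n, WRITE_ACTION, rec))
        if rec["host"] not in agreement["in_scope"]:
            alerts.append((n, OUT_OF_SCOPE, rec))
        if not (start <= rec["ts"] < end):
            alerts.append((n, OUT_OF_WINDOW, rec))
    return alerts


if __name__ == "__main__":
    for n, reason, rec in review_audit_trail(SAMPLE_LOG, AGREEMENT):
        print(f"line {n}: {reason} ({rec['user']} {rec['action']} on {rec['host']} at {rec['ts']:%H:%M})")
```

Run stand-alone it reports line 2 (an UPDATE by the read-only account), line 3 (a query against hr-db, which is outside scope) and line 5 (a query after the 23:00 window closed); the dba01 change on line 4 is deliberately left to normal change monitoring, which is where the page's "administrator performs under the auditor's direction" case belongs.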
Minimising Disruptions
The following are techniques to minimise disruption during audit and testing.
Impact Assessment
Before any testing, an assessment should be conducted to identify potential impacts on operational systems and business processes.
Test Environments
Using dedicated test environments, rather than production systems, can minimise the risk of disruption.
Data Masking/Removal
Sensitive information used in test environments should be masked or removed after testing is complete.
How to comply
To comply with ISO 27001 Annex A 8.34 you are going to implement the ‘how’ to the ‘what’ the control is expecting.
1. Joint Planning
The plan will be a collaborative plan between the auditor and management that sets out clearly what the scope and nature of the audit tests will be and how they will be conducted. This should be documented, signed and approved.
2. Access Management
Access management will be agreed ahead of time, covering the specific systems and data that are to be assessed.
Access will be limited and where possible read only access will be provided to minimise risks of unauthorised or accidental changes to systems and data.
Administrative rights should not be granted and where required the auditor should observe an actual administrator perform under their direction.
3. Auditor Device Security Check
Before the auditor is allowed any access, their device will be tested thoroughly to ensure it meets the security requirements of the organisation. If it does not, access will not be granted.
4. Limit Access To Live Data
Where possible and practical the auditor should be provided copies of data and systems, not actual live data and systems.
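The four steps above, and the implementation guide bullets earlier on the page, amount to a gate that an engagement has to pass before the auditor touches anything. The following is an added example, not code from the article or from the standard: a Python pre-access check that turns each step into a test and returns every reason access must be refused. The dataclasses, the thresholds (patch age, antivirus signature age, what counts as business hours), the role names and the two sample engagements are all assumptions made for this example.

```python
"""Pre-access gate for an audit or test engagement.

Constructed example for this page: the dataclasses, thresholds and sample
engagements are assumptions, not part of ISO 27001 or the article. Each
check maps to one of the four 'How to comply' steps: a signed and approved
joint plan, read-only (never administrative) access, a security check on
the auditor's device, and live-data work confined to an agreed out-of-hours
window with logging switched on.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumed for the example; set them from your own standards.
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7
BUSINESS_HOURS = (8, 18)            # 08:00-18:00 on weekdays counts as peak time
READ_ONLY_ROLES = {"read-only", "observer"}


@dataclass
class AuditorDevice:
    hostname: str
    last_patched: datetime
    av_enabled: bool
    av_signatures_updated: datetime
    disk_encrypted: bool


@dataclass
class Engagement:
    plan_signed: bool
    approved_by: list           # management sign-offs on the joint plan
    in_scope_systems: list
    auditor_role: str           # role granted to the auditor's account
    uses_live_data: bool
    window_start: datetime
    window_end: datetime
    logging_enabled: bool
    device: AuditorDevice


def device_findings(dev: AuditorDevice, now: datetime) -> list:
    """Step 3: the auditor's device must meet the organisation's standards."""
    findings = []
    if now - dev.last_patched > timedelta(days=MAX_PATCH_AGE_DAYS):
        findings.append(f"{dev.hostname}: patch level older than {MAX_PATCH_AGE_DAYS} days")
    if not dev.av_enabled:
        findings.append(f"{dev.hostname}: antivirus disabled")
    elif now - dev.av_signatures_updated > timedelta(days=MAX_AV_SIGNATURE_AGE_DAYS):
        findings.append(f"{dev.hostname}: antivirus signatures older than {MAX_AV_SIGNATURE_AGE_DAYS} days")
    if not dev.disk_encrypted:
        findings.append(f"{dev.hostname}: disk not encrypted")
    return findings


def overlaps_business_hours(start: datetime, end: datetime) -> bool:
    """True if any 15-minute slice of the window falls in weekday business hours."""
    t = start
    while t < end:
        if t.weekday() < 5 and BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]:
            return True
        t += timedelta(minutes=15)
    return False


def engagement_findings(e: Engagement, now: datetime) -> list:
    """Return every reason access must be refused; an empty list means go."""
    findings = []
    # Step 1: joint planning, documented, signed and approved
    if not e.plan_signed:
        findings.append("audit plan not signed")
    if not e.approved_by:
        findings.append("no management approval recorded")
    if not e.in_scope_systems:
        findings.append("scope is empty")
    # Step 2: access management, read-only and never administrative
    if e.auditor_role not in READ_ONLY_ROLES:
        findings.append(f"auditor role '{e.auditor_role}' is not read-only")
    # Step 3: auditor device security check
    findings.extend(device_findings(e.device, now))
    # Step 4: live data only when unavoidable, and then outside peak hours
    if e.uses_live_data and overlaps_business_hours(e.window_start, e.window_end):
        findings.append("live-data testing scheduled inside business hours")
    if not e.logging_enabled:
        findings.append("audit activity logging not enabled")
    return findings


def access_granted(e: Engagement, now: datetime) -> bool:
    return not engagement_findings(e, now)


# Constructed sample engagements; NOW is a Tuesday morning.
NOW = datetime(2024, 3, 12, 9, 0)


def compliant_engagement() -> Engagement:
    dev = AuditorDevice("aud-laptop-01", datetime(2024, 3, 1), True, datetime(2024, 3, 10), True)
    return Engagement(True, ["CISO", "Head of IT"], ["crm-db-replica"], "read-only", False,
                      datetime(2024, 3, 12, 19, 0), datetime(2024, 3, 12, 23, 0), True, dev)


def noncompliant_engagement() -> Engagement:
    dev = AuditorDevice("aud-laptop-02", datetime(2024, 1, 1), False, datetime(2024, 1, 1), False)
    return Engagement(False, ["CISO"], ["crm-db"], "admin", True,
                      datetime(2024, 3, 13, 10, 0), datetime(2024, 3, 13, 12, 0), False, dev)


if __name__ == "__main__":
    for label, eng in (("compliant", compliant_engagement()), ("non-compliant", noncompliant_engagement())):
        print(f"{label}: access {'granted' if access_granted(eng, NOW) else 'refused'}")
        for f in engagement_findings(eng, NOW):
            print("  -", f)
```

The check returns the full list of findings rather than stopping at the first one, so the auditor and the system owner can fix everything in one round before the window opens; in the constructed non-compliant case that list is the unsigned plan, the administrative role, three device failures, live-data work scheduled inside business hours and missing logging.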
What the auditor will check
For ISO 27001 Protection of Information Systems During Audit Testing the auditor will check:
1. That you have planned and agreed the audit
The auditor will look for the audit plan and for formal, documented approval.
The auditor will check the information security requirements of the Information Security Management System (ISMS) and the Annex A Controls that you have recorded as in scope. They will check these against the in-scope environment.
2. That you have defined the scope of audits and tests clearly
The auditor will check based on the defined scope that you have agreed and should not venture outside that scope.
3. Their own engagement with you
Ironically for this control the auditor will in effect audit their own audit engagement and break the Segregation of Duty requirements covered in ISO 27001 Annex A 5.3 Segregation of duties. Don’t worry though, they are highly unlikely to highlight this as an issue.
Audit Checklist
Protection of information systems during audit testing ISO 27001 Annex A 8.34 Audit Checklist
1. Review the existence and effectiveness of Risk Management
- Check that a thorough risk assessment tailored to the specific audit context has been performed and that it considered identifying and addressing potential vulnerabilities and threats.
- Review access controls as they apply to audit-related activities and ensure that access is granted only to authorised personnel on a “need-to-know” basis.
- Walk through monitoring systems and gain evidence that they provide real-time alerts for any unusual activity or anomalies.
2. Assess System Integrity is maintained
- Check for guidelines for auditors and that they are outlining permissible actions and limitations to minimise the risk of unintended system modifications.
- Look for the existence of controlled environments or system replicas whenever feasible.
- Review evidence of Continuous Monitoring during audits to detect any unauthorised changes and that any necessary changes were reversible and properly documented with appropriate approvals.
3. Ensure Data Protection and Confidentiality
- Review Data Encryption and that they encrypt all sensitive data accessed during audits.
- Check role-based access controls and that they limit data access to authorised auditors.
- Assess that they regularly train internal staff and external auditors on confidentiality and data protection protocols.
- Review Audit Logs and detailed logs of data access activities, ensuring a comprehensive audit trail.
4. Evidence Audit Preparation and Planning
- Check the audit plan and if it includes risk assessments, system readiness checks, and inter-team coordination.
- Review audit schedules and if audits are conducted during periods of low system activity.
- Check for contingencies and the availability of backup systems and robust recovery plans to maintain business continuity during the audit.
- Assess inter-team collaboration and whether all relevant teams are prepared and coordinated.
5. Monitoring and Response
- Review the use of Advanced Monitoring Tools for real-time system activity tracking and immediate alerts on suspicious behaviour.
- Walk through automated alerts and check that they are configured for potential risks and breaches.
- Assess whether the incident response team has been prepared and is trained and ready to handle security incidents effectively.
- Analyse the effectiveness of monitoring and response protocols.
Top 3 Mistakes People Make
The top 3 mistakes that people make for ISO 27001 Protection of Information Systems During Audit Testing are:
1. Inadequate Device Security Checks for Auditors
Issue
You allowed the auditor access to your systems without conducting proper security checks on their devices.
Explanation
Before an auditor or tester gains access to your systems, a thorough security check on their devices is crucial. This may include checks for malware, unauthorised software, and adherence to your organisation’s security policies.
Consequence
Neglecting this step can expose your systems to potential risks.
2. Lack of Defined and Agreed-Upon Scope
Issue
You did not formally agree and document the scope of the audit or test.
Explanation
Allowing audits or tests based on vague terms like “best practice” creates ambiguity and potential for disagreement later.
Recommendation
Establish a clear and concise scope of work, outlining the specific objectives, methodologies, and deliverables. This scope should be formally documented and signed by all parties involved.
3. Uncontrolled Granting of Administrative Access
Issue
You granted the auditor administrative access to your systems without proper authorisation and controls.
Explanation
Granting administrative access should never be done without a rigorous approval process and adherence to established access control procedures.
Recommendation
If administrative access is absolutely necessary, follow all established procedures, document the request and approval process thoroughly, and ensure all access controls are strictly enforced.
ISO 27001 Protection of Information Systems During Audit Testing FAQ
The protection of information systems during audit, in particular ISO 27001:2022 Annex A 8.34, is important for several reasons including:
Preventing Compromise of Confidentiality, Integrity, and Availability (CIA)
Confidentiality: Audits often involve accessing sensitive data. Without proper controls, there’s a risk of unauthorised disclosure of this data during the audit process, whether accidentally or intentionally.
Integrity: Technical audit tests (e.g., vulnerability scanning, penetration testing) can potentially alter or corrupt data or system configurations. Protection measures ensure the integrity of the information and systems remains intact.
Availability: Some audit activities can be resource-intensive or involve actions that could disrupt operational systems. Protection ensures that critical business processes and system availability are not negatively impacted by the audit.
Maintaining Trust and Credibility
An organisation undergoing an ISO 27001 audit aims to demonstrate its commitment to information security. If the audit itself compromises security, it undermines the very purpose of the certification and damages trust with customers, partners, and stakeholders.
This control reinforces the idea that the organisation has thought through and implemented security at every stage, including during reviews of its security posture.
Reducing Risks of Data Breaches and Incidents
The audit process, while necessary, introduces a temporary increase in access to systems and data. Without specific controls, this increased access could inadvertently create vulnerabilities or expose sensitive information to risks like theft, accidental deletion, or unauthorised modification.
By putting safeguards in place, organisations significantly reduce the likelihood of a security incident occurring because of an audit.
Ensuring Accurate and Reliable Audit Results
If information systems are compromised or disrupted during an audit, the audit findings themselves could be skewed or unreliable. Protecting the systems ensures that the audit is conducted in a stable and controlled environment, leading to more accurate assessments of the ISMS effectiveness.
Minimising Business Disruption
Audits, especially those involving in-depth system assessments, can be disruptive. Control 8.34 emphasises planning and agreement between the auditor and management to minimise impact on daily operations. This might include conducting tests outside of business hours or using isolated copies of data.
Compliance with Best Practices
ISO 27001 is a globally recognised standard for information security management. Adhering to its controls, including those related to audit protection, demonstrates that an organisation is following industry best practices.
While the title specifically mentions “audit testing,” the principles are broadly applicable to any activity involving testing the security of information systems, including internal security assessments, external penetration tests, and technical vulnerability assessments, whether conducted by internal teams or third parties.
Key considerations include:
Defining Scope
Clearly defining the systems, networks, and applications to be tested.
Risk Assessment
Identifying potential risks associated with the testing and developing mitigation strategies.
Authorisation
Obtaining formal authorisation from management and relevant system owners.
Communication
Establishing clear communication channels between testers and system owners/administrators.
Backup and Recovery
Ensuring appropriate backups are in place and recovery procedures are understood.
Test Environment
Ideally, utilising a separate, isolated test environment that mirrors production, if feasible.
ISO 27001 Annex A 8.34 is highly relevant to penetration testing. It mandates that organisations take precautions to protect their systems during the test. This includes ensuring testers have appropriate authorisations, scope is defined, potential impacts are understood, and procedures are in place to address any adverse effects or incidents that may arise from the testing activity.
Typical documentation includes:
Testing Policies and Procedures
Outlining the approach to security testing.
Scope Definition Documents
Detailing what will be tested.
Authorisation Forms/Letters
Formal approval for testing.
Communication Plans
How stakeholders will be informed.
Incident Response Plans (specific to testing)
How to handle unexpected issues during tests.
Test Reports
Documenting the testing activities and results.
Failure to protect systems during audit testing can lead to:
System Downtime or Outages
Unplanned disruptions to services.
Data Corruption or Loss
Damage or loss of critical information.
Security Breaches
Accidental or intentional exploitation of vulnerabilities during testing that could lead to unauthorised access.
Reputational Damage
Loss of trust from customers or stakeholders.
Legal or Regulatory Non-compliance
Penalties for failing to protect sensitive data.
While a separate, non-production environment that mirrors the production system is the ideal scenario for minimising risk, it’s not always feasible or realistic for all testing. If testing must occur in production, more stringent controls, communication, and risk mitigation strategies are required, including scheduling during low-impact periods and having robust rollback plans.
Communication is critical. Before, during, and after testing, clear and timely communication between the testers, system owners, IT operations, and management is essential. This includes notifying relevant personnel of testing schedules, expected impacts, and any incidents that occur, as well as providing post-test reports and remediation plans.
ISO 27002:2022 Control 8.34
ISO 27002:2022 Control 8.34 provides implementation guidance for Protection of Information Systems During Audit Testing.
Related ISO 27001 Controls
ISO 27001 Clause 9.2 Internal Audit
ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments
ISO 27001 Annex A 8.32 Change Management
ISO 27001 Annex A 8.33 Test Information
ISO 27001 Security Testing in Development and Acceptance: Annex A 8.29
Further Reading
Record Of Processing Activities (ROPA) Template
ISO 27001 Data Asset Register Template
ISO 27001 Annex A 8.34 Attributes Table
Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
---|---|---|---|---
Preventive | Confidentiality, Integrity, Availability | Protect | System and Network Security, Information Protection | Governance and Ecosystem, Protection