ISO 27001 Annex A 8.34 Protection of information systems during audit testing


What is ISO 27001 Protection of information systems during audit testing?

ISO 27001 Annex A 8.34 Protection of information systems during audit testing is an ISO 27001 control that requires audit tests and other assurance activities touching operational systems to be planned and agreed between the tester and appropriate management, so that they do not disrupt operational systems or business processes.

Purpose

ISO 27001 Annex A 8.34 is a preventive control to minimise the impact of audit and other assurance activities on operational systems and business processes.

Definition

The ISO 27001 standard defines ISO 27001 Annex A 8.34 as:

Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management.

ISO27001:2022 Annex A 8.34 Protection of information systems during audit testing

Implementation Guide

The requirement comes from a simple premise: when auditors and testers assess operational systems for information security, they must not break them.

It should not need saying, but it does.

Some of the tests, especially technical tests run against live systems, can disrupt services or damage data if they are not planned and controlled.

When implementing the control, make sure that:

Agreements are in place, across the board, that cover the audit and the specific tests to be carried out.

Appropriate access controls are in place and the normal access control processes are followed to reach whatever is being audited.

Anything used to access or audit systems, specifically the auditor's or tester's technology, meets your information security and technical standards, such as patching and antivirus levels, before it is given access.

Tests involving data use read-only copies of the data where possible; where that is not possible, experienced administrators perform the test under the direction and observation of the auditor.

The running of any tools or technology used to facilitate the audit is agreed and documented as agreed.

Audits and tests are conducted outside peak operating times, such as out of business hours.

All audit and test activity is monitored and logged.

ISO 27001 Templates

ISO 27001 templates are a massive boost that can save time and money, so alongside the implementation guide it is worth considering pre-written templates that will accelerate your implementation. The ISO 27001 Toolkit has been designed so you can DIY your ISO 27001 certification, build your ISMS in a week and be ISO 27001 certification ready in 30 days.


How to comply

To comply with ISO 27001 Annex A 8.34 you implement the 'how' behind the 'what' the control expects.

Joint Planning

The plan is produced jointly by the auditor and management and sets out clearly the scope and nature of the audit tests and how they will be conducted. It should be documented, signed and approved.

Access Management

Access is agreed ahead of time and the agreement covers the specific systems and data that are to be assessed.

Access will be limited and where possible read only access will be provided to minimise risks of unauthorised or accidental changes to systems and data.

Administrative rights should not be granted to the auditor. Where a privileged action is required, an existing administrator should perform it under the auditor's direction and observation.

Auditor Device Security Check

Before the auditor is allowed any access, their device is checked to ensure it meets the security requirements of the organisation, such as patch and antivirus levels. If it does not, access is not granted.

Limit Access To Live Data

Where possible and practical the auditor should be provided copies of data and systems, not actual live data and systems.
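The planning, access and timing steps above can be enforced mechanically before a tester touches anything. The following Python is an added example, not code from the page or from any ISO 27001 toolkit: it gates each proposed test against a hypothetical signed rules of engagement record (agreed scope, agreed test types, agreed out-of-hours window, read-only access) and writes a log line for every decision, allowed or denied. The engagement identifier, addresses, signatories and times are constructed sample data.

```python
"""Gate proposed audit/assurance tests against an agreed rules of engagement.

Added example (not from the page): each check maps to one 8.34 expectation:
signed agreement, agreed scope, agreed test types, agreed out-of-hours window,
read-only access, and logging of every decision. All names, addresses and
times are hypothetical sample data.
"""
import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class RulesOfEngagement:
    engagement_id: str
    in_scope: list[str]                  # agreed CIDRs or single addresses
    allowed_tests: frozenset[str]        # agreed test types, e.g. "port_scan"
    window_start: time                   # agreed testing window (local time)
    window_end: time                     # may cross midnight, e.g. 20:00-06:00
    read_only: bool = True               # tester gets no write/admin actions
    signed_by: tuple[str, str] = ("", "")   # (tester, management) signatures

    def networks(self) -> list:
        return [ipaddress.ip_network(c, strict=False) for c in self.in_scope]

    def is_signed(self) -> bool:
        return all(self.signed_by)

    def in_window(self, when: datetime) -> bool:
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        return t >= self.window_start or t <= self.window_end   # crosses midnight


def target_in_scope(roe: RulesOfEngagement, target: str) -> bool:
    """A target (single IP or CIDR) is in scope only if it lies wholly inside
    one agreed network; a range that spills outside the agreement is rejected."""
    try:
        tgt = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False   # hostnames are not accepted: scope is agreed as addresses
    return any(tgt.version == net.version and tgt.subnet_of(net)
               for net in roe.networks())


def check_test(roe, target, test_type, when, requires_write=False):
    """Return (allowed, reasons). Deny by default: any unmet condition blocks."""
    reasons = []
    if not roe.is_signed():
        reasons.append("rules of engagement not signed by both tester and management")
    if not target_in_scope(roe, target):
        reasons.append(f"target {target} is outside the agreed scope")
    if test_type not in roe.allowed_tests:
        reasons.append(f"test type {test_type!r} was not agreed")
    if not roe.in_window(when):
        reasons.append(f"{when:%H:%M} is outside the agreed testing window")
    if requires_write and roe.read_only:
        reasons.append("test needs write/admin access but the engagement is read-only")
    return (not reasons, reasons)


def log_decision(log, roe, target, test_type, when, allowed, reasons) -> str:
    """Append one JSON line per decision so every test, allowed or not, is logged."""
    line = json.dumps({
        "engagement": roe.engagement_id, "time": when.isoformat(),
        "target": target, "test": test_type,
        "decision": "allow" if allowed else "deny", "reasons": reasons,
    }, sort_keys=True)
    log.append(line)
    return line


def demo():
    """Run a constructed test plan through the gate.
    Returns ({label: (allowed, reasons)}, log_lines)."""
    roe = RulesOfEngagement(
        engagement_id="AUD-2024-EXAMPLE",                 # hypothetical
        in_scope=["10.0.1.0/24", "192.0.2.10"],           # sample agreed scope
        allowed_tests=frozenset({"port_scan", "config_review"}),
        window_start=time(20, 0), window_end=time(6, 0),  # out of hours, crosses midnight
        signed_by=("tester@example.net", "ciso@example.net"),
    )
    night = datetime(2024, 3, 2, 22, 30)
    day = datetime(2024, 3, 2, 10, 0)
    plan = [   # (label, target, test type, when, requires_write)
        ("in_scope_scan", "10.0.1.5", "port_scan", night, False),
        ("subnet_inside_scope", "10.0.1.0/25", "port_scan", night, False),
        ("out_of_scope_host", "10.0.2.5", "port_scan", night, False),
        ("range_spills_outside", "10.0.0.0/16", "port_scan", night, False),
        ("unagreed_test", "10.0.1.5", "exploit", night, False),
        ("business_hours", "10.0.1.5", "config_review", day, False),
        ("needs_admin", "192.0.2.10", "config_review", night, True),
    ]
    log, results = [], {}
    for label, target, test_type, when, write in plan:
        allowed, reasons = check_test(roe, target, test_type, when, write)
        log_decision(log, roe, target, test_type, when, allowed, reasons)
        results[label] = (allowed, reasons)
    return results, log


if __name__ == "__main__":
    results, log = demo()
    for label, (allowed, reasons) in results.items():
        decision = "ALLOW" if allowed else "DENY"
        print(f"{label:22s} {decision:5s} {'; '.join(reasons)}")
```

The gate is deny-by-default: a single unmet condition blocks the test and every reason is recorded, so the log doubles as evidence that the agreed scope, window and access level were enforced rather than merely written down.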

What the auditor will check

The auditor will check the information security requirements of the Information Security Management System (ISMS) and the Annex A Controls that you have recorded as in scope. They will check these against the in-scope environment.

The auditor will check based on the defined scope that you have agreed and should not venture outside that scope.

Ironically, for this control the auditor is in effect auditing their own audit engagement, which cuts across the segregation of duties requirements covered in ISO 27001 Annex A Control 5.3 Segregation of duties. Don't worry though, they are highly unlikely to raise it as an issue.

Top 3 Mistakes People Make

1. You let the auditor in but didn’t check their devices

This comes down to wanting a smooth process and not ruffling feathers, but before the auditor or tester gains access to your systems you need to carry out a security check of their device. The biggest mistake we see is that you didn't.

2. You didn’t agree and sign off the scope of the test

Letting people audit and test against 'best practice' is too loose a definition. You need to agree exactly what will be tested and exactly which tests will be carried out, and this needs formalising in a written agreement that is signed by all parties.

3. You gave them admin access

If they ask for admin access they are probably testing you, and the answer should be no. If, and this is a big if, they genuinely need it, follow all your normal approval and access control processes and be diligent with your documentation and evidence. Never just grant it.

Get the Help of the ISO 27001 Ninja

Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster than you ever thought possible.


Controls and Attribute Values

Control type: Preventive

Information security properties: Confidentiality, Integrity, Availability

Cybersecurity concepts: Protect

Operational capabilities: System and Network Security, Information Protection

Security domains: Governance and Ecosystem, Protection

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.12 Classification of information

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of Cryptography

ISO 27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing