ISO 27001 Annex A 8.34 – Protection of Information Systems During Audit Testing


ISO 27001 Protection of information systems during audit testing

In this ultimate guide to ISO 27001 Annex A 8.34 Protection of information systems during audit testing you will learn

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Annex A 8.34?

ISO 27001 Annex A 8.34 Protection of information systems during audit testing is an ISO 27001 Annex A control that requires organisations to plan and agree audit tests in advance so that they do not disrupt operational systems or business processes.

Purpose

This is a preventive control to minimise the impact of audit and other assurance activities on operational systems and business processes.

Definition

ISO 27001 defines ISO 27001 Annex A 8.34 as:

Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management.

ISO 27001:2022 Annex A 8.34 Protection of information systems during audit testing

Ownership

The Information Security Officer in collaboration with the IT management team is responsible for developing, approving, and implementing appropriate audit procedures.


Implementation Guide

The requirement comes from a simple premise: when auditors and testers assess your information security, they must not break the systems they are assessing.

It shouldn’t need saying, but it does.

Some tests, especially technical ones such as vulnerability scans and penetration tests, can cause real harm: crashed services, corrupted data and outages on production systems.

When implementing you want to make sure that:

  • Agreements are in place with every affected party covering the scope of the audit and the specific tests that will be run.
  • The systems being audited are accessed through your normal access control processes, with appropriate access controls in place, rather than through ad hoc accounts.
  • Any device or tool used to access or audit your systems meets your information security and technical standards, such as patch and antivirus levels, before it is granted access.
  • Tests involving data use read-only copies of the data where possible; where live data must be used, an experienced administrator performs the test under the direction and observation of the auditor.
  • The tools or technology the auditor will run are agreed in advance and that agreement is documented.
  • Audits and tests are conducted outside peak operating times, for example out of business hours.
  • All audit and test activity is monitored and logged.
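The last three bullets (agreed tools, an out-of-hours window, and monitoring and logging) can be enforced rather than just written down. The following is an added example, not code from this page or from the ISO 27001 Toolkit. It assumes a Linux host where the auditor logs in with login UID 1500 and an auditd rule of the form `-a always,exit -F arch=b64 -S all -F auid=1500 -k auditor` records every syscall in that session; the log lines, the engagement window, the tool list and the `Engagement` type are all constructed for illustration. The script parses the SYSCALL records and reports auditor activity that falls outside the agreed window, changes the filesystem during a read-only engagement, or uses a tool that was not agreed.

```python
"""Check an auditor's logged activity against the agreed engagement terms.

Assumed setup (not from the page): the auditor's login UID is 1500 and an
auditd rule tags every syscall from that session with key "auditor":
    -a always,exit -F arch=b64 -S all -F auid=1500 -k auditor
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records in auditd SYSCALL format, trimmed to the fields used here.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1717455600.101:4501): arch=c000003e syscall=257 success=yes exit=3 auid=1500 uid=1500 exe="/usr/bin/cat" key="auditor"
type=SYSCALL msg=audit(1717455660.202:4502): arch=c000003e syscall=87 success=yes exit=0 auid=1500 uid=1500 exe="/usr/bin/rm" key="auditor"
type=SYSCALL msg=audit(1717448400.303:4503): arch=c000003e syscall=257 success=yes exit=3 auid=1500 uid=1500 exe="/usr/bin/cat" key="auditor"
type=SYSCALL msg=audit(1717455720.404:4504): arch=c000003e syscall=87 success=yes exit=0 auid=1000 uid=0 exe="/usr/bin/rm" key="admin"
type=SYSCALL msg=audit(1717455780.505:4505): arch=c000003e syscall=59 success=yes exit=0 auid=1500 uid=1500 exe="/usr/bin/nmap" key="auditor"
"""

# x86_64 syscall numbers that change filesystem names or metadata. Plain write(2)
# is deliberately excluded: it fires for every byte an allowed tool prints to the terminal.
FILESYSTEM_CHANGE_SYSCALLS = {
    82: "rename", 83: "mkdir", 84: "rmdir", 86: "link", 87: "unlink",
    90: "chmod", 92: "chown", 263: "unlinkat", 264: "renameat",
}

MSG_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Engagement:
    """Terms agreed between tester and management before any access is granted."""
    auditor_auid: int
    window_start: datetime        # timezone-aware
    window_end: datetime          # timezone-aware, exclusive
    read_only: bool
    agreed_tools: frozenset       # absolute paths the auditor may execute


# Hypothetical engagement: out-of-hours window, read-only, three agreed tools.
AGREED_ENGAGEMENT = Engagement(
    auditor_auid=1500,
    window_start=datetime(2024, 6, 3, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 6, 4, 4, 0, tzinfo=timezone.utc),
    read_only=True,
    agreed_tools=frozenset({"/usr/bin/cat", "/usr/bin/less", "/usr/bin/grep"}),
)


def parse_record(line):
    """Split one audit record into a dict; adds 'ts' (epoch seconds) and 'serial'."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["ts"] = int(m.group(1))
    rec["serial"] = int(m.group(2))
    return rec


def find_violations(log_text, eng):
    """Return (serial, reason) pairs for auditor events that breach the engagement."""
    start = int(eng.window_start.timestamp())
    end = int(eng.window_end.timestamp())
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("type") != "SYSCALL":
            continue
        if int(rec.get("auid", -1)) != eng.auditor_auid:
            continue  # another user's session; not this check's concern
        syscall = int(rec.get("syscall", -1))
        exe = rec.get("exe", "")
        if not start <= rec["ts"] < end:
            findings.append((rec["serial"], "activity outside the agreed test window"))
        if eng.read_only and syscall in FILESYSTEM_CHANGE_SYSCALLS:
            findings.append((rec["serial"],
                             f"{FILESYSTEM_CHANGE_SYSCALLS[syscall]}(2) in a read-only engagement"))
        if exe not in eng.agreed_tools:
            findings.append((rec["serial"], f"tool not on the agreed list: {exe}"))
    return findings


if __name__ == "__main__":
    for serial, reason in find_violations(SAMPLE_AUDIT_LOG, AGREED_ENGAGEMENT):
        print(f"event {serial}: {reason}")
```

On the sample data this reports event 4502 twice (an unlink during a read-only engagement, run from a tool that was not agreed), event 4503 for activity before the agreed window, and event 4505 for an unagreed tool; the administrator's own unlink in event 4504 is ignored because it is not the auditor's session. In a real deployment you would feed it `ausearch -k auditor --raw` output. Note the deliberate gap: a file opened for writing via openat(2) is not flagged, because that needs the open flags in the a0 to a2 fields; a watch rule with `-F perm=wa` on the in-scope paths is the simpler way to catch that.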

Implementation Checklist


Risk Management

Challenge:

Identifying and mitigating all potential risks, especially within complex IT environments, presents a significant challenge.

Solution:

  • Comprehensive Risk Assessments: Conduct thorough risk assessments tailored to the specific audit context.
  • Enhanced Access Controls: Implement strict access controls for audit-related activities. Ensure that access is granted only to authorised personnel on a “need-to-know” basis.
  • Continuous Monitoring: Deploy and maintain robust monitoring systems that provide real-time alerts for any unusual activity or anomalies.

System Integrity

Challenge:

Maintaining system integrity during audits poses significant challenges. Audit procedures often require interaction with live systems, increasing the risk of inadvertent disruptions or instability.

Solution:

  • Establish Clear Guidelines: Develop and enforce strict guidelines for auditors, outlining permissible actions and limitations to minimise the risk of unintended system modifications.
  • Utilise Controlled Environments: Conduct audits within controlled environments or on system replicas whenever feasible.
  • Implement Continuous Monitoring: Continuously monitor systems during audits to detect any unauthorised changes. Ensure that any necessary changes are reversible and properly documented with appropriate approvals.

Data Protection and Confidentiality

Challenge:

Safeguarding sensitive data during audits is crucial, especially when dealing with personal information, intellectual property, or other confidential material.

Solution:

  • Implement Data Encryption: Encrypt sensitive data at rest and in transit, including any copies or extracts provided to auditors.
  • Restrict Data Access: Utilise role-based access controls to limit data access to authorised auditors.
  • Conduct Training: Regularly train internal staff and external auditors on confidentiality and data protection protocols.
  • Maintain Audit Logs: Maintain detailed logs of data access activities, ensuring a comprehensive audit trail.

Audit Preparation and Planning

Challenge:

Preparing for and executing an audit effectively requires meticulous planning and coordination across the organisation, especially in complex environments.

Solution:

  • Develop a comprehensive audit plan: Create a detailed plan that includes risk assessments, system readiness checks, and inter-team coordination.
  • Schedule audits strategically: Conduct audits during periods of low system activity to minimise potential disruption.
  • Prepare for contingencies: Ensure the availability of backup systems and robust recovery plans to maintain business continuity during the audit.
  • Foster inter-team collaboration: Ensure all relevant teams are prepared and coordinated.

Monitoring and Response

Challenge:

Continuous monitoring during audits is crucial for timely incident detection and response. This can be difficult due to limited resources, extensive audit scope, and the need to minimise false alarms.

Solution:

  • Advanced Monitoring Tools: Utilise tools for real-time system activity tracking and immediate alerts on suspicious behaviour.
  • Automated Alerts: Configure automated alerts for potential risks and breaches to enable rapid response.
  • Prepared Incident Response Team: Ensure the incident response team is trained and ready to effectively handle security incidents.
  • Post-Audit Reviews: Analyse the effectiveness of monitoring and response protocols and identify areas for improvement.

Audit Checklist


Risk Management

  • Check that a thorough risk assessment tailored to the specific audit context has been performed and that it identified and addressed potential vulnerabilities and threats.
  • Review access controls as they apply to audit-related activities and ensure that access is granted only to authorised personnel on a “need-to-know” basis.
  • Walk through the monitoring systems and gain evidence that they provide real-time alerts for unusual activity or anomalies.

System Integrity

  • Check that guidelines for auditors exist and that they set out permissible actions and limitations to minimise the risk of unintended system modifications.
  • Check whether audits are conducted in controlled environments or on system replicas wherever feasible.
  • Check that systems are continuously monitored during audits for unauthorised changes, and that any necessary changes are reversible and documented with appropriate approvals.

Data Protection and Confidentiality

  • Review data encryption and confirm that all sensitive data accessed during audits is encrypted.
  • Check role-based access controls and confirm that they limit data access to authorised auditors.
  • Assess whether internal staff and external auditors are regularly trained on confidentiality and data protection protocols.
  • Review audit logs and confirm that data access activities are recorded in enough detail to give a comprehensive audit trail.

Audit Preparation and Planning

  • Check the audit plan and whether it includes risk assessments, system readiness checks, and inter-team coordination.
  • Review audit schedules and whether audits are conducted during periods of low system activity.
  • Check contingency arrangements, including the availability of backup systems and robust recovery plans to maintain business continuity during the audit.
  • Assess inter-team collaboration and whether all relevant teams are prepared and coordinated.

Monitoring and Response

  • Review the use of advanced monitoring tools for real-time system activity tracking and immediate alerts on suspicious behaviour.
  • Walk through the automated alerts and check that they are configured to fire on potential risks and breaches.
  • Assess whether the incident response team has been prepared and is trained and ready to handle security incidents effectively.
  • Analyse the effectiveness of monitoring and response protocols.

How to comply

To comply with ISO 27001 Annex A 8.34 you are going to implement the ‘how’ to the ‘what’ the control is expecting.

Joint Planning

The plan will be a collaborative plan between the auditor and management that sets out clearly what the scope and nature of the audit tests will be and how they will be conducted. This should be documented, signed and approved.

Access Management

Access, and how it will be managed, is agreed ahead of time and covers the specific systems and data that are to be assessed.

Access is limited to what the audit needs, and read-only access is provided where possible to minimise the risk of unauthorised or accidental changes to systems and data.

Administrative rights should not be granted to the auditor. Where an administrative action is required, an actual administrator performs it under the auditor’s direction and observation.

Auditor Device Security Check

Before the auditor is allowed any access, their device is checked thoroughly against the security requirements of the organisation, for example patch level, antivirus and the absence of unauthorised software. If it does not meet them, access is not granted.

Limit Access To Live Data

Where possible and practical the auditor should be provided copies of data and systems, not actual live data and systems.

What the auditor will check

The auditor will check the information security requirements of the Information Security Management System (ISMS) and the Annex A Controls that you have recorded as in scope. They will check these against the in-scope environment.

The auditor will check based on the defined scope that you have agreed and should not venture outside that scope.

Ironically, for this control the certification auditor is in effect auditing their own audit engagement, which cuts across the Segregation of Duties requirement covered in ISO 27001 Annex A 5.3 Segregation of duties. Don’t worry though: they are highly unlikely to raise this as a finding.

Top 3 Mistakes People Make

Inadequate Device Security Checks for Auditors

Issue: You allowed the auditor access to your systems without conducting proper security checks on their devices.
Explanation: Before an auditor or tester gains access to your systems, a thorough security check on their devices is crucial. This may include checks for malware, unauthorised software, and adherence to your organisation’s security policies.
Consequence: Neglecting this step can bring malware or unmanaged software into your environment via the auditor’s device, and a compromised device can be used as a foothold into the systems it is allowed to reach.

Lack of Defined and Agreed-Upon Scope

Issue: You did not formally agree and document the scope of the audit or test.
Explanation: Allowing audits or tests based on vague terms like “best practice” creates ambiguity and potential for disagreement later.
Recommendation: Establish a clear and concise scope of work, outlining the specific objectives, methodologies, and deliverables. This scope should be formally documented and signed by all parties involved.

Uncontrolled Granting of Administrative Access

Issue: You granted the auditor administrative access to your systems without proper authorisation and controls.
Explanation: Granting administrative access should never be done without a rigorous approval process and adherence to established access control procedures.
Recommendation: If administrative access is absolutely necessary, follow all established procedures, document the request and approval process thoroughly, and ensure all access controls are strictly enforced.

ISO 27001 Templates

Implementing ISO 27001 can be a significant undertaking and incur significant ISO 27001 costs. To streamline the process and potentially save valuable time and resources, consider utilising pre-written ISO 27001 templates. This ISO 27001 Toolkit offers a comprehensive set of resources specifically designed for those seeking to achieve ISO 27001 certification independently. With this toolkit, you can potentially build your Information Security Management System (ISMS) within a week and be ready for certification within 30 days.

ISO 27002:2022 Control 8.34

ISO 27002:2022 Control 8.34 provides implementation guidance for Protection of Information Systems During Audit Testing

ISO 27001 Annex A 8.34 Attributes Table

Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Protect
Operational capabilities: System and Network Security, Information Protection
Security domains: Governance and Ecosystem, Protection
