ISO 27001 Annex A 8.34 Protection of information systems during audit testing


What is ISO 27001 Protection of information systems during audit testing?

ISO 27001 Annex A 8.34 Protection of information systems during audit testing is an ISO 27001 control that requires us to plan and agree audit tests and to not impact operational systems or business processes.

Purpose

ISO 27001 Annex A 8.34 is a preventive control to minimise the impact of audit and other assurance activities on operational systems and business processes.

Definition

The ISO 27001 standard defines ISO 27001 Annex A 8.34 as:

Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management.

ISO 27001:2022 Annex A 8.34 Protection of information systems during audit testing

Implementation Guide

The requirement here really comes from the premise that when auditors and testers do stuff for information security, don’t fk stuff up.

It shouldn’t need saying really but it does.

Some of the tests, especially the technical tests, can be dangerous and cause a lot of harm and damage.

When implementing, you want to make sure that agreements are in place, across the board, that approve both the audit and the specific tests.

Appropriate access controls should be in place, and the normal access control processes should be followed to gain access to the thing being audited.

Anything that is accessing and auditing, specifically technology, should meet your information security and technical standards and requirements, such as patching and antivirus levels, before it gets access.

Tests involving data should only test read-only versions of the data where possible. Where that is not possible, experienced administrators should perform the test under the direction and observation of the auditor.

The running of any tools or technology to facilitate the audit should be agreed in advance and that agreement documented.

Audits and tests should be conducted outside peak operating times, such as out of business hours.

All audits and tests should be monitored and logged.

ISO 27001 Templates

ISO 27001 templates have the advantage of being a massive boost that can save time and money, so alongside the implementation guide we consider these pre-written templates that will skyrocket your implementation. This ISO 27001 Toolkit has been specifically designed so you can DIY your ISO 27001 certification, build your ISMS in a week and be ISO 27001 certification ready in 30 days.


How to comply

To comply with ISO 27001 Annex A 8.34 you are going to implement the ‘how’ to the ‘what’ the control is expecting.

Joint Planning

The plan will be a collaborative plan between the auditor and management that sets out clearly what the scope and nature of the audit tests will be and how they will be conducted. This should be documented, signed and approved.

Access Management

Access management, and the access itself, will be agreed ahead of time and will cover the specific systems and data that are to be assessed.

Access will be limited and where possible read only access will be provided to minimise risks of unauthorised or accidental changes to systems and data.

Administrative rights should not be granted; where they are required, the auditor should observe an actual administrator performing the task under their direction.

Auditor Device Security Check

Before the auditor is allowed any access, their device will be tested thoroughly to ensure it meets the security requirements of the organisation. If it does not, access will not be granted.

Limit Access To Live Data

Where possible and practical the auditor should be provided copies of data and systems, not actual live data and systems.

What the auditor will check

The auditor will check the information security requirements of the Information Security Management System (ISMS) and the Annex A Controls that you have recorded as in scope. They will check these against the in-scope environment.

The auditor will check based on the defined scope that you have agreed and should not venture outside that scope.

Ironically for this control the auditor will in effect audit their own audit engagement and break the Segregation of Duty requirements covered in ISO 27001 Annex A Control 5.3 Segregation of duties. Don’t worry though, they are highly unlikely to highlight this as an issue.

Top 3 Mistakes People Make

1. You let the auditor in but didn’t check their devices

This comes down to having a smooth process and not ruffling feathers, but technically, before the auditor or tester gains access to your systems, you need to do a security check. The biggest mistake we see is that you didn’t.

2. You didn’t agree and sign off the scope of the test

Letting people audit and test against ‘best practice’ is too loose a definition. You need to agree exactly what will be tested and exactly what tests will be carried out, and this needs formalising in a written agreement that is signed by all parties.

3. You gave them admin access

If they ask for admin access, they are probably testing you and the answer should be no. IF, and this is a big IF, they need it then follow all your normal approval processes and access control processes being diligent on your documentation and evidence. Never, ever, just grant it.

Controls and Attribute Values

Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Protect
Operational capabilities: System and Network Security, Information Protection
Security domains: Governance and Ecosystem, Protection