What is ISO27001 Protection of information systems during audit testing?

ISO27001 Annex A 8.34 Protection of information systems during audit testing is an ISO27001 control that requires audit tests to be planned and agreed in advance so that they do not impact operational systems or business processes.


ISO27001 Annex A 8.34 is a preventive control to minimise the impact of audit and other assurance activities on operational systems and business processes.


The ISO27001 standard defines ISO27001 Annex A 8.34 as:

Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management.

ISO27001:2022 Annex A 8.34 Protection of information systems during audit testing

Implementation Guide

The requirement here comes from a simple premise: when auditors and testers assess information security, they should not break the systems they are assessing.

It shouldn't need saying, but it does.

Some tests, especially technical tests such as vulnerability scanning and penetration testing, can disrupt live systems, corrupt data or cause outages if they are run without planning and agreement.

When implementing the control you want to make sure that agreements are in place, across the board, covering the scope of the audit and the tests that will be run, and that the following are in place.

Appropriate access controls are in place and the normal access control processes are followed for access to the systems being audited. Auditor access should be limited to what the agreed tests need and removed when the engagement ends.

Any device or tool used to access and audit your systems, particularly auditor laptops and scanning tools, meets your information security and technical standards and requirements, such as patching and antivirus levels, before it is granted access.

Tests involving data use read-only access, or a read-only copy of the data, wherever possible. Where that is not possible, an experienced administrator performs the test under the direction and observation of the auditor, so that the auditor does not hold write access to live data.

The running of any tools or technology to facilitate the audit is agreed in advance and the agreement is documented.

Audits and tests are conducted outside peak operating times, such as out of business hours, to limit the impact if something goes wrong.

All audit activity and tests are monitored and logged, so that there is a record of what was done, by whom and when.