The basics
ISO 27001 control A.8.34 Protection of information systems during audit testing requires companies to agree with the auditor on which audit methods and IT audit tools are allowed. This matters because the audit must not affect the performance or security of operational IT systems.
Documentation
ISO 27001 control A.8.34 Protection of information systems during audit testing can be documented:
- for smaller and mid-sized companies by writing an Internal audit procedure
- for larger companies by writing a Procedure for Protection of Information Systems During Audit Testing.
This procedure is not a mandatory document but is recommended for all companies.
Implementation
In order to comply with control A.8.34 Protection of information systems during audit testing you might implement the following:
- Technology — the technology needed to protect information systems during audit testing will, in most cases, already be available in the company. Companies of all sizes will probably be able to protect information systems during audit testing by using the same access control, backup, and monitoring tools they use in daily operations to limit the impact of an audit on information systems.
- Organization/processes — you should set up a process for defining which tools may be used according to the defined audit scope, and how to protect the data and systems being audited. You can document those processes in an Internal Audit Procedure or a Procedure for Protection of Information Systems During Audit Testing.
- People — make employees aware of why data and information systems need to be protected during audit activities, and train internal auditors on how to plan and perform audits on information systems in a secure manner.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.34 Protection of information systems during audit testing: whether audit tests and other assurance activities involving the assessment of operational systems are planned and agreed upon between the testers and management.