ISO 27001:2022 A 8.34 Protection of information systems during audit testing

Audit tests play a critical role in detecting and eliminating security risks and vulnerabilities in the information systems. However, the audit process, whether performed in operational, testing, or development environments, can expose sensitive information to the risks of unauthorized disclosure, or loss of integrity and availability. It is important to ensure that all IT controls and information security audits are planned events, rather than reactive ‘on-the-spot’ challenges. Audit requirements and activities involving verification of operational systems need to be carefully planned and agreed on to minimize disruptions to the business processes. Whenever carrying out tests and audit activities (e.g. vulnerability scans, penetration tests etc) on operational systems, consideration needs to be given to ensure that operations are not negatively impacted. Additionally, the scope and depth of testing must be defined. Any such auditing or testing of operational systems must be through a formal and appropriately authorized process.It is highly important that audit standards for access to systems and data should be negotiated with appropriate management. A technical Audit team must updated and control the information if there is any changes to the technical networks.


Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management.


To minimize the impact of audit and other assurance activities on operational systems and business processes.

ISO 27002 Implementation Guidance

The following guidelines should be observed:

  1. agreeing audit requests for access to systems and data with appropriate management;
  2. agreeing and controlling the scope of technical audit tests;
  3. limiting audit tests to read-only access to software and data. If read-only access is not available to obtain the necessary information, executing the test by an experienced administrator who has the necessary access rights on behalf of the auditor;
  4. if access is granted, establishing and verifying the security requirements (e.g. antivirus and patching) of the devices used for accessing the systems (e.g. laptops or tablets) before allowing the access;
  5. only allowing access other than read-only for isolated copies of system files, deleting them when the audit is completed, or giving them appropriate protection if there is an obligation to keep such files under audit documentation requirements;
  6. identifying and agreeing on requests for special or additional processing, such as running audit tools;
  7. running audit tests that can affect system availability outside business hours;
  8. monitoring and logging all access for audit and test purposes.

Other information

Audit tests and other assurance activities can also happen on development and test systems, where such tests can impact for example the integrity of code or lead to disclosure of any sensitive information held in such environments.

Most organization undergo a series of security audits each year ranging from financial IT controls reviews to targeted assessments of critical systems.A security audit is a systematic evaluation of the security of a company’s information system by measuring how well it conforms to an established set of criteria. Steps involved in a security audit. These five steps are generally part of a security audit:

  • Agree on goals. Include all stakeholders in discussions of what should be achieved with the audit.
  • Define the scope of the audit. List all assets to be audited, including computer equipment, internal documentation and processed data.
  • Conduct the audit and identify threats. List potential threats related to each Threats can include the loss of data, equipment or records through natural disasters, malware or unauthorized users.
  • Evaluate security and risks. Assess the risk of each of the identified threats happening, and how well the organization can defend against them.
  • Determine the needed controls. Identify what security measures must be implemented or improved to minimize risks.

A thorough audit typically assesses the security of the system’s physical configuration and environment, software, information handling processes and user practices. Auditors should take privacy regulations and risks into account when planning, performing, and reporting assurance and consulting assignments. Due to the increasing risk of reputation damage and litigation, Auditor/ System tester has to take a significant spectrum of privacy issues and ramifications into account when managing the audit function. Key areas of concern are the staff management process; audit planning; collecting, handling, and storing information when performing and reporting audit results; and potential data leaks. When hiring auditors, there is even a greater need for due diligence to ensure that newly hired auditors act in accordance with relevant laws and policies when using personal information during assurance or consulting engagements. Internal auditors must understand that it may be inappropriate, and in some cases illegal, to access, retrieve, review, manipulate, or use personal information when conducting internal audit engagements. Audit trails maintain a record of system activity both by system and application processes and by user activity of systems and applications. In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, performance problems, and flaws in applications. The auditor can obtain valuable information about activity on a computer system from the audit trail. Audit trails improve the auditability of the computer system. Organizations must maintain a complete and accurate audit trail for network devices, servers and applications. This enables organizations to address how businesses identify root causes of issues that might introduce inaccuracy in reporting. Also, problem management system must provide for adequate audit trail facilities that allow tracing from incident to underlying cause. IT security administration must monitor and log security activity, and identify security violations to report to senior management. This control directly addresses the control for audit controls over information systems and networks. To fulfil this control objective, administrators must ensure all network devices, servers, and applications are properly configured to log to a centralized server. Administrators must also periodically review logging status to ensure that these devices, servers and applications are logging correctly. Finally, internal auditors should consider related privacy regulations, regulatory requirements, and legal considerations when reporting information outside the organization.

  1. What privacy laws and regulations impact the Audit /testing?
  2. What type of personal information does the Audit collect?
  3. Does it has privacy polices and procedures with respect to collection, use, retention, destruction, and disclosure of personal information?
  4. Does the auditing process have responsibility and accountability assigned for managing a privacy program?
  5. How is personal information protected?
  6. Is any personal information collected during the audit disclosed to third parties?
  7. Are auditor properly trained in handling privacy issues and concerns?
  8. Does the organization have adequate resources to develop, implement, and maintain an effective privacy program?
  9. Does the organization complete a periodic assessment to ensure that privacy policies and procedures are being

Audits that include testing activities can prove disruptive to users if any unforeseen outages occur as a result of testing or assessments. Through working with leadership, it should be possible to determine when audits will occur and obtain relevant information in advance about the specific IT controls that will be examined or tested. Develop an ‘audit plan’ for each audit that provides information relevant to each system and area to be assessed. These audit plans should take into consideration:

  • Asset Inventory with contact information for system administrators/owners;
  • Requirements for testing/maintenance windows;
  • Information about backups (if applicable) in case systems later need to be restored due to unplanned outages;
  • Checklists or other materials provided in advance by auditors, etc.

If applicable, work with IT and other departments to provide audit preparation services to ensure that everyone understands their roles in the audit and how to respond to auditors’ questions, issues, and concerns. Protecting sensitive information during audits is critical, and documents provided to auditors should be recovered if possible, shortly before audits are completed. Any and all audit activity, to assess an operational system, should always be managed to minimize any impact on the system during required hours of operation. Any testing of operating systems that could pose an adverse effect on the system should be conducted during off-hours. Organisations should consider:

  • Appropriate management and the auditor should agree on access to systems and information assets.
  • Agreement on the scope of technical audit tests to be performed.
  • Organisations can only provide read-only access to information and software. If it is not possible to use the read-only technique, an administrator with necessary access rights can gain access to systems or data on behalf of the auditor.
  • If an access request is authorized, organisations should first verify that devices used to access systems meet the security requirements before they provide access.
  • Access should only be provided for isolated copies of files extracted from the system. These copies should be permanently deleted once the audit is complete unless there is an obligation to retain those files. If read-only access is possible, this control does not apply.
  • Requests by auditors to perform special processing such as deploying audit tools should be agreed upon by the management.
  • If an audit runs the risk of impacting system availability, the audit should be carried out outside of business hours to maintain the availability of information.
  • Access requests made for audits should be logged for the audit trail.

When audits are performed on testing or development environments, organisations should be cautious against the following risks:

  • Compromise of the integrity of code.
  • Loss of confidentiality of sensitive information.

Leave a Reply