Protection of information systems during audits
Ensure audit activities are planned and agreed with management to prevent system disruptions.
Plain language
This control is about making sure that when audits are conducted on your business's IT systems, they don't disrupt operations or expose sensitive information. It's important because unplanned audits can cause system crashes, data breaches, or loss of important information, which can seriously affect the business.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Technological controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
12 Apr 2026
Maturity levels
N/A
Official control statement
Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and management.
Why it matters
Unplanned audit testing on live systems can disrupt critical services, causing outages or data loss and harming business performance and reputation.
Operational notes
Plan and agree audit tests for operational systems in advance with management. Treat each test like a change: define the scope and time window, obtain approvals before access is granted, and monitor the systems under test for disruption while it runs.
Implementation tips
- The IT manager should coordinate with management to ensure audit activities are scheduled at times that won't disrupt operations, like during off-peak hours. This involves creating a calendar of audit events and getting approval from management for the timing.
- Senior management should define clear agreements with those conducting audits about what systems and data they can access. This means specifying who can see what, and putting it all in a written agreement to avoid misunderstandings.
- The security team should ensure that auditors have only read-only access to data wherever possible. They should prepare isolated copies of system files for audits, so the real data remains untouched, and protect these copies with passwords or encryption.
- IT staff need to verify that any devices used for audits, like laptops or tablets, meet security standards. This includes checking that software is up to date and has antivirus protection, to prevent introducing security risks.
- Ensure any special access requested for auditors to run specific tests is tracked and authorised. A checklist can enforce this by requiring each request to go through the proper channels and receive the right approval before access is given.
Audit / evidence tips
- Ask for the audit schedule and the approvals from management. Good evidence shows no unexpected audits disrupting operations.
- Good evidence would show clear limits on what auditors were allowed to view or do.
- Ask for logs of system access during audit periods. Look over these logs to see if only authorised accounts accessed data and no excessive permissions were granted. Good evidence demonstrates restricted and monitored access.
- Good evidence includes specific measures taken to secure every device used for audit purposes.
- Ask for records of any additional processing or tests done by auditors. Review these records to ensure they were authorised and controlled. Good evidence consists of proper documentation and limited tests conducted during audits.
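The log review in the evidence tips above (only authorised accounts, read-only scope, nothing outside the agreed window, no extra permissions granted) can be done mechanically. The following is an added example, not part of the control text or any vendor tool. It assumes the audit plan agreed with management records the window, the auditor accounts, the read-only actions they may perform and the in-scope targets (the isolated copies, not live data), and that the access log is one JSON object per line with ts/user/action/target fields; the plan values, account names, paths and log lines are all constructed for illustration.

```python
"""Evidence check for Annex A 8.34: review access logs for an agreed audit window.

Added example; the plan format, field names and log lines are assumptions,
not taken from the control text.
"""
import json
from datetime import datetime, timezone

# Constructed audit plan, i.e. what tester and management agreed in advance.
AUDIT_PLAN = {
    "window_start": "2026-04-12T22:00:00Z",      # off-peak window, agreed as a change
    "window_end": "2026-04-13T02:00:00Z",
    "auditor_accounts": {"auditor.jane", "auditor.svc"},
    "allowed_actions": {"read", "list", "export_copy"},   # read-only scope only
    "in_scope_targets": {"/data/finance-copy", "/etc/app/config"},  # isolated copies
    "privilege_actions": {"grant_role", "add_to_group", "sudo_grant"},
}

# Constructed sample access log; line 1 is the only clean entry.
SAMPLE_LOG = """
{"ts": "2026-04-12T22:15:00Z", "user": "auditor.jane", "action": "read", "target": "/data/finance-copy"}
{"ts": "2026-04-12T22:40:00Z", "user": "auditor.jane", "action": "write", "target": "/data/finance-copy"}
{"ts": "2026-04-12T23:05:00Z", "user": "auditor.svc", "action": "read", "target": "/data/prod/customers"}
{"ts": "2026-04-12T23:30:00Z", "user": "contractor.bob", "action": "read", "target": "/data/finance-copy"}
{"ts": "2026-04-12T23:45:00Z", "user": "root", "action": "grant_role", "target": "auditor.svc"}
{"ts": "2026-04-13T03:10:00Z", "user": "auditor.jane", "action": "read", "target": "/etc/app/config"}
"""


def _ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_audit_access(log_text, plan):
    """Return a list of findings (line, user, reason); an empty list means the evidence is clean."""
    start, end = _ts(plan["window_start"]), _ts(plan["window_end"])
    auditors = plan["auditor_accounts"]
    findings = []
    lines = [l for l in log_text.splitlines() if l.strip()]
    for n, line in enumerate(lines, start=1):
        ev = json.loads(line)
        ts, user = _ts(ev["ts"]), ev["user"]
        action, target = ev["action"], ev["target"]
        in_window = start <= ts < end

        # Any privilege change aimed at an auditor account counts as "excessive
        # permissions", whoever performed it, so check it before the per-user rules.
        if action in plan["privilege_actions"] and target in auditors:
            findings.append({"line": n, "user": user,
                             "reason": f"privilege change '{action}' granted to auditor account {target}"})
            continue

        if user not in auditors:
            # Non-auditor accounts touching in-scope targets inside the window were not agreed.
            if in_window and target in plan["in_scope_targets"]:
                findings.append({"line": n, "user": user,
                                 "reason": "non-auditor account accessed an in-scope target during the audit window"})
            continue

        # Auditor accounts must stay inside the window, the read-only actions and the scope.
        if not in_window:
            findings.append({"line": n, "user": user,
                             "reason": f"auditor activity at {ev['ts']} outside the agreed window"})
        if action not in plan["allowed_actions"]:
            findings.append({"line": n, "user": user,
                             "reason": f"action '{action}' is outside the read-only scope"})
        if target not in plan["in_scope_targets"]:
            findings.append({"line": n, "user": user,
                             "reason": f"target '{target}' is outside the agreed scope"})
    return findings


if __name__ == "__main__":
    for f in review_audit_access(SAMPLE_LOG, AUDIT_PLAN):
        print(f"line {f['line']:>2}  {f['user']:<16} {f['reason']}")
```

Run against the sample log it reports five findings: an auditor writing to the copy, an auditor reading live data outside scope, a non-auditor account touching the copy during the window, a role grant to an auditor account, and auditor activity after the window closed. An empty result is the "restricted and monitored access" evidence the tip asks for; each finding is something to raise with the tester and the approver of the audit plan.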
Cross-framework mappings
How Annex A 8.34 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-1524 | Annex A 8.34 requires audit tests and other assurance activities involving operational systems to be planned and agreed between testers a... |
| Partially overlaps | ISM-1563 | Annex A 8.34 requires audit tests and other assurance activities involving operational systems to be planned and agreed with management |
| Partially overlaps | ISM-1967 | Annex A 8.34 requires audit tests and assurance activities involving operational systems to be planned and agreed with management |
| Supports | ISM-1564 | ISM-1564 requires the system owner to produce a plan of action and milestones (POA&M) at the conclusion of a security assessment to remed... |
| Supports | ISM-1636 | ISM-1636 requires system owners, in consultation with the authorising officer, to ensure each system and its operating environment underg... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.