Annex A 8.34 ISO/IEC 27001:2022

Protection of information systems during audits

Ensure audit activities are planned and agreed with management to prevent system disruptions.

🏛️ Framework: ISO/IEC 27001:2022
🧭 Control effect: Preventative
🧱 ISO 27001 domain: Organisational controls
🔐 Classifications: N/A
🗓️ Official last update: 24 Oct 2022
✏️ Control Stack last updated: 19 Mar 2026
🎯 Maturity levels: N/A

Official control statement

Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and management.

Source: ISO/IEC 27001:2022

Plain language

This control is about making sure that when audits are conducted on your business's IT systems, they don't disrupt operations or expose sensitive information. It's important because unplanned audits can cause system crashes, data breaches, or loss of important information, which can seriously affect the business.

Why it matters

Unplanned audit testing on live systems can disrupt critical services, causing outages or data loss and harming business performance and reputation.

Operational notes

Plan and agree audit tests on operational systems in advance with management: schedule each test like a change, define its scope and time window, obtain approvals, and monitor the systems for disruption while it runs.

Implementation tips

  • The IT manager should coordinate with management to ensure audit activities are scheduled at times that won't disrupt operations, like during off-peak hours. This involves creating a calendar of audit events and getting approval from management for the timing.
  • Senior management should define clear agreements with those conducting audits about what systems and data they can access. This means specifying who can see what, and putting it all in a written agreement to avoid misunderstandings.
  • The security team should ensure that auditors have only read-only access to data wherever possible. They should prepare isolated copies of system files for audits, so the real data remains untouched, and protect these copies with passwords or encryption.
  • IT staff need to verify that any devices used for audits, like laptops or tablets, meet security standards. This includes checking that software is up to date and has antivirus protection, to prevent introducing security risks.
  • Ensure that any special access requested for auditors to run specific tests is tracked and authorised. This can be done with a checklist that makes sure such requests go through the proper channels and receive the right approval before access is granted.

Audit / evidence tips

  • Ask: the audit schedule and approvals from management
    Good: shows no unexpected audits disrupting operations
  • Good: would show clear limits on what auditors were allowed to view or do
  • Ask: logs of system access during audit periods. Review these logs to confirm that only authorised accounts accessed data and that no excessive permissions were granted
    Good: demonstrates restricted and monitored access
  • Good: includes specific measures taken to secure every device used for audit purposes
  • Ask: records of any additional processing or tests done by auditors. Review these records to ensure they were authorised and controlled
    Good: consists of proper documentation and limited tests conducted during audits
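The log-review evidence tip above (and the read-only and tracked-access implementation tips) can be turned into a repeatable check. The following is an added example, not code from Control Stack or from ISO/IEC 27001: it takes an agreed audit window, the approved auditor accounts, and the service accounts expected on the in-scope hosts, then flags three things a reviewer would look for in the access logs: auditor accounts active outside the agreed window, unexpected accounts touching the systems during the window, and auditor accounts performing write or privilege actions rather than read-only ones. The log format, account names, hosts and timestamps are all constructed for the example.

```python
"""Review access logs against an agreed audit window (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed inputs (constructed for this example, not from any real audit):
# the agreed window from the audit schedule, the auditor accounts named in the
# written agreement, and the service accounts expected on the in-scope hosts.
WINDOW_START = datetime(2026, 3, 14, 22, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 15, 2, 0, tzinfo=timezone.utc)
APPROVED_AUDITORS = {"aud.jsmith", "aud.kwong"}
EXPECTED_SERVICE_ACCOUNTS = {"svc.backup"}
READ_ONLY_ACTIONS = {"read", "list", "query"}

# Constructed sample log: one event per line, ISO-8601 UTC timestamp then key=value fields.
SAMPLE_LOG = """\
2026-03-14T22:05:11Z user=aud.jsmith host=erp-db-01 action=query target=finance.invoices
2026-03-14T22:40:03Z user=aud.jsmith host=erp-db-01 action=update target=finance.invoices
2026-03-14T23:10:45Z user=contractor7 host=erp-db-01 action=read target=hr.payroll
2026-03-15T00:02:30Z user=aud.kwong host=erp-app-02 action=grant target=role:dba
2026-03-15T01:15:00Z user=svc.backup host=erp-db-01 action=read target=finance.invoices
2026-03-15T09:30:00Z user=aud.jsmith host=erp-db-01 action=query target=finance.invoices
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    action: str
    target: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event; the timestamp is taken as UTC."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, fields["user"], fields["host"], fields["action"], fields["target"])


def review(log_text: str,
           window_start: datetime = WINDOW_START,
           window_end: datetime = WINDOW_END,
           auditors: set = APPROVED_AUDITORS,
           service_accounts: set = EXPECTED_SERVICE_ACCOUNTS) -> list:
    """Return (rule, event) findings for anything outside the agreed audit arrangements."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        in_window = window_start <= ev.ts < window_end
        is_auditor = ev.user in auditors
        if is_auditor and not in_window:
            # Auditor activity outside the agreed window was never approved.
            findings.append(("auditor-outside-window", ev))
        elif in_window and not is_auditor and ev.user not in service_accounts:
            # Someone other than the auditors or known services used the system during the test.
            findings.append(("unexpected-account-in-window", ev))
        elif is_auditor and ev.action not in READ_ONLY_ACTIONS:
            # Auditors were agreed to have read-only access; writes or grants need explicit authorisation.
            findings.append(("auditor-write-or-privilege-action", ev))
    return findings


if __name__ == "__main__":
    for rule, ev in review(SAMPLE_LOG):
        print(f"{rule:36} {ev.ts.isoformat()} {ev.user} {ev.action} {ev.target} on {ev.host}")
```

Run against the sample, the review reports four findings: two non-read-only auditor actions (an update and a role grant), one unexpected account during the window, and one auditor query the following morning, outside the agreed window. Each finding should be matched against the authorisation records the last evidence tip asks for; a finding with a matching approval is evidence the control is working, one without is a gap.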

Cross-framework mappings

How Annex A 8.34 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ASD ISM

Partially overlaps (3)
  • ISM-1524: Annex A 8.34 requires audit tests and other assurance activities involving operational systems to be planned and agreed between testers a...
  • ISM-1563: Annex A 8.34 requires audit tests and other assurance activities involving operational systems to be planned and agreed with management
  • ISM-1967: Annex A 8.34 requires audit tests and assurance activities involving operational systems to be planned and agreed with management

Supports (2)
  • ISM-1564: ISM-1564 requires the system owner to produce a plan of action and milestones (POA&M) at the conclusion of a security assessment to remed...
  • ISM-1636: ISM-1636 requires system owners, in consultation with the authorising officer, to ensure each system and its operating environment underg...
