A.8.34 Protection of Information Systems During Audit Testing
What is this control?
ISO 27001 control A.8.34 Protection of Information Systems During Audit Testing requires that audit tests and other assurance activities which assess operational systems are planned and agreed between the tester and the responsible management, so that verification work does not disrupt business processes. In practice this means an agreed audit scope, controlled read-only access for auditors, protection of the audit tools and of the data they collect, and testing windows scheduled away from peak business periods.
How to implement in Microsoft 365
Implement A.8.34 by requiring a formal audit scope agreement before testing begins; it should document the systems in scope, the access required, the testing windows and the contact persons on both sides. Grant auditors read-only access through the Entra ID Global Reader and Security Reader roles rather than administrative roles, and make the assignment time-bound so that it expires at the end of the agreed testing window rather than relying on someone remembering to remove it. Schedule testing windows that avoid peak business periods and change freeze periods.
Keep audit tools and scripts in secure storage with access logging, and have auditors run them under their own named accounts so that their activity is attributable to one identity in the Entra ID sign-in and audit logs. Escort or monitor auditor access to sensitive systems. Review and revoke auditor access immediately after the audit completes, and verify that no directory role assignments remain on the auditor's account.
Document any issues or incidents that occur during audit testing.
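The grant-then-revoke procedure above, as an added example written for this page (it is not code from the original page or from Microsoft). It uses the Microsoft Graph PowerShell SDK and Entra ID Privileged Identity Management to give an auditor Global Reader and Security Reader as active assignments that expire with the testing window, then shows the post-audit check that removes anything still assigned. The auditor UPN, the window dates and the scope agreement reference are assumed placeholders.

```powershell
# Added example, not the page's own code. Assumed values: the auditor account
# auditor@contoso.com, an agreed window of 2025-03-03 08:00 to 2025-03-07 18:00 UTC,
# and a scope agreement reference AUD-2025-01. Replace all three before use.
#Requires -Modules Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users

$AuditorUpn  = 'auditor@contoso.com'
$WindowStart = [datetime]::new(2025, 3, 3,  8, 0, 0, [System.DateTimeKind]::Utc)
$WindowEnd   = [datetime]::new(2025, 3, 7, 18, 0, 0, [System.DateTimeKind]::Utc)
$Roles       = @('Global Reader', 'Security Reader')   # read-only, no admin roles
$Reason      = 'ISO 27001 A.8.34 audit testing, scope agreement AUD-2025-01'

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All' -NoWelcome

$auditor = Get-MgUser -UserId $AuditorUpn -Property Id, UserPrincipalName

# Resolve each role by display name rather than hardcoding template IDs.
$roleDefs = foreach ($name in $Roles) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if (-not $def) { throw "Role definition '$name' not found in this tenant" }
    $def
}

# 1. Grant: PIM active assignment bounded to the agreed testing window.
#    'afterDateTime' expiration means the role is removed automatically at $WindowEnd.
foreach ($def in $roleDefs) {
    $body = @{
        action           = 'adminAssign'
        justification    = $Reason
        roleDefinitionId = $def.Id
        directoryScopeId = '/'
        principalId      = $auditor.Id
        scheduleInfo     = @{
            startDateTime = $WindowStart.ToString('o')
            expiration    = @{
                type        = 'afterDateTime'
                endDateTime = $WindowEnd.ToString('o')
            }
        }
    }
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body | Out-Null
    Write-Host "Granted '$($def.DisplayName)' to $($auditor.UserPrincipalName) until $($WindowEnd.ToString('u'))"
}

# 2. Post-audit check (run after the audit closes): list every directory role the
#    auditor still holds and remove it, so nothing survives past the window even if
#    a role was added by hand during the engagement.
$remaining = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($auditor.Id)'" -ExpandProperty roleDefinition

foreach ($a in $remaining) {
    Write-Warning "Revoking '$($a.RoleDefinition.DisplayName)' from $AuditorUpn"
    $body = @{
        action           = 'adminRemove'
        justification    = "$Reason, audit completed"
        roleDefinitionId = $a.RoleDefinitionId
        directoryScopeId = $a.DirectoryScopeId
        principalId      = $auditor.Id
    }
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body | Out-Null
}

if (-not $remaining) { Write-Host "No directory roles remain on $AuditorUpn" }
```

The schedule request cmdlets need Entra ID P2 (PIM). On a tenant without PIM, the same roles can be assigned with New-MgRoleManagementDirectoryRoleAssignment and removed with Remove-MgRoleManagementDirectoryRoleAssignment, but then the expiry is not enforced and the revocation step in part 2 is the only thing that ends the access. Keep the output of both parts with the audit records, since the grant and the revocation are exactly what the auditor will ask to see.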
What an auditor looks for
Auditors will verify that a formal audit scope agreement existed before testing began, that auditor access used read-only roles such as Global Reader and Security Reader, and that testing windows were scheduled to avoid peak periods.
They will check that audit tools and data were stored securely with access logging, that access was revoked after the audit completed, and that any issues arising during audit testing were documented.