ISO 27001 Annex A 8.34: The Ultimate Guide

With the increasing number of cyber threats and attacks, it has become crucial for organisations to implement robust security measures.

You should consider not only external factors but internal ones as well, in particular the protection of information systems during audit testing.

ISO 27001 Annex A 8.34 deals specifically with this requirement.

In this ultimate guide, we will explore the requirements of ISO 27001 Annex A 8.34 and delve into the various strategies and best practices for protecting information systems during audit testing.

Understanding the Requirements of ISO 27001 Annex A 8.34

ISO 27001 Annex A 8.34 sets out specific requirements for protecting information systems during audit testing.

It emphasises the need to plan and agree any audit or assurance activities that involve operational systems, such as:

  • Audits
  • Vulnerability assessments
  • Configuration compliance assessments
  • Penetration tests

The purpose of ISO 27001 Annex A 8.34 is to establish a systematic approach to protecting information systems during audit testing, so that the impact on operational systems and business processes is minimised.

Evaluating Potential Risks When Protecting Information Systems During Audit Testing

ISO 27001 Annex A 8.34 and your Risk Assessments

One of the key requirements outlined in ISO 27001 Annex A 8.34 is the identification of potential risks.

This involves identifying the vulnerabilities and threats that could compromise the security of the organisation's systems.

Organisations must conduct a comprehensive risk assessment to identify vulnerabilities and threats to their information systems, particularly during audit testing.

By understanding and evaluating these risks, organisations can develop effective protection plans.

During the risk assessment process, organisations should consider both internal and external factors that can pose a risk to their information systems.

Internal factors may include:

  • inadequate security controls,
  • weak passwords, or
  • lack of employee awareness.

External factors, on the other hand, may include:

  • cyber attacks,
  • data breaches, or
  • natural disasters.

Once the risks have been identified, organisations need to evaluate their potential impact.

This involves assessing the likelihood of each risk occurring and the potential consequences if it does.

By quantifying the risks, organisations can prioritise their efforts and allocate resources effectively to mitigate the most significant threats.

ProTip - Log each of the risks that you've identified in your risk register. Failing to do this may impact your compliance with ISO 27001.

ISO 27001 Annex A 8.34 and your Risk Treatment Plan

Based on the risk assessment, organisations can then develop protection plans that align with ISO 27001 Annex A 8.34 requirements.

These plans should include a combination of physical, technical and organisational safeguards to ensure comprehensive protection of information systems.

Physical safeguards may include measures such as:

  • secure access controls,
  • CCTV surveillance, and
  • secure storage facilities.

Technical safeguards, on the other hand, may involve:

  • implementing firewalls,
  • intrusion detection systems, and
  • encryption technologies.

Organisational safeguards, meanwhile, focus on establishing policies, procedures and training programmes to promote a culture of security awareness among employees.

It's fair to say that implementing these protection plans is not a singular effort; it requires collaboration from all levels of the organisation.

It is essential for organisations to involve key stakeholders, such as IT personnel, management, and employees, in the development and implementation of security controls.

This ensures that everyone understands their roles and responsibilities in maintaining the security of information systems.

ISO 27001 Annex A 8.34 and Continuous Improvement

Regular monitoring and review of the implemented security controls are also crucial to ensure their effectiveness.

Organisations should conduct periodic audits and assessments to identify any gaps or weaknesses in their security measures.

By continuously improving and updating their security controls, organisations can stay ahead of emerging threats and maintain the integrity of their information systems.

Crafting a Comprehensive Protection Plan for Information Systems During Audit Testing

Once potential risks have been identified and evaluated, organisations can develop a comprehensive protection plan.

This plan should outline the security controls and measures needed to safeguard information systems during audit testing.

The protection plan may include implementing strong access controls, such as user authentication and authorization mechanisms.

It may also involve establishing strict security policies and procedures that govern the usage and handling of sensitive information.

Regular security audits and assessments should be conducted to ensure compliance with the protection plan.

6 Best Practices for Protecting Information Systems During Audit Testing

To comply with ISO 27001 Annex A 8.34 and enhance the protection of information systems during audit testing, organisations should adopt these 6 best practices.

  1. Build an Audit Plan
  2. Develop an Audit Procedure
  3. Control the Scope
  4. Apply Zero Trust Principles for Access
  5. Use Secure Connections During Audit Testing
  6. Ensure Data Security During Audit Testing

Let's explore each of these best practices in more depth.

Best Practice #1 - Build an Audit Plan

To minimise disruption to both operational systems and business processes, make sure you develop an audit plan and agree it with appropriate management.

Having a plan will make the experience a whole lot smoother and ensure that there is a shared understanding between all interested parties.

If possible, create a 12 month audit plan that maps out what audit and assurance activities will happen and when.

If you really want to supercharge your audit and assurance activities, look at how you can combine controls (not just within ISO 27001 but across other standards and frameworks too) to optimise resources and increase impact.

Your plan should answer the following key questions:

  • What is the scope of the audit?
  • What assets, systems and/or data will be affected?
  • When will the audit be taking place?
  • Who will be required to support the audit?
  • What (if any) tools will need to be deployed to support the audit?
  • What access will be required to perform the audit?
  • What information will be required to support the audit?

ProTip - Don't forget to align this to your Control of Documented Information Procedure (ISO/IEC 27001:2022 Clause 7.5). Failing to do this may impact your compliance with ISO 27001.

Best Practice #2 - Develop an Audit Procedure

Audit - in all its forms - is a fundamental component of an effective ISMS and ISO 27001.

Having an Audit Procedure helps you develop a systematic approach to audit testing. It also provides a vehicle for communicating with stakeholders and for driving continuous improvement of the audit process itself.

ProTip - Don't forget to align this to your Control of Documented Information Procedure (ISO/IEC 27001:2022 Clause 7.5). Failing to do this may impact your compliance with ISO 27001.

Best Practice #3 - Control the Scope

It's really important to ensure that the scope of the audit is controlled.

The process needs to be managed to ensure that you deliver against the objective of the audit and to avoid going down any rabbit holes.

Remember - Audit testing can be a resource-intensive and costly exercise. It's important that the audit delivers against its objective in an efficient and effective way.

Best Practice #4 - Apply Zero Trust Principles for Auditor Access

You don't want any actions by the tester or auditor to compromise the integrity or the availability of your systems or processes.

Apply Zero Trust Principles to control access to software and data. These include:

  • Verify explicitly - Always authenticate and authorise based on all available data points, including user identity, location, device health, data classification or anomalies.
  • Use "least privilege" access - Limit access with "Just In Time" and "Just Enough" (JIT/JEA) access policies to help secure both data and productivity.
  • Assume breach - Develop strategies for detecting and responding to unauthorised access during audit testing.

If read-only access is not available to obtain the information needed to complete the audit test, my advice is to have an experienced and authorised member of your team gather that information on behalf of the auditor.

ProTip - Your auditor is your friend. Work with them to make sure that they get the access they require, whilst minimising the risk to your organisation.
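As an added illustration of the three Zero Trust principles above (not code from the article or from any product), the following Python models an auditor access gate. "Verify explicitly" requires MFA and a compliant device on every request; "least privilege" is a Just In Time window combined with a Just Enough, read-only scope taken from the agreed audit plan; "assume breach" is a decision log from which out-of-scope or out-of-window attempts can be pulled for investigation. The auditor names, system names, timestamps and the set of read-only verbs are all constructed assumptions.

```python
"""Zero Trust gate for auditor access. Added illustration only: the names,
systems, timestamps and read-only verbs below are constructed assumptions,
not values from any real system or from the article."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# "Just Enough" access for an audit: verbs that can read but never change state.
READ_ONLY = frozenset({"read", "list", "export"})

# Denial reasons that suggest scope creep or misuse rather than a simple mistake.
SUSPICIOUS_REASONS = frozenset(
    {"outside_jit_window", "system_out_of_scope", "action_not_read_only"}
)


@dataclass(frozen=True)
class AccessGrant:
    auditor: str
    systems: frozenset  # in-scope systems, taken from the agreed audit plan
    start: datetime     # Just In Time window
    end: datetime


@dataclass(frozen=True)
class AccessRequest:
    auditor: str
    system: str
    action: str
    device_compliant: bool  # device health signal (assumed to come from MDM)
    mfa_verified: bool      # identity signal (assumed to come from the IdP)
    at: datetime


@dataclass
class ZeroTrustGate:
    grants: dict = field(default_factory=dict)  # auditor -> AccessGrant
    log: list = field(default_factory=list)     # every decision, allowed or not

    def grant_jit(self, auditor, systems, hours, now):
        """Issue a time-boxed, scope-limited grant for one auditor."""
        grant = AccessGrant(auditor, frozenset(systems), now, now + timedelta(hours=hours))
        self.grants[auditor] = grant
        return grant

    def evaluate(self, req):
        """Decide one request; record the decision regardless of outcome."""
        reason = self._denial_reason(req)
        self.log.append({
            "at": req.at.isoformat(), "auditor": req.auditor, "system": req.system,
            "action": req.action, "allowed": reason is None, "reason": reason,
        })
        return reason is None

    def _denial_reason(self, req):
        # Verify explicitly: identity and device health are checked on every request.
        if not req.mfa_verified:
            return "mfa_not_verified"
        if not req.device_compliant:
            return "device_not_compliant"
        grant = self.grants.get(req.auditor)
        if grant is None:
            return "no_active_grant"
        # Just In Time: only inside the agreed window.
        if not (grant.start <= req.at < grant.end):
            return "outside_jit_window"
        # Just Enough: only in-scope systems, only read-only actions.
        if req.system not in grant.systems:
            return "system_out_of_scope"
        if req.action not in READ_ONLY:
            return "action_not_read_only"
        return None

    def suspicious_events(self):
        """Assume breach: surface denials worth a follow-up with the audit lead."""
        return [e for e in self.log if e["reason"] in SUSPICIOUS_REASONS]


def demo():
    """Run a constructed sequence of requests; returns (decisions, suspicious events)."""
    now = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    gate = ZeroTrustGate()
    gate.grant_jit("auditor.jane", ["hr-db", "payroll-app"], hours=4, now=now)
    requests = [
        AccessRequest("auditor.jane", "hr-db", "read", True, True, now + timedelta(minutes=5)),
        AccessRequest("auditor.jane", "crm-db", "read", True, True, now + timedelta(minutes=10)),
        AccessRequest("auditor.jane", "hr-db", "delete", True, True, now + timedelta(minutes=15)),
        AccessRequest("auditor.jane", "hr-db", "read", False, True, now + timedelta(minutes=20)),
        AccessRequest("auditor.jane", "hr-db", "read", True, True, now + timedelta(hours=5)),
        AccessRequest("contractor.bob", "hr-db", "read", True, True, now + timedelta(minutes=30)),
    ]
    decisions = [gate.evaluate(r) for r in requests]
    return decisions, gate.suspicious_events()


if __name__ == "__main__":
    decisions, suspicious = demo()
    print("decisions:", decisions)
    for event in suspicious:
        print("follow up:", event)
```

Only the first request (in scope, read-only, inside the window, healthy device, MFA) is allowed; the out-of-scope system, the destructive verb and the request after the window expires all land in the suspicious list, which is the material you would review with the audit lead under "assume breach".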

Best Practice #5 - Use Secure Connections During Audit Testing

Remote audit testing has become increasingly common, especially in today's remote work environment.

Organisations must establish secure connections to ensure the confidentiality and integrity of audit testing processes.

Some areas to consider:

  • Virtual Private Networks (VPNs) - VPNs create an encrypted "tunnel" between the remote auditor and the organisation's information systems, protecting data transmission from potential eavesdropping or interception.
  • Firewalls - Firewalls act as a barrier between your internal network and external networks, such as the internet. Firewalls monitor and control incoming and outgoing network traffic, blocking unauthorised access attempts and filtering potentially harmful data packets.
  • Remote Access Tools (such as Remote Desktop or VDI) - Remote Access Tools provide a virtual workspace for the auditor to perform their work. These can be configured to apply the principle of "Least Privilege" whilst ensuring that data doesn't leave your network.

Best Practice #6 - Ensure Data Security During Audit Testing

A significant aspect of protecting information systems during audit testing is ensuring data security.

Key areas to think about:

  • Securing data at rest - ISO 27001 Annex A 8.34 emphasises the importance of encryption as a means to safeguard sensitive data. Leveraging encryption ensures the confidentiality and integrity of information during audit testing.
  • Securing data in transit - It's common that information will need to be sent to the Auditor before, during or after an audit. Ensure that you use a secure method that prevents unauthorised access or potential data breach.
  • Data loss prevention (DLP) - Consider the use of data loss prevention (DLP) tools such as Microsoft Purview as a means of dynamically identifying, classifying and protecting data. This helps protect your data and mitigate the risk of data leakage.
  • Backup and recovery - Backup strategies are crucial for protecting information systems during audit testing. Backups should be performed regularly and stored in secure, offsite locations.

Conclusion

In summary, protecting information systems during audit testing is a multifaceted endeavour.

By understanding the requirements of ISO 27001 Annex A 8.34 and implementing suitable protection strategies, organisations can safeguard their sensitive information from potential security breaches.

Ultimately, by following the guidance provided in this ultimate guide, organisations can enhance the security of their information systems and contribute to a safer digital landscape.

P.S. Whenever you're ready, here are 3 ways I can help you:

  1. Subscribe to GRCMANA and each week you will get more tips, strategies and resources that will help you accelerate your GRC career.
  2. Join the Cyber Resilience Network: Join 16,000+ other members in the largest LinkedIn Community dedicated to building cyber resilience in the cloud.
  3. Follow me on LinkedIn for more tools, strategies and insights on how to govern your cloud, secure your cloud and defend your cloud.

About the author

Harry is a technologist and security leader with 20+ years' experience in helping organisations govern their cloud, secure their cloud and defend their cloud.