GRCWatch
Sign inStart free trial

ISO 27001 Control 8.34: Protection of Information Systems During Audit Testing

Audit testing and assurance activities create operational risk if not carefully controlled. Control 8.34 requires you to plan and coordinate audit activities to minimize system disruption while preventing unauthorized access—balancing thorough compliance verification with business continuity.

What this means

This control mandates that any audit, assessment, or testing of your operational systems must be pre-planned and formally agreed upon with relevant stakeholders. The goal is two-fold: reduce unplanned downtime and security incidents, and ensure testers only access what's necessary. You're establishing a framework where audit work happens by exception and design, not surprise.

How to comply

  1. 1.Document and communicate audit testing schedules in advance to system owners and operations teams
  2. 2.Define scope, duration, and impact assessment for each audit or assurance activity before execution
  3. 3.Establish approval gates requiring sign-off from IT, security, and business stakeholders
  4. 4.Implement access controls during testing—restrict tester permissions to audit scope only
  5. 5.Monitor and log all audit activities for unauthorized access detection
  6. 6.Conduct post-audit reviews to verify disruption stayed within acceptable limits
  7. 7.Create a central audit calendar to coordinate overlapping assessments and prevent system overload

Evidence auditors look for

  • Audit testing schedule or audit plan signed by system owner and IT leadership
  • Scope of work documents defining systems, data, and access levels for each audit
  • Access request and approval forms tied to specific audit engagements
  • Audit activity logs showing timestamps and tester identities
  • Post-audit impact assessments documenting any downtime or incidents
  • Risk assessments performed before high-impact audit activities
  • Remediation records for unauthorized access attempts during audit testing

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates audit scheduling and approval workflows, centralizing test plans and access logs so you log controlled testing in minutes instead of managing email chains and spreadsheets.

See how GRCWatch handles this control automatically

Start free trial