Audit tests play a critical role in detecting and eliminating security risks and vulnerabilities in the information systems.
However, the audit process, whether performed in operational, testing, or development environments, can expose sensitive information to the risks of unauthorised disclosure, or loss of integrity and availability.
Control 8.34 deals with how organisations can maintain the security of information assets during audit tests.
Control 8.34 enables organisations to eliminate and mitigate risks to the security of information systems and to the continuity of business operations by establishing and applying suitable measures and controls such as access restrictions and read-only access limitations.
Control 8.34 is preventive in nature as it requires the upper management and the auditor to plan and agree on audit testing procedures, restrictions, and controls prior to carrying out audits.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #System and Network Security #Information Protection | #Governance and Ecosystem #Protection |
The IT management team should be responsible to plan and agree on audit procedures and to create and apply necessary measures.
Control 8.34 lists eight specific requirements organisations should consider:
When audits are performed on testing or development environments, organisations should be cautious against the following risks:
27002:2022/8.34 replace 27002:2013/(12.7.1)
Although the 2022 version is similar to the 2013 version to great extent, there are two key differences.
2022 version introduces the following requirement that was not referred to in the 2013 version:
If an access request is authorised, organisations should first verify that devices used to access systems meet the security requirements before they provide access.
In the Supplementary Guidance, the 2022 version cautions organisations against the security risks due to audits performed on testing and development environments. The 2013 version, on the contrary, did not refer to the testing and development environments.
ISO 27002 implementation is simpler with our step-by-step checklist that guides you through the whole process, from defining the scope of your ISMS through risk identification and control implementation.
Our platform is intuitive and easy-to-use. It’s not just for highly technical people; it’s for everyone in your organisation. We encourage you to involve staff at all levels of your business in the process of building your ISMS, because that helps you to build a truly sustainable system.
Get in touch today to book a demo.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
