8.34 Protection of Information Systems During Audit Testing
Control
Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management.
Purpose
Protection of information systems during audit testing in information security refers to the measures and procedures that are put in place to protect information systems while they are being tested during an audit.
Implementation Guidance
Audit testing is the process of evaluating the security controls of an information system to determine whether they are functioning as intended and whether they comply with the organisation's security policies and standards.During audit testing, the system may be put through a variety of tests, such as vulnerability scanning, penetration testing, or compliance testing. These tests can expose the system to potential security risks and can cause disruptions to the system's normal operation.To protect the system during audit testing, organisations can implement several measures:
- Use of test accounts: Use test accounts rather than real accounts to access the system during testing. This can help to prevent accidental or unauthorised changes to the system.
- Use of test data: Use test data rather than real data to perform the testing. This can help to protect sensitive or confidential data from being compromised.
- Isolation of test environment: Isolate the test environment from the production environment to prevent disruptions or damage to the production environment.
- Data backup: Perform a backup of the system before testing in case the system needs to be restored in the event of an unexpected problem.
- Monitoring: Monitor the system during testing to detect any issues or problems that may occur.
- Test plans: Have a detailed test plan and communicate it with the relevant parties, such as system administrators and other stakeholders. By implementing these measures, organisations can help to protect their information systems during audit testing, minimize the potential impact of any issues that may occur, and ensure that the testing process is conducted in a controlled and secure manner.
ISO 27001:2022
Technological Controls
AvISO will be updating and reviewing all the information regularly, so keep us bookmarked and keep checking!
Got a question or need help? Don't hesitate to reach out to our team.
27002:2022 Related Controls
CLick to view control
If you would like to know more about ISO Standards, Certification and the value of a good management system you can add to your business we would love to hear from you: Kent: 01892 800476 | London: 02037 458 476 | info@avisoconsultancy.co.uk
