Control 8.34 : Protection of Information Systems During Audit Testing
Summary
Audit requirements and activities involving checks on operational systems should be planned and agreed between the tester and appropriate management. This prevents audit activities (like vulnerability scans) from causing system instability or performance degradation.
Applicability
In-Scope: Mandatory for organizations undergoing internal or external security audits. It ensures that the act of checking the security does not itself create an availability or integrity incident.
Out-of-Scope: Never out-of-scope for any organization committed to regular security reviews.
Implementation Guidance
Microsoft 365 / Entra ID
- Scoped Access: Create a dedicated auditor account in Entra ID with read-only permissions, and use Conditional Access to limit that account's access to a specific time window and IP address.
- Scan Scheduling: Schedule intensive vulnerability scans or penetration tests via Microsoft Defender during off-peak hours to minimize the impact on business operations.
- Monitoring: Utilize the Microsoft 365 Service Health dashboard to monitor system performance in real-time while audit tools are active.
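The scoped-access item above, worked through as an added example using Microsoft Graph PowerShell (this is not code from the page or from Microsoft). The UPN, display names, tenant domain and the 203.0.113.0/24 tester range are constructed placeholders; Conditional Access supplies the IP restriction, while the time window is enforced here by enabling the account only for the agreed period.

```powershell
# Added example: provision a time-boxed, IP-restricted, read-only auditor identity.
# All names, the UPN and the CIDR range below are constructed placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory", `
                        "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

$upn        = "auditor-2024q3@contoso.example"   # placeholder UPN
$auditorIps = "203.0.113.0/24"                   # placeholder tester egress range (TEST-NET-3)

# 1. Dedicated account, created disabled; it is enabled only for the agreed window.
$auditor = New-MgUser -DisplayName "External Auditor (time-boxed)" `
    -UserPrincipalName $upn -MailNickname "auditor-2024q3" -AccountEnabled:$false `
    -PasswordProfile @{ ForceChangePasswordNextSignIn = $true; Password = (New-Guid).Guid }

# 2. Read-only role: resolve Global Reader by name rather than hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $auditor.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId "/" | Out-Null

# 3. Named location for the agreed tester source range, then a Conditional Access
#    policy that blocks this one account from every other location.
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Audit tester egress"
    isTrusted     = $false
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $auditorIps })
}
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Auditor account: block outside tester egress"
    state         = "enabled"
    conditions    = @{
        users        = @{ includeUsers = @($auditor.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($loc.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
} | Out-Null

# 4. Time window: enable the account at the agreed start and disable it at the end
#    (run from a scheduled job or the change ticket that approved the audit).
Update-MgUser -UserId $auditor.Id -AccountEnabled:$true     # start of agreed window
# Update-MgUser -UserId $auditor.Id -AccountEnabled:$false  # end of agreed window

# 5. Evidence for the checklist: every sign-in by the auditor account, with source IP
#    and result, so the IP restriction can be shown to have been enforced.
Get-MgAuditLogSignIn -Filter "userId eq '$($auditor.Id)'" -All |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName,
                  @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
    Export-Csv -Path ".\auditor-signins.csv" -NoTypeInformation
```

Sign-ins from outside the named location appear in the export with a non-zero error code, which is the evidence an auditor asking whether the restriction was "technically enforced and monitored" would expect to see.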
Evidence Checklist
- Audit Plan: A documented agreement defining the scope, tools, and timing of audit activities.
- Management Approval: Evidence (emails or meeting minutes) showing that the technical team authorized the audit activities on production systems.
- Audit Impact Logs: Performance monitoring records from the period during which the audit was conducted.
Practical Audit Advice
Here are some questions the auditor might ask:
- What process is in place to immediately halt an audit test if it begins to impact the performance of a critical business service?
- How do you ensure that the tools used by an auditor (e.g., scanners) do not introduce new vulnerabilities or leave backdoors in the system?
- Were the specific accounts used by the auditor disabled or deleted immediately following the conclusion of the audit?
- Can you provide evidence that the read-only restriction for the auditor was technically enforced and monitored?