ISO/IEC 27001 Control 8.34: Protection of information systems during audit testing
Control
Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
MidPoint can use access control mechanisms to manage auditor access to systems.
Implementation Details
Role-based access control (RBAC) and organizational structure can be used to manage auditor access for regular audits, which will mostly apply to internal auditors. They can also be used to pre-configure business roles for external auditors, which can be assigned and unassigned as needed. Alternatively, external auditors can use an access request and approval process to obtain the necessary access in a controlled way. The activation schema can be used to assign access to an auditor for a limited time period only. Entitlements can be used to control auditor access at a fine-grained level, assigning read-only access where that is sufficient. The audit trail records all access rights assigned to auditors.
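The following is an added example (not part of the midPoint documentation or product) of how the mechanisms above fit together: a business role for external auditors that induces a read-only entitlement on the audited system, and an auditor user whose assignment of that role is valid only during the agreed audit window. The OIDs are placeholders, and the resource is assumed to expose a group association named ri:group with a group called auditors-readonly.

```xml
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <!-- Business role for external auditors; all OIDs below are placeholders -->
    <role oid="aaaaaaaa-0000-0000-0000-000000000001">
        <name>External Auditor (read-only)</name>
        <inducement>
            <construction>
                <!-- placeholder OID of the audited system's resource definition -->
                <resourceRef oid="bbbbbbbb-0000-0000-0000-000000000001" type="ResourceType"/>
                <kind>account</kind>
                <intent>default</intent>
                <!-- Entitlement: membership in the read-only auditors group (assumed name) -->
                <association>
                    <ref>ri:group</ref>
                    <outbound>
                        <expression>
                            <associationTargetSearch>
                                <filter>
                                    <q:equal>
                                        <q:path>attributes/ri:name</q:path>
                                        <q:value>auditors-readonly</q:value>
                                    </q:equal>
                                </filter>
                                <searchStrategy>onResourceIfNeeded</searchStrategy>
                            </associationTargetSearch>
                        </expression>
                    </outbound>
                </association>
            </construction>
        </inducement>
    </role>
    <!-- Auditor user; the role assignment is active only during the agreed audit window,
         so the account and group membership are provisioned on validFrom and
         deprovisioned automatically after validTo (constructed sample dates) -->
    <user>
        <name>ext.auditor</name>
        <assignment>
            <targetRef oid="aaaaaaaa-0000-0000-0000-000000000001" type="RoleType"/>
            <activation>
                <validFrom>2025-03-03T08:00:00.000Z</validFrom>
                <validTo>2025-03-14T18:00:00.000Z</validTo>
            </activation>
        </assignment>
    </user>
</objects>
```

Both the assignment and its later automatic deactivation are recorded in the midPoint audit trail, which gives the evidence that auditor access was limited to the agreed scope and period.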
Rationale
This is both a technological and an organizational control; however, midPoint can still assist with the access control mechanisms that support it.