ISO/IEC 27001 Control 8.34: Protection of information systems during audit testing

Control

Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management.

Necessity of MidPoint

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementing it, making the implementation more efficient and more reliable.

Implementation Overview

MidPoint can use its access control mechanisms to manage and record auditor access to operational systems.

Implementation Details

Role-based access control (RBAC) and organizational structure can be used to manage auditor access for regular audits, which will mostly apply to internal auditors. They can also be used to pre-configure business roles for external auditors, which are assigned and unassigned as needed. Alternatively, external auditors can use the access request and approval process to obtain the necessary access in a controlled way. The activation schema can be used to assign access to an auditor for a limited time period only, so that the access expires without a manual revocation step. Entitlements can be used to control auditor access at a fine level, granting read-only access where that is sufficient. The audit trail records all access rights assigned to auditors, including who approved them and when they were granted and removed.
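As an added example (not part of this page or of the midPoint project's own documentation), the following midPoint user object assigns a pre-configured auditor business role for a bounded period using the assignment activation schema described above. The user name, role name and both OIDs are placeholders chosen for this illustration; the role itself is assumed to exist and to induce the read-only entitlements on the audited systems.

```xml
<!-- Added example, not from the midPoint documentation. OIDs and names are placeholders. -->
<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="e7c1a2b4-0000-4000-8000-000000000101">
    <name>ext.auditor.jsmith</name>
    <fullName>Jane Smith (external auditor)</fullName>
    <assignment>
        <!-- Reference to the hypothetical pre-configured "External Auditor" business role. -->
        <targetRef oid="e7c1a2b4-0000-4000-8000-000000000201" type="c:RoleType"/>
        <!-- Activation schema: the assignment is effective only inside this window.
             Before validFrom and after validTo midPoint treats it as inactive, so the
             induced accounts and entitlements are deprovisioned on the next recompute. -->
        <activation>
            <validFrom>2024-03-04T08:00:00Z</validFrom>
            <validTo>2024-03-15T18:00:00Z</validTo>
        </activation>
    </assignment>
</user>
```

The validity window is enforced by midPoint's activation model rather than by the target systems: the assignment is recorded in the audit trail when it is created, and the periodic validity scanner recomputes the user once the window closes, removing the auditor's access without anyone having to remember to revoke it.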

Rationale

This is both a technological and an organizational control; the planning and agreement with management are organizational, but midPoint can still assist with the access control mechanisms that limit what the audit tests may touch.
