ISO/IEC 27001 Control 8.34: Protection of information systems during audit testing
Control
Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
MidPoint can use access control mechanisms to manage auditor access to systems.
Implementation Details
Role-based access control (RBAC) and organizational structure can be used to manage auditor access for regular audits, which mostly applies to internal auditors. They can also be used to pre-configure business roles for external auditors, which are assigned and unassigned as needed. Alternatively, external auditors can use the access request and approval process to obtain the necessary access in a controlled way. The activation schema can be used to grant access to an auditor for a limited time period. Entitlements can be used to control auditor access at a fine-grained level, assigning read-only access where that is sufficient. The clearance mechanism can be used to make sure auditors have the appropriate credentials to conduct audits. For example, external auditors may need an NDA clearance, while internal auditors might need a clearance attesting that the person has passed GDPR training, has a clean criminal record, is not in a conflict of interest, etc. The audit trail records all access rights assigned to auditors.
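The following is an added illustration of the time-limited, pre-configured auditor role described above; it is not configuration shipped with midPoint or taken from this page. The role name, user name, dates and OIDs are assumed placeholders, and the read-only entitlement role that the business role induces is assumed to exist already.

```xml
<!-- Pre-configured business role for external auditors.
     Marked requestable so auditors can also obtain it via the access request
     and approval process. The induced role (placeholder OID) is assumed to
     carry only read-only entitlements on the audited systems. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="PLACEHOLDER-EXTERNAL-AUDITOR-ROLE-OID">
    <name>External Auditor</name>
    <description>Read-only access to operational systems during agreed audit testing</description>
    <inducement>
        <targetRef oid="PLACEHOLDER-READ-ONLY-ENTITLEMENT-ROLE-OID" type="RoleType"/>
    </inducement>
    <requestable>true</requestable>
</role>

<!-- Assignment of that role to one auditor, limited to the agreed audit window.
     The activation validity interval is the midPoint mechanism referred to above as
     the activation schema: outside validFrom/validTo the assignment is inactive and
     the induced access is deprovisioned. Dates and user name are constructed. -->
<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="PLACEHOLDER-AUDITOR-USER-OID">
    <name>ext.auditor.example</name>
    <assignment>
        <targetRef oid="PLACEHOLDER-EXTERNAL-AUDITOR-ROLE-OID" type="RoleType"/>
        <activation>
            <validFrom>2024-03-04T08:00:00Z</validFrom>
            <validTo>2024-03-15T18:00:00Z</validTo>
        </activation>
    </assignment>
</user>
```

Both the assignment and its later expiry are recorded in the midPoint audit trail, which gives the evidence that auditor access was planned and agreed in advance, as the control requires.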
Rationale
This is both a technological and an organizational control; however, midPoint can still assist with the access control mechanisms.