What the auditor wants to verify
Audit objective
Verify that audit tests and assurance activities on operational systems are planned, agreed, authorized, logged, and protected.
Evidence to request
| Evidence | Purpose |
|---|---|
| Audit testing plan | Shows scope and safeguards |
| Management authorization | Shows operational agreement |
| Rules of engagement | Shows tester limits |
| Tool approval/validation record | Shows tools are controlled |
| Access and activity logs | Shows traceability |
| Stop/escalation criteria | Shows disruption control |
| Audit result access controls | Shows findings are protected |
| Independence record | Shows assurance objectivity considered |
Strong evidence
- Operational testing is planned before execution.
- Scope, tools, timing, contacts, and stop criteria are documented.
- Appropriate management authorizes the activity.
- Tool use and access are logged.
- Audit results are stored with restricted access.
- Independence is documented where relevant.
Weak evidence
- Production scans occur without written approval.
- Tool use is not logged.
- No stop criteria or escalation contacts exist.
- Results are stored in open folders.
- Audit testing changes data without explicit approval.
Sample interview questions
- How are operational system audit tests approved?
- Who agrees the scope and timing?
- What tools are allowed?
- How is disruption minimized?
- How are audit results protected?
- How is independence considered?
Common nonconformities
- Testing scope is not agreed.
- Operational management has not authorized testing.
- Audit tools are uncontrolled.
- Access and tool use are not logged.
- Audit outputs are not protected.
Related notes
- Audit
- Evidence
- A8 34
- Iso27001
Note Metadata
Aliases: A.8.34 Evidence
Source: 04 Audit Evidence Packs/A.8.34 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.34 - Protection of Information Systems During Audit Testing
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.34 Protection of Information Systems During Audit Testing
- A.8.34 Audit Checklist
- Audit Testing Plan and Authorization Record
- Audit Tool Validation Record
- Audit Evidence Index