Table of contents
- ISO 27002 Test Information
- What is ISO 27002:2022 Control 8.33
- Definition of ISO 27002 Control 8.33
- Purpose of ISO 27002 Control 8.33
- Ownership of ISO 27002 Control 8.33
- Compliance Guidance
- Supplementary Guidance on ISO 27002 Control 8.33
- Changes and Differences to ISO 27002:2013
- ISO 27002 Control 8.33 FAQ
- ISO 27002 Control 8.33 Attributes Table
ISO 27002 Test Information
Test environments, crucial for developing robust software, often pose significant security risks due to the presence of real data and inadequate safeguards.
For instance, developers may utilise easily guessable credentials like “admin” for both username and password in these testing environments, where sensitive information resides.
This vulnerability can be exploited by malicious actors to gain unauthorised access to the staging environment and potentially steal valuable data.
Consequently, organisations must implement robust controls and procedures to safeguard real-world data utilised in testing environments.
To address these concerns, Test Information provides specific guidance on safeguarding sensitive information during testing activities. By following these guidelines, organisations can ensure the security and integrity of their data throughout the testing process.
What is ISO 27002:2022 Control 8.33
ISO 27002:2022 Control 8.33 provides implementation guidance for ISO 27001 Annex A 8.33 Test Information.
Definition of ISO 27002 Control 8.33
ISO 27002 defines Control 8.33 as: the confidentiality, integrity and availability of test information must be ensured through appropriate selection, protection and management.
Purpose of ISO 27002 Control 8.33
This is a preventive control designed to safeguard operational information during testing and to ensure test relevance. Its purpose is to ensure that the confidentiality of all information used within the testing environment is strictly maintained, and that test information is carefully selected and used so that test results are reliable and accurate.
Ownership of ISO 27002 Control 8.33
The Information Security Officer is responsible for collaborating closely with the development team to establish appropriate controls and procedures for selecting, protecting, and managing the most relevant test information.
Compliance Guidance
When implementing ISO 27002:2022 Control 8.33 Test Information, the following guidance should be considered:
- Organisations must minimise the use of sensitive information, including personal data, within development and testing environments.
- Access controls applied in production environments should be mirrored in test environments.
- A dedicated authorisation process for copying real data into test environments must be established and enforced.
- All activities involving the copying and use of sensitive information in test environments should be diligently logged for audit trail purposes.
- When necessary, sensitive information used in testing must be protected through appropriate measures, such as data masking or removal.
- Upon completion of testing, all information used within the test environment must be securely and permanently removed to prevent unauthorised access.
- Additionally, organisations must implement robust measures to ensure the secure storage of all information assets.
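As an added illustration, not part of the ISO text or of this page, the following Python routine shows how the masking, authorisation and logging points above fit together: sensitive fields are replaced with keyed tokens before a production extract is copied into a test environment, and one audit entry records who copied it and under which approval. The masking key, the field names and the sample records are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import logging
from datetime import datetime, timezone

# Hypothetical masking key (assumption): kept in the production secret store,
# never in the test environment, so tokens cannot be reversed from there.
MASKING_KEY = b"constructed-example-key"
# Fields treated as sensitive personal data (assumption for this example).
SENSITIVE_FIELDS = {"name", "email", "phone", "national_id"}

def pseudonymise(value: str) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so joins
    between masked tables still work, but the original is not recoverable."""
    return hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def mask_record(record: dict) -> dict:
    """Return a copy of the record with every sensitive field replaced."""
    masked = {}
    for field, value in record.items():
        if field not in SENSITIVE_FIELDS:
            masked[field] = value
        elif field == "email":
            # Keep an email-shaped value so format checks in tests still pass.
            masked[field] = f"{pseudonymise(str(value))}@example.invalid"
        else:
            masked[field] = pseudonymise(str(value))
    return masked

def copy_to_test(records: list, requester: str, authorisation_ref: str) -> tuple:
    """Mask a batch bound for a test environment and emit one audit record
    naming who copied it and under which approval, with no sensitive values."""
    masked = [mask_record(r) for r in records]
    audit = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "requester": requester,
        "authorisation": authorisation_ref,
        "record_count": len(masked),
        "masked_fields": sorted(SENSITIVE_FIELDS),
    }
    logging.info("test data copy: %s", json.dumps(audit))
    return masked, audit

# Constructed sample records standing in for a production extract.
SAMPLE_RECORDS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com", "phone": "+44 20 7946 0000", "plan": "gold"},
    {"customer_id": 1002, "name": "Bob Example", "email": "bob@example.com", "phone": "+44 20 7946 0001", "plan": "basic"},
]
```

Because the tokens are keyed, a test data set can be regenerated consistently across tables, while the audit entry gives the evidence trail the control asks for without itself containing personal data.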
Supplementary Guidance on ISO 27002 Control 8.33
It’s important to note that system and acceptance testing may require a significant amount of test information, potentially comparable to the volume of operational data.
Changes and Differences to ISO 27002:2013
While the 2022 version of ISO 27002 retains many similarities to its predecessor, a key distinction emerges:
New Requirement for appropriate controls
ISO 27002:2022 Control 8.33 supersedes the earlier 2013 version’s Control 14.3.1 which addressed the protection of test data.
While both standards share similarities, a key distinction in the 2022 edition is the explicit requirement for robust security measures within test environments. This includes the mandatory implementation of appropriate controls, such as data masking or removal, to safeguard sensitive information.
This specific requirement was notably absent in the 2013 version of the standard.
ISO 27002 Control 8.33 FAQ
ISO 27001 Annex A 8.33 is the information security control required by the ISO 27001 standard for ISO 27001 certification; ISO 27002 Control 8.33 is the implementation guidance for that control.
Yes, Test Information is a required information security control for ISO 27001 certification if you perform testing involving information or data.
ISO 27002 Control 8.33 Attributes Table
Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
---|---|---|---|---|
Preventive | Confidentiality, Integrity | Protect | Information Protection | Protection |