ISO 27001 Test Information: Annex A 8.33

Home / ISO 27001 Annex A Controls / ISO 27001 Test Information: Annex A 8.33

ISO 27001 Test Information
Implementation Guide
Implementation Checklist
Audit Checklist
FAQ
ISO 27002:2022 Control 8.33
ISO 27001 Annex A 8.33 Attributes Table

ISO 27001 Test Information

ISO 27001 Test Information is an ISO 27001 Annex A control that requires an organisation to protect production and operational information when used for testing.

Purpose

This is a preventive control to ensure relevance of testing and protection of operational information used for testing.

Definition

ISO 27001 defines ISO 27001 Annex A 8.33 as:

Test information should be appropriately selected, protected and managed.
ISO27001:2022 Annex A 8.33 Test Information

Implementation Guide

When it comes to testing information, in other words the information that you use in testing, the best advice for implementation is to not use production data, confidential data, personal data. Think of it this way, don’t use any data or information in test that could get you in hot water.

If you have to then you have to but here I would recommend using things such as data masking or specialist tools that turn data into test data.

What we need to do is select data and information that will ensure reliability of test results including the confidentiality, integrity and availability of the production and operational information.

Consider here the requirements of ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments.

General considerations would include

Access Control – having access control in place that mirrors the production environment
Authorisation – having a process of authorising the transfer of data between environments
Logging – having logs of the transfer of information between environments
Deletion – deleting testing data immediately after use
Test data is for testing only.

Depending on the test data that you have chosen then remember here that all of the annex a controls will apply to it as it does in production. Not using ‘real data’ is the best way to meet this control and mitigate risk.

If you have to use ‘real data’ then the advice would be to have a risk register item, manage through the risk management process, even if that is accepting the risk.

DO IT YOURSELF ISO27001

STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS

The Ultimate ISO 27001 Toolkit

Implementation Checklist

Test Information ISO 27001 Annex A 8.33 Implementation Checklist

1. Test Data Management

Challenge

Employing production data within testing environments elevates the potential for data breaches or unauthorised access.

Solution

Implement rigorous data sanitisation and data masking techniques.
Utilise synthetic data whenever possible.
Encrypt all production data utilised for testing purposes.
Establish robust access controls to safeguard test data.

2. Data Anonymisation and Data Masking

Challenge

Anonymising or masking data effectively is complex and requires constant attention to prevent re-identification risks.

Solution

Utilise sophisticated tools to effectively anonymise or mask sensitive data.
Regularly assess the effectiveness of masking techniques and ensure compliance with laws and relevant regulations.
Continuously monitor systems for potential vulnerabilities and weaknesses that could lead to re-identification.

3. Access Control

Challenge

Managing access rights in large organisations, especially when collaborating with external partners, can create significant security vulnerabilities.

Solution

Implement Role-Based Access Control (RBAC): Utilise RBAC to efficiently manage and control access permissions based on an individual’s role and responsibilities within the organisation.
Regularly review access rights: Conduct periodic reviews of access rights to ensure they remain appropriate and aligned with current business needs.
Monitor access logs: Continuously monitor access logs to detect and promptly respond to any unauthorised access attempts.

4. Environment Separation

Challenge

Maintaining distinct development, testing, and production environments can be challenging, particularly within agile development methodologies.

Solution

Establish and enforce strict environment separation policies: Implement Separation of Development, Test and Production Environments.
Leverage automation: Utilise automated tools to prevent accidental or unauthorised movement of code or data between environments.
Conduct regular audits: Regularly review and assess the effectiveness of environment separation controls.

5. Compliance and Security Requirements

Challenge

Maintaining compliance in test environments while adapting to constantly evolving regulations presents a significant challenge.

Solution

Utilise compliance management tools: Employ specialised tools to track and monitor regulatory changes and ensure compliance adherence.
Integrate compliance into the ISMS: Incorporate compliance requirements directly into the Information Security Management System (ISMS) framework.
Provide continuous training: Regularly train security teams on the latest regulatory requirements and best practices for maintaining compliance in test environments.

6. Documentation and Audit

Challenge

Maintaining comprehensive and audit-ready documentation can be time-consuming and resource-intensive.

Solution

Automate documentation processes: Utilise automated tools to streamline documentation tasks, such as generating reports and tracking changes.
Conduct regular reviews: Regularly review and update documentation to ensure accuracy, completeness, and compliance with relevant standards (e.g., ISO 27001).

Audit Checklist

Test Information ISO 27001 Annex A 8.33 Audit Checklist

1. Test Data Management

Review and test data sanitisation and masking techniques.
Check the use of synthetic data.
Evidence that encryption of all production data utilised for testing purposes is in place.
Walkthrough the access controls that are in place to safeguard test data.

2. Data Anonymisation and Data Masking

Document the tools to effectively anonymise or mask sensitive data.
Assess the effectiveness of masking techniques and ensure compliance with relevant regulations.
Walkthrough systems for potential vulnerabilities and weaknesses that could lead to re-identification.

3. Access Control

Ensure Role-Based Access Control (RBAC) is used to manage and control access permissions based on an individual’s role and responsibilities within the organisation.
Review access rights: Conduct a review of access rights to ensure they remain appropriate and aligned with documented business needs.
Check access logs

4. Environment Separation

Review the environment separation policies and check for clear rules and procedures for managing and accessing each environment.
Assess automation and the use of automated tools to prevent accidental or unauthorised movement of code or data between environments.
Check there have been regular audits that review and assess the effectiveness of environment separation controls.

5. Compliance and Security Requirements

Review compliance management tools and how they track and monitor regulatory changes and ensure compliance adherence.
Ensure that compliance is integrated into the ISMS
Asses continuous training and that regular training is in place for security teams on the latest regulatory requirements and best practices for maintaining compliance in test environments.

6. Documentation and Audit

Ensure that reviews and internal audits are in place and evidenced
Assess the documentation framework, inputs and outputs.

FAQ

What is the purpose of ISO 27001 Annex A 8.33: Test Information?

To ensure the appropriate selection, protection, and management of test information, minimising the risk of data breaches and maintaining the confidentiality, integrity, and availability of sensitive data during testing activities.

Why is protecting test information important?

Data Breaches: Test environments often contain sensitive production data, making them a target for attackers.
Compliance: Improper handling of test data can lead to non-compliance with data privacy regulations (e.g., GDPR).
Reputational Damage: A data breach involving test data can severely damage an organisation’s reputation and erode customer trust.

What types of information are considered “test information”?

Production data used in test environments (e.g., customer data, financial information).
Test scripts and data sets.
System logs and audit trails generated during testing.

What are the key principles for protecting test information?

Data Minimisation: Only use the necessary amount of production data for testing purposes.
Data Masking and Anonymization: Employ techniques to mask or anonymise sensitive data before using it in test environments.
Access Control: Implement strong access controls to restrict access to test data and environments.
Data Encryption: Encrypt sensitive data both in transit and at rest.
Secure Data Disposal: Securely delete or destroy test data after testing is complete.

How can organisations ensure the confidentiality of test information?

Implementing strong access controls, including least privilege and multi-factor authentication.
Utilising secure communication channels for data transfer.
Encrypting data both in transit and at rest.

How can organisations ensure the integrity of test information?

Implementing data validation and integrity checks.
Using checksums and hash functions to verify data integrity.
Regularly backing up and restoring test data.

What are the key considerations for data masking and anonymization?

Selecting appropriate masking techniques based on the sensitivity of the data.
Ensuring that masked data is still suitable for testing purposes.
Regularly reviewing and updating masking rules.

How can organisations demonstrate compliance with ISO 27001 Annex A 8.33?

Documenting and implementing policies and procedures for handling test information.
Conducting regular security audits and assessments of test environments.
Monitoring and logging access to test data and environments.
Maintaining records of all data masking and anonymization activities.

What are the potential consequences of inadequate test information security?

Data breaches and loss of sensitive information.
Non-compliance with data privacy regulations.
Reputational damage and loss of customer trust.
Financial penalties and legal action.

How can organisations improve their test information security practices?

Regularly review and update security policies and procedures.
Conduct security awareness training for employees involved in testing activities.
Stay informed about emerging threats and best practices in data security.
Continuously monitor and improve security controls related to test information.

ISO 27002:2022 Control 8.33

ISO 27002 Control 8.33 provides implementation guidance for ISO 27001 Test Information.

ISO 27001 Annex A 8.33 Attributes Table

Control type	Information security properties	Cybersecurity concepts	Operational capabilities	Security domains
Preventive	Confidentiality	Protect	Information Protection	Protection
	Integrity

Confidentiality Information Protection Integrity Preventive Protect Protection

Stop Spanking £10,000s on consultants and ISMS online-tools.

ISO 27001 Toolkit

About the author

I am Stuart Barker the ISO 27001 Ninja.

You can connect with me on Linked In, stalk me, check me out and join my network.

I am an information security practitioner of over 30 years. I hold a Software Engineering degree and started my career in software development. In 2010 I started my first cyber security consulting business that I sold in 2018. I worked for over a decade for GE, leading a data governance team across Europe and since then have gone on to deliver hundreds of client engagements and audits.

I regularly mentor and train professionals on information security and run a successful ISO 27001 YouTube channel where I show people how they can do it themselves. I am passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In my personal life I am active and a hobbyist kickboxer.

My specialisms are ISO 27001 and SOC 2 and my niche is start up and early stage business.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

ISO 27001 Test Information: Annex A 8.33

Table of contents

ISO 27001 Test Information

Purpose

Definition

Implementation Guide

Implementation Checklist

1. Test Data Management

Challenge

Solution

2. Data Anonymisation and Data Masking

Challenge

Solution

3. Access Control

Challenge

Solution

4. Environment Separation

Challenge

Solution

5. Compliance and Security Requirements

Challenge

Solution

6. Documentation and Audit

Challenge

Solution

Audit Checklist

1. Test Data Management

2. Data Anonymisation and Data Masking

3. Access Control

4. Environment Separation

5. Compliance and Security Requirements

6. Documentation and Audit

FAQ

ISO 27002:2022 Control 8.33

ISO 27001 Annex A 8.33 Attributes Table

About the author

Free 30 minute ISO27001 strategy session.