What is ISO27001 Test Information?

ISO27001 Annex A 8.33 Test Information is an ISO27001 control that requires us to protect production and operational information when used for testing.


ISO27001 Annex A 8.33 is a preventive control to ensure relevance of testing and protection of operational information used for testing.


The ISO27001 standard defines ISO27001 Annex A 8.33 as:

Test information should be appropriately selected, protected and managed.

ISO27001:2022 Annex A ISO27001 Annex A 8.33 Test Information

Implementation Guide

When it comes to testing information, in other words the information that you use in testing, the best advice for implementation is to not use production data, confidential data, personal data. Think of it this way, don’t use any data or information in test that could get you in hot water.

If you have to then you have to but here I would recommend using things such as data masking or specialist tools that turn data into test data.

What we need to do is select data and information that will ensure reliability of test results including the confidentiality, integrity and availability of the production and operational information.

Consider here the requirements of ISO27001 Annex A 8.31 Separation of development, test and production environments

General considerations would include

  • Access Control – having access control in place that mirrors the production environment
  • Authorisation – having a process of authorising the transfer of data between environments
  • Logging – having logs of the transfer of information between environments
  • Deletion – deleting testing data immediately after use
  • Test data is for testing only.

Depending on the test data that you have chosen then remember here that all of the annex a controls will apply to it as it does in production. Not using ‘real data’ is the best way to meet this control and mitigate risk.

If you have to use ‘real data’ then the advice would be to have a risk register item, manage through the risk management process, even if that is accepting the risk.