ISO 27001 Annex A 8.33 Test Information


What is ISO 27001 Test Information?

ISO 27001 Annex A 8.33 Test Information is an ISO 27001 control that requires us to protect production and operational information when used for testing.

Purpose

ISO 27001 Annex A 8.33 is a preventive control to ensure relevance of testing and protection of operational information used for testing.

Definition

The ISO 27001 standard defines ISO 27001 Annex A 8.33 as:

Test information should be appropriately selected, protected and managed.

ISO27001:2022 Annex A 8.33 Test Information

Implementation Guide

When it comes to test information, that is, the information you use in testing, the best implementation advice is simple: do not use production data, confidential data or personal data. Put another way, do not use any data or information in test that could get you into hot water.

If you genuinely have to use production-derived data, then I would recommend data masking or specialist tools that turn production data into test data: keyed pseudonymisation of identifiers, generalisation of dates, and format-preserving replacement of values such as card numbers, so that the test data still exercises the same code paths without carrying the real values.

What we need to do is select data and information that will ensure the reliability of test results while preserving the confidentiality, integrity and availability of the production and operational information it was derived from.
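As an added worked example of the masking approach recommended above (written for this page, not taken from the ISO standard or from any product), the following Python builds a test dataset from constructed sample "production" records. Emails are replaced with keyed HMAC pseudonyms so that rows in a second table still join to the right customer, dates of birth are generalised to the year, card numbers are replaced with Luhn-valid numbers of the same length, and a leakage check confirms no original sensitive value survives in the output. The records, field names and `MASK_KEY` are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample "production" records for the example; not real people.
CUSTOMERS = [
    {"id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "dob": "1984-03-09", "card": "4111111111111111", "balance": 1520.50},
    {"id": 1002, "name": "Bob Sample", "email": "bob@example.net",
     "dob": "1991-11-27", "card": "5500000000000004", "balance": -42.00},
]
ORDERS = [
    {"order_id": "A-1", "customer_email": "alice@example.com", "amount": 99.99},
    {"order_id": "A-2", "customer_email": "bob@example.net", "amount": 15.00},
    {"order_id": "A-3", "customer_email": "alice@example.com", "amount": 3.50},
]

# Hypothetical masking key. It lives only in the tool that produces the test
# dataset and is never deployed to the test environment; rotate it per refresh.
MASK_KEY = b"rotate-me-on-every-test-data-refresh"

SENSITIVE_FIELDS = ("name", "email", "dob", "card")


def pseudonym(value, length=16):
    """Keyed, deterministic token: same input gives the same token, and the
    token cannot be reversed to the input without MASK_KEY."""
    digest = hmac.new(MASK_KEY, value.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:length]


def mask_email(email):
    # Still looks like an email (validation code keeps working) but the
    # mailbox and domain are gone; .invalid can never be delivered to.
    return f"user-{pseudonym(email)}@test.invalid"


def mask_name(email):
    # Derive the display name from the email pseudonym so the two fields agree.
    return f"Customer {pseudonym(email, length=8)}"


def mask_dob(dob):
    # Generalise to 1 January of the birth year: age-band logic stays testable.
    return dob[:4] + "-01-01"


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # positions that are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def mask_card(card):
    # Replace the PAN with a keyed, Luhn-valid number of the same length.
    h = hmac.new(MASK_KEY, card.encode(), hashlib.sha256).hexdigest()
    body = "4" + "".join(str(int(c, 16) % 10) for c in h)[: len(card) - 2]
    return body + luhn_check_digit(body)


def mask_customers(rows):
    # id and balance are kept: in this schema they are not personal data and
    # the test suite needs realistic balances for its calculations.
    return [{**r,
             "name": mask_name(r["email"]),
             "email": mask_email(r["email"]),
             "dob": mask_dob(r["dob"]),
             "card": mask_card(r["card"])} for r in rows]


def mask_orders(rows):
    # Same keyed pseudonym as the customer table, so joins still resolve.
    return [{**r, "customer_email": mask_email(r["customer_email"])} for r in rows]


def leaked_values(original_rows, masked_rows, fields=SENSITIVE_FIELDS):
    """Return every original sensitive value that survives anywhere in the
    masked output. An empty list is the acceptance criterion for release."""
    originals = {str(r[f]) for r in original_rows for f in fields}
    haystack = " ".join(str(v) for r in masked_rows for v in r.values())
    return sorted(v for v in originals if v in haystack)


def orders_resolve(masked_customers, masked_orders):
    """Referential integrity check: every masked order points at a masked customer."""
    emails = {c["email"] for c in masked_customers}
    return all(o["customer_email"] in emails for o in masked_orders)


if __name__ == "__main__":
    mc, mo = mask_customers(CUSTOMERS), mask_orders(ORDERS)
    print("leaked:", leaked_values(CUSTOMERS, mc))
    print("orders resolve:", orders_resolve(mc, mo))
    for row in mc:
        print(row)
```

The leakage check is the part an auditor will ask about: it is evidence that the dataset handed to the test team was verified, not just "masked by a script". Run it against every refresh, and record the run alongside the transfer authorisation and log entry.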

Consider here the requirements of ISO 27001 Annex A 8.31 Separation of development, test and production environments: masked or not, test data should only ever live in an environment that is separated from production.

General considerations include:

  • Access Control – access controls on the test environment that mirror those of the production environment
  • Authorisation – a process for authorising each transfer of data between environments
  • Logging – logs of every transfer of information between environments
  • Deletion – deleting test data immediately after use
  • Purpose – test data is for testing only

Whatever test data you choose, remember that all of the Annex A controls apply to it just as they do in production. Not using ‘real data’ is the best way to meet this control and mitigate the risk.

If you have to use ‘real data’, then the advice is to record it as a risk register item and manage it through the risk management process, even if the outcome is accepting the risk.

ISO 27001 Templates

ISO 27001 templates are a massive boost that can save time and money, so alongside the implementation guide we recommend these pre-written templates to accelerate your implementation. This ISO 27001 Toolkit has been specifically designed so you can DIY your ISO 27001 certification, build your ISMS in a week and be ISO 27001 certification ready in 30 days.

DO IT YOURSELF ISO 27001

All the templates, tools, support and knowledge you need to do it yourself.

ISO 27001 Toolkit Business Edition