
ISO 27001:2022 A.8.33 Test information

This article provides additional information on how you can meet the requirement for the ISO 27001:2022 control A.8.33 Test information.

ISO 27001:2022 Control Description

Test information shall be appropriately selected, protected and managed.

Purpose

To ensure that test data is relevant and that any operational information used for testing is properly protected.

Guidance on implementation

Test data should be selected so that it exercises realistic scenarios without exposing operational information. Sensitive data, such as personally identifiable information, should not be copied into development or testing environments; where production data is genuinely needed, it should be anonymised or masked before it leaves the operational environment.

Guidelines for Protecting Test Information

Whether your test environment is in-house or hosted on a cloud service, the following guidelines should be followed to protect operational information used for testing:

  1. Access Control - apply the same access control measures to test environments as you do to operational environments.
  2. Separate Authorisation - require separate authorisation every time operational information is copied into a test environment.
  3. Audit Trail - log all instances of copying and using operational information to create an audit trail.
  4. Sensitive Data Protection - protect sensitive data by either removing or masking it before using it in tests.
  5. Data Deletion - immediately delete operational information from the test environment once testing is complete to prevent unauthorised access.
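The following script is an added example and is not part of this article or of the ISO 27001 standard. It shows how guidelines 2, 3 and 4 above can be enforced in one place when a copy of operational data is prepared for a test environment: the export refuses to run without a separate approval reference, free-text fields are dropped, customer identifiers are replaced with keyed pseudonyms (so joins between tables still work, but nothing can be re-linked without a key that stays on the production side), contact details are replaced with obviously synthetic values, and an audit record is produced for every copy. The sample records, the field names, the approval-reference format and the policy itself are constructed assumptions for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample of operational records (invented for this example, not real data).
PRODUCTION_ROWS = [
    {"customer_id": "C-10482", "name": "Alice Example", "email": "alice@example.com",
     "phone": "+44 20 7946 0123", "postcode": "SW1A 1AA", "order_total": 129.99,
     "notes": "Called about refund; mentioned card ending 4242"},
    {"customer_id": "C-10483", "name": "Bob Sample", "email": "bob@example.org",
     "phone": "+44 20 7946 0456", "postcode": "M1 1AE", "order_total": 15.0,
     "notes": "VIP, partner of Alice Example"},
]

# Masking policy (assumed field names). Anything not listed is copied unchanged,
# so a new column must be reviewed before it reaches the test environment.
DROP_FIELDS = {"notes"}                        # free text can hide anything: remove it
PSEUDONYMISE_FIELDS = {"customer_id"}          # keyed hash keeps joins between tables working
SYNTHETIC_FIELDS = {"name", "email", "phone"}  # replaced with obviously fake values
GENERALISE_FIELDS = {"postcode"}               # reduced to the outward code only
SENSITIVE_FIELDS = DROP_FIELDS | PSEUDONYMISE_FIELDS | SYNTHETIC_FIELDS | GENERALISE_FIELDS


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: the same input always maps to the same token,
    but it cannot be reversed or re-linked without the key, which is held on the
    production side and never copied into the test environment."""
    return "T-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def mask_row(row: dict, key: bytes, seq: int) -> dict:
    """Apply the policy to one record; seq numbers the synthetic identities."""
    out = {}
    for field, value in row.items():
        if field in DROP_FIELDS:
            continue
        if field in PSEUDONYMISE_FIELDS:
            out[field] = pseudonym(str(value), key)
        elif field == "name":
            out[field] = f"Test User {seq}"
        elif field == "email":
            out[field] = f"test.user{seq}@example.invalid"  # reserved TLD, never deliverable
        elif field == "phone":
            out[field] = f"+44 7700 {900000 + seq:06d}"       # Ofcom range reserved for fiction
        elif field in GENERALISE_FIELDS:
            out[field] = str(value).split()[0]
        else:
            out[field] = value
    return out


def leaked_values(original_rows: list, masked_rows: list) -> list:
    """Return every original sensitive value that still appears anywhere in the
    masked output. An empty list is the precondition for releasing the extract."""
    haystack = json.dumps(masked_rows, sort_keys=True)
    return [str(row[f]) for row in original_rows for f in SENSITIVE_FIELDS
            if f in row and str(row[f]) and str(row[f]) in haystack]


def export_for_test(rows: list, key: bytes, approval_ref: str, actor: str) -> tuple:
    """Mask a copy of operational data for a test environment and return
    (masked_rows, audit_record). Refuses to run without a separate approval
    reference (assumed change-ticket format) so each copy is individually authorised."""
    if not approval_ref:
        raise PermissionError("copying operational data to test requires an approval reference")
    masked = [mask_row(row, key, seq) for seq, row in enumerate(rows, start=1)]
    leaks = leaked_values(rows, masked)
    if leaks:
        raise ValueError(f"masking incomplete, refusing export: {leaks}")
    policy = {name: sorted(fields) for name, fields in {
        "drop": DROP_FIELDS, "pseudonymise": PSEUDONYMISE_FIELDS,
        "synthetic": SYNTHETIC_FIELDS, "generalise": GENERALISE_FIELDS}.items()}
    audit = {  # one record per copy: who, when, under what approval, with which policy
        "event": "operational_data_copied_to_test",
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "approval_ref": approval_ref,
        "rows_in": len(rows),
        "rows_out": len(masked),
        "policy_sha256": hashlib.sha256(json.dumps(policy, sort_keys=True).encode()).hexdigest(),
    }
    return masked, audit


if __name__ == "__main__":
    masked_rows, audit_record = export_for_test(
        PRODUCTION_ROWS, key=b"hold-this-in-production-kms-only",
        approval_ref="CHG-2024-0117", actor="jdoe")
    print(json.dumps(masked_rows, indent=2))
    print(json.dumps(audit_record, indent=2))
```

Two design points matter in practice. The pseudonymisation key is the only thing that links a token back to a real customer, so it belongs with the production secrets and must not travel with the extract; if a tester can reach the key, the "masked" data is effectively unmasked. And the leak check runs before anything is released, so a newly added column or a value that slipped through the policy blocks the export rather than being discovered in the test database later. The audit record is the evidence for guideline 3; storing it alongside the change ticket also gives you the trigger for guideline 5, deleting the extract when that ticket closes.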

Additional Considerations

Test data should be securely stored to prevent tampering, which could invalidate test results. It should only be used for testing purposes and not for any other activities.

System and acceptance testing often require large amounts of test data that closely resemble the actual operational data. However, this data must still be managed carefully to ensure its integrity and security.