What the auditor wants to verify
Audit objective
Verify that test information is appropriately selected, protected, managed, logged, and deleted when no longer needed.
Evidence to request
| Evidence | Purpose |
|---|---|
| Test data selection rules | Shows governance of test information |
| Test information register | Shows test data instances |
| Live-data approval records | Shows authorization |
| Masking/anonymisation evidence | Shows exposure reduction |
| Test environment access review | Shows access control |
| Test logs and output handling | Shows traceability and output protection |
| Deletion/destruction records | Shows data removed after use |
| Privacy/legal review | Shows personal data requirements considered |
Strong evidence
- Synthetic or masked data is the default.
- Each live-data use is authorized.
- Test environments protect sensitive data appropriately.
- Logs, caches, screenshots, and debug files are controlled.
- Test information is securely deleted after use.
Weak evidence
- Production data is copied to test for convenience.
- Masking is assumed but not verified.
- Test outputs are broadly accessible.
- Deletion after testing is not evidenced.
- Privacy/legal review is missing for personal data.
Sample interview questions
- What data is normally used for testing?
- When is production data allowed in test?
- Who approves live-data testing?
- How are logs, debug files, and test outputs protected?
- How is test data deleted after use?
- How do you ensure tests remain reproducible?
Common nonconformities
- Live data used without approval.
- Sensitive test data lacks access controls.
- Test outputs leak sensitive information.
- No deletion evidence exists.
- Legal/privacy requirements are not assessed.
Related notes
- Audit
- Evidence
- A8 33
- Iso27001
Note Metadata
Aliases: A.8.33 Evidence
Source: 04 Audit Evidence Packs/A.8.33 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.