Requirement
Requirement lens
This control asks whether test information is selected, protected, managed, and removed appropriately.
“Test information shall be appropriately selected, protected and managed.”
Plain-language meaning
Test data should be chosen deliberately. Synthetic or fictitious data is usually safer. If production data is used for testing, it must be justified, authorized, protected, logged, retained only as needed, and securely deleted afterward.
Why this matters
Test environments often have weaker controls than production. Using live personal, customer, financial, confidential, or operational data in test can create serious confidentiality, privacy, legal, and integrity risk.
Testing also creates secondary data: logs, debug files, screenshots, caches, exports, test results, recordings, and temporary files. These can leak sensitive information even when the primary test database is protected.
Implementation guidance
Implementer focus
Start with synthetic data. Use production data only when there is a clear reason, documented approval, matching controls, and a deletion plan.
1. Prefer synthetic or masked data
Use fictitious, synthetic, masked, tokenised, or anonymised data where possible. Avoid live data unless testing cannot be meaningful without it.
2. Authorize live-data use every time
Each use of operational data for testing should be approved. The approval should explain the business reason, data involved, controls, retention, and deletion method.
3. Protect test information according to sensitivity
Apply access control, encryption, logging, retention limits, environment separation, masking, monitoring, and deletion controls appropriate to the data sensitivity.
4. Control secondary test outputs
Protect logs, debug output, caches, screenshots, exports, test reports, and recorded sessions because they can contain the same sensitive information as the test data.
5. Preserve reproducibility without over-retention
Tests should be reproducible, but test information should not be retained indefinitely. Keep what is needed for retesting and evidence, then securely delete it.
6. Consider legal and privacy requirements
Personal data used for testing may require anonymisation, explicit permission, minimization, retention controls, and privacy review.
Audit guidance
Auditor focus
Follow one test involving sensitive or production-derived information from approval to access control, logging, use, output protection, and secure deletion.
Auditors should verify:
- test data selection is deliberate and risk-based;
- live production data is discouraged and justified when used;
- each use of live data is authorized;
- sensitive data is masked, tokenised, anonymised, or otherwise protected where possible;
- test environments with sensitive data have appropriate controls;
- logs, debug files, caches, and test outputs are protected;
- access to test systems is controlled and logged;
- test data is securely removed when no longer needed;
- legal/privacy requirements are considered.
Evidence examples
Evidence quality
Strong evidence proves test information is controlled across its full lifecycle, including copies and outputs.
| Evidence | What it proves |
|---|---|
| Test data selection rules | Data choice is governed |
| Test data approval record | Live data use is justified |
| Masking/anonymisation evidence | Sensitive data exposure is reduced |
| Test environment access review | Access is restricted |
| Test logs | Actions are traceable |
| Retention/deletion record | Data is removed after testing |
| Privacy/legal review | Legal requirements were considered |
| Test output handling rules | Logs and artifacts are protected |
Strong evidence
- Synthetic or masked data is the default.
- Live data use has explicit approval per occasion.
- Test environment controls match data sensitivity.
- Test outputs and logs are protected.
- Data deletion is evidenced after test completion.
- Privacy/legal requirements are assessed for personal data.
Weak evidence
- Production data is copied into test because it is convenient.
- Masking is claimed but not verified.
- Test logs contain sensitive data and are widely accessible.
- No deletion record exists after testing.
- Test environments have broad developer access.
- Privacy implications are not reviewed.
Common failures
Implementation watchouts
A.8.33 often fails through forgotten copies: logs, exports, screenshots, caches, and debug files.
| Failure | Why it matters |
|---|---|
| Live data used by default | Test becomes a confidentiality and privacy exposure |
| No approval per use | Risk owner cannot judge necessity |
| Weak test access controls | Non-production users see sensitive data |
| Logs/debug files ignored | Sensitive data leaks through secondary outputs |
| No secure deletion | Test data remains after purpose ends |
| Irreproducible tests | Retesting and defect verification become unreliable |
Exam traps
Exam focus
A.8.33 is about selecting, protecting, managing, and deleting test information. It is not just a development convenience issue.
| Trap | Correct interpretation |
|---|---|
| Test data is lower risk because it is non-production | Sensitivity follows the data, not the environment label |
| Anonymised data is always safe | Anonymisation quality and re-identification risk matter |
| Only the database matters | Logs, caches, reports, and debug files can contain sensitive data |
| One approval covers all future live-data testing | Each use should be justified and authorized |
| Deleting the test database is enough | Copies and secondary outputs also need handling |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.11 Data Masking
- A.8.10 Information Deletion
- A.8.31 Separation of Development Test and Production Environments
- A.8.29 Security Testing in Development and Acceptance
- A.5.34 Privacy and Protection of PII
- Risk Assessment
- Statement of Applicability
- Test Information Management Register
- Test Data Protection Checklist
- Test Data Security Approval Record
- A.8.33 Audit Evidence Pack
- A.8.33 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.33 protects information used for testing. Strong implementation prefers synthetic data, controls live-data exceptions, protects outputs, logs access, and deletes test information when no longer needed.
- Prefer synthetic, masked, or anonymised test data.
- Authorize every live-data use.
- Protect test data according to sensitivity.
- Control logs, debug files, exports, and caches.
- Make tests reproducible without unnecessary retention.
- Securely delete test information after use.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Test information
- Test data
Note Metadata
Aliases: A.8.33, Test Information
Source: 05 Annex A Technological Controls/A.8.33 Test Information.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.34 - Privacy and Protection of PII
- A.8.33 Audit Evidence Pack
- ISO 27001 A.8.10 - Information Deletion
- ISO 27001 A.8.11 - Data Masking
- ISO 27001 A.8.29 - Security Testing in Development and Acceptance
- ISO 27001 A.8.31 - Separation of Development Test and Production Environments
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.33 Test Information
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-041 - Change Test Information and Audit Testing
- ISO 27002 Annex A Control Interpretation Map
- A.8.33 Audit Checklist
- Test Data Protection Checklist
- Test Data Security Approval Record
- Test Information Management Register
- Annex A Controls MOC