Test Information - ISO 27001 Annex A Control
ISO 27001 Annex A 8.33
Test data deserves the same protection as the production data it represents.
ISO 27001 Annex A 8.33 - Test Information
Test data carries the same protection requirements as the production data it is derived from, plus the added exposure of being held in environments with weaker controls. The control asks for test data to be selected appropriately - that is, real production data should not be used as test data unless there is a specific, controlled reason - and, when it is used, managed with the same care as production data.
The preferred approach is masked or synthetic data. Masking under A.8.11 substitutes sensitive values with format-preserving alternatives. Synthetic data generates realistic but artificial values from scratch. Either reduces the risk in test environments significantly without compromising the realism needed for testing.
Where real production data is genuinely needed, the test environment should be brought up to production-equivalent controls for that data, the use should be time-limited, and the data should be removed when no longer needed. The exception should be documented and reviewed rather than becoming a default.
The simplest fix for most test data issues is to mask the data once at copy time and then refresh as needed. The masking adds time to the initial copy but eliminates the recurring concern about test environments holding production data. Where the masking can be automated as part of the data refresh process, the control becomes part of the routine rather than an extra step.
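As an added illustration of the masking approach described above (this is example code, not alphaZ's or the standard's own material): a small Python masking pass of the kind that could run at copy time during a test-data refresh. Everything specific here is assumed or constructed: the masking key, the pseudonym lists, the column names and the sample rows. Each sensitive value is replaced by a keyed, deterministic substitute of the same shape, so foreign keys and joins across tables still line up and the key can be rotated at every refresh, and a final leak check confirms that no original sensitive value survived the copy.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Hypothetical masking key. Generate a fresh one for each refresh and keep it
# out of the test environment: without it the masked values cannot be
# re-linked to the production records.
MASK_KEY = b"example-key-rotate-per-refresh"

# Constructed pseudonym lists used to replace real names.
FIRST_NAMES = ["Alex", "Sam", "Jordan", "Casey", "Riley", "Morgan", "Taylor", "Jamie"]
LAST_NAMES = ["Smith", "Patel", "Nguyen", "Garcia", "Okafor", "Muller", "Rossi", "Kim"]


def keyed_digest(key: bytes, column: str, value: str) -> bytes:
    """HMAC-SHA256 over column name and value. Deterministic for one key, so a
    production value always maps to the same masked value (foreign keys and
    joins still line up); a different key gives an unrelated mapping."""
    return hmac.new(key, f"{column}\x00{value}".encode(), hashlib.sha256).digest()


def mask_name(value: str, key: bytes = MASK_KEY) -> str:
    """Replace a real name with a pseudonym chosen from the constructed lists."""
    d = keyed_digest(key, "name", value)
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"


def mask_email(value: str, key: bytes = MASK_KEY) -> str:
    """Keep the local@domain shape and the local-part length, but point the
    address at a reserved domain so test systems cannot email real people."""
    local, _, _domain = value.partition("@")
    masked_local = keyed_digest(key, "email", value).hex()[: max(len(local), 4)]
    return f"{masked_local}@example.invalid"


def mask_alnum(value: str, column: str, key: bytes = MASK_KEY) -> str:
    """Format-preserving replacement for phone numbers, identifiers and similar:
    digits become other digits, letters other letters (case kept), and
    separators such as '+', '-', ' ' and '(' stay where they are, so input
    validation in the system under test still passes."""
    d = keyed_digest(key, column, value)
    out: List[str] = []
    i = 0  # index into the digest, advanced only for replaced characters
    for ch in value:
        if ch.isdigit():
            out.append(str(d[i % len(d)] % 10))
            i += 1
        elif ch.isascii() and ch.isalpha():
            base = "A" if ch.isupper() else "a"
            out.append(chr(ord(base) + d[i % len(d)] % 26))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


# Columns treated as sensitive and the masker applied to each (assumed schema).
SENSITIVE_COLUMNS = {
    "name": lambda v, k: mask_name(v, k),
    "email": lambda v, k: mask_email(v, k),
    "phone": lambda v, k: mask_alnum(v, "phone", k),
    "national_id": lambda v, k: mask_alnum(v, "national_id", k),
}


def mask_rows(rows: List[Dict[str, str]], key: bytes = MASK_KEY) -> List[Dict[str, str]]:
    """The copy-time step: mask sensitive columns, pass other columns through."""
    return [
        {col: SENSITIVE_COLUMNS[col](val, key) if col in SENSITIVE_COLUMNS else val
         for col, val in row.items()}
        for row in rows
    ]


def find_leaks(original: List[Dict[str, str]],
               masked: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Post-refresh check: report any sensitive column whose masked value still
    equals the production value. An empty list means the copy is clean."""
    leaks: List[Tuple[int, str]] = []
    for idx, (orig_row, masked_row) in enumerate(zip(original, masked)):
        for col in SENSITIVE_COLUMNS:
            if col in orig_row and masked_row.get(col) == orig_row[col]:
                leaks.append((idx, col))
    return leaks


# Constructed sample rows standing in for a production extract; not real people.
PRODUCTION_SAMPLE = [
    {"customer_id": "1001", "name": "Jane Doe", "email": "jane.doe@corp.example",
     "phone": "+44 20 7946 0958", "national_id": "AB-123456-C"},
    {"customer_id": "1002", "name": "John Roe", "email": "jroe@corp.example",
     "phone": "(555) 010-4242", "national_id": "CD-654321-E"},
]

if __name__ == "__main__":
    for row in mask_rows(PRODUCTION_SAMPLE):
        print(row)
    print("leaks:", find_leaks(PRODUCTION_SAMPLE, mask_rows(PRODUCTION_SAMPLE)))
```

Two design points matter for the control. Because the substitution is keyed and deterministic, the same production value masks to the same test value across every table in one refresh, which is what keeps relational test data usable; rotating the key at the next refresh means values from different refreshes cannot be correlated. The leak check is the evidence an auditor will ask for: run it on every refresh and keep the result with the refresh record.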
Practical Compliance Guidance
Test data management is described in the IMS1 manual at section 8.5 alongside the Information Security Policy. The personal data register records the test data position for personal data flows.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| F-IMS24 Personal Data Register | The personal data register listing data categories and processing arrangements. Use to record the test data position for each personal data category - synthetic, masked, or real with controls. |
Note - all the above files can be downloaded with an alphaZ subscription.
