ISO 27001 Annex A Control 8.33

ISO 27001 control 8.33 Test information

The basics

ISO 27001 control A.8.33 Test information requires companies to select, protect, and manage test information. This matters because test information is often derived from production data and may therefore be sensitive.

Documentation

ISO 27001 control A.8.33 Test information can be documented:

  • for smaller and mid-sized companies by writing a Secure Development Policy
  • for larger companies by writing a Procedure for Using Test Information

These documents are not mandatory, but are recommended.

Implementation

In order to comply with control A.8.33 Test information you might implement the following:

  • Technology — the technology to enable the protection of test information in most cases may include software (e.g., sample generation software, monitoring and logging tools, wiping software, etc.) and hardware (e.g., separated physical servers and network devices). Small companies will probably be able to protect test information by implementing strict access control rules for accessing and using it, while bigger companies may use sample generation software to create properly de-characterized or anonymized data derived from the production environment.
  • Organization/processes — you should set up a process defining the criteria for selecting data for testing, how that data should be prepared for testing, and how test data should be protected against unauthorized access. You can document those processes through a Secure Development Policy or a Procedure for Using Test Information.
  • People — make employees aware of why protecting test data is important, and train developers on how to select, prepare, and protect it.
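The "sample generation" approach described above, as an added example that is not part of the original page: production-like records are turned into test data by pseudonymizing direct identifiers with a keyed hash (so references between records stay consistent) and generalizing the rest, and a final check confirms that no original identifier survives in the output. The record fields, the sample records and the key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample records standing in for a production export (not real people)
PRODUCTION_RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com", "dob": "1985-04-12", "balance": 1523.40},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.org", "dob": "1990-11-30", "balance": 87.05},
]

# Hypothetical secret held only by the tooling that produces test data; it must never
# be deployed to the test environment, otherwise tokens could be linked back to people
PSEUDONYM_KEY = b"constructed-key-do-not-reuse"


def pseudonymize(value: str) -> str:
    """Consistent, non-reversible token: same input -> same token, so foreign keys still match."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize_record(rec: dict) -> dict:
    """Replace direct identifiers and coarsen quasi-identifiers in one record."""
    token = pseudonymize(rec["email"])
    year = int(rec["dob"][:4])
    return {
        "id": rec["id"],                              # surrogate key, not personal data here
        "name": f"user_{token[:8]}",                  # real name replaced by a derived label
        "email": f"{token}@test.invalid",             # reserved TLD, mail can never be delivered
        "birth_year_bucket": f"{year // 10 * 10}s",   # date of birth generalized to a decade
        "balance": round(rec["balance"], -1),         # amount coarsened to the nearest 10
    }


def anonymize_dataset(records: list[dict]) -> list[dict]:
    return [anonymize_record(r) for r in records]


def leaks_production_values(original: list[dict], anonymized: list[dict]) -> list[str]:
    """Control check: list every original direct identifier that still appears in the output."""
    sensitive = {str(r[k]) for r in original for k in ("name", "email", "dob")}
    blob = " ".join(str(v) for r in anonymized for v in r.values())
    return sorted(s for s in sensitive if s in blob)


if __name__ == "__main__":
    test_data = anonymize_dataset(PRODUCTION_RECORDS)
    print(test_data)
    print("leaked identifiers:", leaks_production_values(PRODUCTION_RECORDS, test_data))
```

An empty result from `leaks_production_values` is the kind of artefact an auditor can be shown as evidence that test data was prepared according to the documented selection and protection criteria.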

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.8.33 Test information: whether the information used for testing information systems is properly selected and protected.