The QA team copies the production database to the test environment for integration testing. Six months later, the copy is still there — unmasked, unmonitored and accessible to twenty developers, three interns and two contractors. The test server has no disk encryption. A.8.33 requires that test information is carefully selected, protected and securely deleted after use.
Test data management is where data protection and development efficiency collide. This control ensures that testing remains effective while protecting sensitive information from unnecessary exposure.
What does the standard require?
- Avoid copying production data. Sensitive operational information should not be copied into test environments unless absolutely necessary.
- Apply equivalent controls. If production data is used, apply the same access controls and protection measures as in the production environment.
- Obtain authorization. Copying production data to test environments requires separate, documented approval.
- Log all actions. Record what data was copied, by whom, to where and when.
- Mask or anonymize. When real data is used, apply masking or anonymization to remove sensitive content while preserving test relevance.
- Delete after testing. Securely delete test data when it is no longer needed.
In practice
Default to synthetic or masked data. Make synthetic data generation or data masking the standard approach. Only escalate to production data when there is a documented justification that synthetic data is insufficient.
Automate test data provisioning. Build a test data pipeline: extract from production, mask sensitive fields, load into the test environment. Automate this end-to-end to eliminate manual steps where masking might be skipped.
Restrict access to test environments with real data. If production data must be used (even masked), restrict test environment access to team members who need it. Do not grant broader access than production.
Enforce cleanup after testing. Build automated cleanup into your CI/CD pipeline or test management process. Test data should be deleted within a defined period after the test cycle completes.
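The four practices above describe one pipeline: extract, mask, load, with a documented approval before the copy, an audit record of what was copied and an expiry that drives cleanup. The following script is an added example of that pipeline in Python; it is not code from the page or from any particular product. Assumed details are the table layout (`customer_id`, `name`, `email`, `phone`, `iban`, `plan`), the choice of keyed HMAC pseudonymization as the masking technique (chosen so that the same input always maps to the same pseudonym, which keeps joins and duplicate checks working in tests while the masking key stays on the production side), the approval-reference check and the 14-day retention default.

```python
"""Extract -> mask -> load pipeline for test data, with approval check,
audit record and retention expiry. Added example; sample rows are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a production table (not real people or accounts).
PRODUCTION_ROWS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+49 30 1234567", "iban": "DE89370400440532013000", "plan": "pro"},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.org",
     "phone": "+49 40 7654321", "iban": "DE02120300000000202051", "plan": "free"},
    {"customer_id": 1003, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+49 30 1234567", "iban": "DE89370400440532013000", "plan": "pro"},
]

# Fields that must never reach the test environment in clear text (assumed schema).
SENSITIVE_FIELDS = ("name", "email", "phone", "iban")


def pseudonymize(value: str, field_name: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: same input -> same output, so referential
    integrity survives masking, but the clear text cannot be recovered without
    the key. The key lives with the pipeline, never in the test environment."""
    digest = hmac.new(key, f"{field_name}:{value}".encode(), hashlib.sha256).hexdigest()[:12]
    if field_name == "email":
        return f"user_{digest}@test.invalid"            # keeps a valid email shape
    if field_name == "phone":
        return "+00 " + str(int(digest, 16) % 10**9).zfill(9)  # keeps a phone shape
    if field_name == "iban":
        return "XX00" + digest.upper()[:12].ljust(18, "0")     # IBAN-shaped, not valid
    return f"person_{digest}"


def mask_row(row: dict, key: bytes) -> dict:
    """Return a copy of the row with every sensitive field pseudonymized."""
    masked = dict(row)
    for name in SENSITIVE_FIELDS:
        if masked.get(name) is not None:
            masked[name] = pseudonymize(str(masked[name]), name, key)
    return masked


@dataclass
class AuditEntry:
    """What was copied, by whom, to where, when, and when it must be deleted."""
    requested_by: str
    approval_ref: str
    source: str
    target: str
    row_count: int
    masked_fields: list
    copied_at: datetime
    expires_at: datetime


def provision_test_data(rows, key: bytes, requested_by: str, approval_ref: str,
                        target: str, source: str = "production.customers",
                        retention_days: int = 14, now: datetime = None):
    """Mask and 'load' (here: return) the rows, refusing without an approval
    reference and recording an audit entry with a retention deadline."""
    if not approval_ref:
        raise PermissionError("copying production data requires a documented approval reference")
    now = now or datetime.now(timezone.utc)
    masked = [mask_row(r, key) for r in rows]
    entry = AuditEntry(requested_by, approval_ref, source, target, len(masked),
                       list(SENSITIVE_FIELDS), now, now + timedelta(days=retention_days))
    return masked, entry


def leak_check(original_rows, masked_rows):
    """Post-masking gate: list every (row index, field) in which a clear-text
    sensitive value from the source still appears. Empty list means clean."""
    secrets = {str(r[f]) for r in original_rows for f in SENSITIVE_FIELDS if r.get(f)}
    findings = []
    for i, row in enumerate(masked_rows):
        for name, value in row.items():
            if isinstance(value, str) and any(s in value for s in secrets):
                findings.append((i, name))
    return findings


def is_expired(entry: AuditEntry, now: datetime = None) -> bool:
    """True once the retention period has passed; the cleanup job keys on this."""
    return (now or datetime.now(timezone.utc)) >= entry.expires_at


if __name__ == "__main__":
    masking_key = b"example-only-key-keep-real-keys-in-a-secret-store"
    rows, audit = provision_test_data(PRODUCTION_ROWS, masking_key, "qa-pipeline",
                                      "CHG-EXAMPLE-001", "test-db-01")
    for r in rows:
        print(r)
    print("leaks:", leak_check(PRODUCTION_ROWS, rows))
    print("delete after:", audit.expires_at.isoformat())
```

The `leak_check` step is the part worth keeping in a real pipeline: it runs after masking and before load, and a non-empty result should fail the job rather than let a half-masked copy reach the test environment. The `AuditEntry` gives the logging evidence (who, what, where, when) and the `expires_at` field is what a scheduled cleanup job queries to satisfy the deletion requirement.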
Typical audit evidence
Auditors typically expect the following evidence for A.8.33:
- Test data policy — documented rules for test data selection, protection and deletion (see Secure Software Development Policy in the Starter Kit)
- Masking/anonymization evidence — proof that production data is masked before use
- Authorization records — documented approvals for using production data
- Access controls — evidence that test environment access is restricted
- Deletion records — evidence that test data is securely deleted after use
KPI
Percentage of test environments using anonymized or synthetic test data
Measured as a percentage: how many of your test environments use masked, anonymized or synthetic data instead of raw production data? Target: 100%.
Supplementary KPIs:
- Number of test environments with unmasked production data (target: zero)
- Mean age of test data (target: fresh, within the current test cycle)
- Percentage of test data provisioning pipelines with automated masking
BSI IT-Grundschutz
A.8.33 maps to BSI modules for development and testing:
- CON.8 (Software Development) — requirements for handling test data, including restrictions on using production data.
- OPS.1.1.6 (Software Testing and Approval) — test environment management and data protection during testing.
Related controls
- A.8.11 — Data Masking: Masking techniques applied to test data.
- A.8.31 — Separation of Development, Test and Production Environments: Environment separation as the context for test data protection.
- A.8.10 — Information Deletion: Secure deletion of test data after use.
Sources
- ISO/IEC 27001:2022 Annex A, Control A.8.33 — Test information
- ISO/IEC 27002:2022 Section 8.33 — Implementation guidance for test information
- BSI IT-Grundschutz, CON.8 — Software Development