Attributes: Technological | Preventive, Detective | Protect

A.8.33 Test Information

M365 Admin Path: Azure Portal > SQL databases > (database) > Security > Dynamic Data Masking

Evidence Source: Azure and Purview

What is this control?

ISO 27001 control A.8.33 Test Information ensures that test information is appropriately selected, protected, and managed. The control prohibits use of production data in test environments unless explicitly authorised with appropriate protection, requires synthetic or anonymised test data, implements access controls on test environments, and ensures test data is securely deleted when no longer required.

How to implement in Microsoft 365

Implement A.8.33 by establishing a policy that prohibits production data in test environments by default. Require CISO approval, with a documented business justification, for any use of production data in testing. When production data is approved for testing, apply the same access controls and encryption as in production, and record which data set was copied, where, and for how long.

Generate synthetic test data with a data generation tool that matches the production schema and constraints. Where production data is approved, anonymise or pseudonymise it before it leaves the production boundary, removing or tokenising PII while preserving the referential integrity the tests depend on. Dynamic Data Masking in Azure SQL (the admin path above) masks column values at query time for users without the UNMASK permission, but the stored data is unchanged and privileged users, or any user who can filter on the masked column, can still recover the values; treat it as an access control on a production copy, not as anonymisation. Restrict test environment access with Entra ID-backed RBAC to authorised testers only, using separate groups from those used for production.

Delete test data at the end of its retention period, including any pseudonymisation keys, and keep a documented destruction record.
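As an added example (not code from the page and not a Microsoft tool), the following Python script pseudonymises a constructed production extract in the way the steps above call for: identifiers are replaced by HMAC-SHA256 tokens under a per-refresh key so that the same customer still joins across tables, dates of birth are generalised to five-year bands, and a dictionary attack shows why an unkeyed hash is not pseudonymisation. The column names, sample rows and key handling are assumptions.

```python
"""Pseudonymise a production extract for use in a test environment.

Added illustration for A.8.33; not code from the page or from Microsoft.
Assumes a keyed-hash (HMAC-SHA256) tokenisation scheme and constructed sample
rows; column names and the key handling are hypothetical.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample of "production" rows; not real customer data.
# Row 0 and row 2 belong to the same customer, so the pseudonym must be stable.
PRODUCTION_ROWS = [
    {"customer_id": 1001, "email": "alice@example.com", "dob": "1984-03-17", "balance": 1250.40},
    {"customer_id": 1002, "email": "bob@example.com",   "dob": "1990-11-02", "balance": 80.00},
    {"customer_id": 1001, "email": "alice@example.com", "dob": "1984-03-17", "balance": 13.99},
]

# Per-refresh secret (hypothetical handling). In practice it lives in a key vault
# readable only by the masking job; destroying it after the test cycle makes
# re-linking the tokens to real customers impossible.
TEST_KEY = secrets.token_bytes(32)


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token for one field value.

    Same (field, value) -> same token, so joins across tables still line up.
    The field name is mixed in so the same string in two columns yields
    unrelated tokens. Without the key an attacker cannot hash guesses and
    compare them against the tokens.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def generalise_dob(dob: str) -> str:
    """Replace a full date of birth with a 5-year birth band, e.g. 1980-1984."""
    year = int(dob[:4])
    start = year - year % 5
    return f"{start}-{start + 4}"


def pseudonymise_rows(rows, key: bytes):
    """Produce the test-environment copy of the rows."""
    out = []
    for r in rows:
        out.append({
            "customer_id": pseudonymise_value(key, "customer_id", str(r["customer_id"])),
            # Token plus a reserved domain keeps the column email-shaped for the
            # tests without ever producing a deliverable address.
            "email": pseudonymise_value(key, "email", r["email"]) + "@test.invalid",
            "dob_band": generalise_dob(r["dob"]),
            # Non-identifying attribute kept as-is so business-logic tests stay realistic.
            "balance": r["balance"],
        })
    return out


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256: the common mistake that only looks like pseudonymisation."""
    return hashlib.sha256(value.encode()).hexdigest()


def dictionary_attack(candidates, target: str, hash_fn) -> Optional[str]:
    """Try to recover the original value from a token by hashing guesses.

    Succeeds against naive_hash; fails against the keyed tokens because the
    attacker does not hold TEST_KEY.
    """
    for guess in candidates:
        if hash_fn(guess) == target:
            return guess
    return None


if __name__ == "__main__":
    for row in pseudonymise_rows(PRODUCTION_ROWS, TEST_KEY):
        print(row)
    guesses = ["bob@example.com", "alice@example.com", "carol@example.com"]
    print("naive hash recovered:",
          dictionary_attack(guesses, naive_hash("alice@example.com"), naive_hash))
    keyed = pseudonymise_value(TEST_KEY, "email", "alice@example.com")
    print("keyed token recovered:", dictionary_attack(guesses, keyed, naive_hash))
```

Run the job inside the production boundary so raw PII never lands in the test subscription, keep TEST_KEY in a key vault readable only by the masking job, and destroy the key together with the test data set at the end of the retention period so that one destruction record covers both.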

What an auditor looks for

Auditors will verify that the policy prohibits production data in test environments by default. They will check the CISO approval and business justification for any production data used in testing, and will verify that equivalent access controls and encryption were applied to that data.

They will check evidence of synthetic test data generation or of the anonymisation and pseudonymisation process actually run on the copied data. Auditors will verify that test environment access is restricted through RBAC to authorised testers, and will check test data deletion records against the retention schedule.