
Introduction to Clause 6.11.3: Safeguarding Test Data

Test data (whether dedicated or sourced from an operational environment) needs to be closely managed and logged, to ensure that privacy information is not used inappropriately, or compromised in any way when moving from one environment to another.

What’s Covered in ISO 27701 Clause 6.11.3

ISO 27701 6.11.3 contains one sub-clause that deals with the protection of test data (ISO 27701 6.11.3.1).

There are no additional PIMS or PII-specific guidelines to adhere to, and a single UK GDPR article to consider alongside guidance from ISO 27002 (see below).

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.








ISO 27701 Clause 6.11.3.1 – Protection of Test Data

References ISO 27002 Control 8.33

Organisations should carefully select test data to ensure that testing activity is both reliable and secure. Organisations should pay extra attention to ensuring that PII is not copied into the development and testing environments.

In order to protect operational data throughout testing activities, organisations should:

  • Apply the same set of access control procedures across testing and operational environments.
  • Ensure that authorisation is required every time operational data is copied to a test environment.
  • Log the copying and use of operational data.
  • Safeguard privacy information through techniques such as masking (see ISO 27002 Control 8.11).
  • Remove operational data from a testing environment once it’s no longer needed (see ISO 27002 Control 8.10).
  • Securely store test data, and ensure that employees are aware that it is only to be used for testing purposes.

Applicable GDPR Articles

  • Article 5 – (1)(f)

Relevant ISO 27002 Controls

  • ISO 27002 8.10
  • ISO 27002 8.11

Supporting Controls From ISO 27002 and GDPR

| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Requirement | Associated GDPR Articles |
|---|---|---|---|
| 6.11.3.1 | Protection of Test Data | 8.33 – Test Information for ISO 27002 | Article (5) |

How ISMS.online Helps

ISMS.online makes personal information management easy through a great cloud-based solution to support ISO 27701 compliance in your organisation.

On top of this, we have information security experts and resources available to guide you through the ISO 27701 accreditation process.

Find out more by booking a hands-on demo.


Toby Cane

Partner Customer Success Manager

Toby Cane is the Senior Partner Success Manager for ISMS.online. He has worked for the company for close to 4 years and has performed a range of roles, including hosting their webinars. Prior to working in SaaS, Toby was a Secondary School teacher.
