ISO 27701 – Clause 6.11.3 – Test Data

Clause 6.11.3 of ISO/IEC 27701 emphasises the need to use anonymized or synthetic data for testing purposes to prevent exposure of PII, and requires stringent security measures if real PII must be used in test environments.

We need the information you provide to us to contact you about our services.
Unsubscribe at any time. For more information please check our Privacy Policy.

Author
Max Edwards
Updated 25 February 2025
LinkedIn Twitter Twitter

Introduction to Clause 6.11.3: Safeguarding Test Data

Test data (whether dedicated or sourced from an operational environment) needs to be closely managed and logged, to ensure that privacy information is not used inappropriately, or compromised in any way when moving from one environment to another.

What’s Covered in ISO 27701 Clause 6.11.3

ISO 27701 6.11.3 contains one sub-clause that deals with the protection of test data (ISO 27701 6.11.3.1).

There are no additional PIMS or PII-specific guidelines to adhere to, and a single UK GDPR article to consider alongside guidance from ISO 27002 (see below).

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.



Get an 81% headstart

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo


ISO 27701 Clause 6.11.3.1 – Protection of Test Data

References ISO 27002 Control 8.33

Organisations should carefully select test data to ensure that testing activity is both reliable, and secure. Organisations should pay extra attention to ensuring that PII is not copied into the development and testing environments.

In order to protect operational data throughout testing activities, organisations should:

  • Utilise a homogenous set of access control procedures across testing and operational environments.
  • Ensure that authorisation is required every time operational data is copied to a test environment.
  • Log the copying and use of operational data.
  • Safeguard privacy information through techniques such as masking (see ISO 27002 Control 8.11).
  • Removing operational data from a testing environment, once it’s no longer needed (see ISO 27002 Control 8.10).
  • Securely store test data, and ensure that employees are aware that it is only to be used for testing purposes.

Applicable GDPR Articles

  • Article 5 – (1)(f)

Relevant ISO 27002 Controls

  • ISO 27002 8.10
  • ISO 27002 8.11

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause Identifier ISO 27701 Clause Name ISO 27002 Requirement Associated GDPR Articles
6.11.3.1 Protection of Test Data 8.33 – Test Information for ISO 27002 Article (5)

How ISMS.online Helps

ISMS.online makes personal information management easy through a great cloud-based solution to support ISO 27701 compliance in your organisation.

On top of this we have information security experts and resources available to guide you through the ISO 27701 accreditation process.

Find out more by booking a hands on demo.

Jump to topic

Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.

ISMS Platform Tour

Interested in an ISMS.online platform tour?

Start your free 2-minute interactive demo now and experience the magic of ISMS.online in action!

Try it for free

We’re a Leader in our Field

Users Love Us
Leader Winter 2025
Leader Winter 2025 United Kingdom
Best ROI Winter 2025
Fastest Implementation Winter 2025
Most Implementable Winter 2025

"ISMS.Online, Outstanding tool for Regulatory Compliance"

-Jim M.

"Makes external audits a breeze and links all aspects of your ISMS together seamlessly"

-Karen C.

"Innovative solution to managing ISO and other accreditations"

-Ben H.

DORA is here! Supercharge your digital resilience today with our powerful new solution!