UnixTime

Research Note

A.8.31 Audit Evidence Pack

- Access differs between development, test, and production. - Production deployments require approval and release records. - Network and administrative paths are restricted and...

On this page

What the auditor wants to verify

Audit objective

Verify that development, test, and production environments are separated and secured through real access, network, data, deployment, and change controls.

Evidence to request

Evidence Purpose
Environment inventory Shows environment scope
Architecture/network diagrams Shows separation design
IAM/access review Shows role separation
Firewall/security group rules Shows connectivity restrictions
CI/CD and release records Shows controlled promotion
Change approvals Shows production updates are authorized
Test data approval/masking evidence Shows sensitive data is protected
Configuration/compliance reports Shows non-production environments are secured
User/developer interviews Shows expected behavior is understood

Strong evidence

  • Access differs between development, test, and production.
  • Production deployments require approval and release records.
  • Network and administrative paths are restricted and documented.
  • Production data in test is avoided, masked, or formally approved with safeguards.
  • Shared services and admin back ends are risk-assessed.

Weak evidence

  • Dev/test/prod are separate only by name.
  • Developers have standing production admin access.
  • Production data is copied into test without approval.
  • Test systems are unmanaged.
  • CI/CD can deploy to production without approval or traceability.

Sample interview questions

  • How are development, test, staging, and production separated?
  • Who can access production compared with development and test?
  • How does code move into production?
  • Is production data ever used outside production?
  • What shared identity, network, or admin services connect environments?
  • How are non-production systems patched, monitored, and reviewed?

Common nonconformities

  • Environment separation is undocumented or not enforced.
  • Production data exists in test without masking or approval.
  • Production deployment bypasses change control.
  • Shared credentials or admin paths cross environments.
  • Development/test environments are excluded from security baseline controls without risk justification.