What the auditor wants to verify
Audit objective
Verify that development, test, and production environments are separated and secured through real access, network, data, deployment, and change controls.
Evidence to request
| Evidence | Purpose |
|---|---|
| Environment inventory | Shows environment scope |
| Architecture/network diagrams | Shows separation design |
| IAM/access review | Shows role separation |
| Firewall/security group rules | Shows connectivity restrictions |
| CI/CD and release records | Shows controlled promotion |
| Change approvals | Shows production updates are authorized |
| Test data approval/masking evidence | Shows sensitive data is protected |
| Configuration/compliance reports | Shows non-production environments are secured |
| User/developer interviews | Shows expected behavior is understood |
Strong evidence
- Access differs between development, test, and production.
- Production deployments require approval and release records.
- Network and administrative paths are restricted and documented.
- Production data in test is avoided, masked, or formally approved with safeguards.
- Shared services and admin back ends are risk-assessed.
Weak evidence
- Dev/test/prod are separate only by name.
- Developers have standing production admin access.
- Production data is copied into test without approval.
- Test systems are unmanaged.
- CI/CD can deploy to production without approval or traceability.
Sample interview questions
- How are development, test, staging, and production separated?
- Who can access production compared with development and test?
- How does code move into production?
- Is production data ever used outside production?
- What shared identity, network, or admin services connect environments?
- How are non-production systems patched, monitored, and reviewed?
Common nonconformities
- Environment separation is undocumented or not enforced.
- Production data exists in test without masking or approval.
- Production deployment bypasses change control.
- Shared credentials or admin paths cross environments.
- Development/test environments are excluded from security baseline controls without risk justification.
Related notes
- Audit
- Evidence
- A8 31
- Iso27001
Note Metadata
Aliases: A.8.31 Evidence
Source: 04 Audit Evidence Packs/A.8.31 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.31 - Separation of Development Test and Production Environments
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.31 Separation of Development Test and Production Environments
- A.8.31 Audit Checklist
- Development Environment Separation Standard
- Development Test Production Separation Checklist
- Test Data Security Approval Record
- Audit Evidence Index