UnixTime

Research Note

ISO 27001 A.8.31 - Separation of Development Test and Production Environments

Developers need places to build and test. Production needs stability, integrity, and controlled access. These environments should not be casually mixed.

On this page

Requirement

Requirement lens

This control asks whether development, testing, and production environments are separated and secured so untested work cannot compromise live systems or information.

“Development, testing and production environments shall be separated and secured.”

Plain-language meaning

Developers need places to build and test. Production needs stability, integrity, and controlled access. These environments should not be casually mixed.

The organization should prevent test code, development tools, experimental configuration, or weak test controls from affecting live services. If production data is used outside production, the test environment must protect it properly.

Why this matters

Development and test environments often have weaker controls, more debugging access, incomplete monitoring, unstable code, and experimental settings. If they are connected too loosely to production, they can become a route into live systems or leak sensitive data.

The risk increases when production data is copied into test, when administrators share back-end services across environments, or when developers can deploy directly to production.

Implementation guidance

Implementer focus

Treat environment separation as a security architecture control, not just a naming convention like dev, test, and prod.

1. Define environment classes

Document development, test, staging, pre-production, production, support, and sandbox environments. Define the purpose, owner, data classification, access model, connectivity, logging, and change route for each.

2. Separate access and identities

Use separate access controls, roles, accounts, credentials, and approval routes where risk justifies it. Production access should be more restrictive than development or test access.

3. Control connectivity

Restrict network paths, shared services, management networks, CI/CD pipelines, administrative back ends, and database links between environments. Shared identity or admin platforms should be risk-assessed.

4. Protect production data

Avoid using sensitive production data in test. Where it is necessary and justified, apply masking, pseudonymisation, access restrictions, logging, and controls at least equivalent to the sensitivity of the data.

5. Use change control for promotion

Tested and verified solutions should move into production through controlled change and release processes. Developers should not bypass change control by manually modifying production.

6. Secure each environment

Development and test systems still need security baselines, access review, patching, logging, malware protection, configuration control, and vulnerability management appropriate to their risk.

Audit guidance

Auditor focus

Do not accept labels as proof. Check actual access, network paths, deployment rights, shared admin back ends, and use of production data.

Auditors should verify:

  • development, test, and production environments are documented;
  • separation is implemented through access, network, infrastructure, and process controls;
  • untested software cannot be used in production without authorization;
  • promotion into production follows change control;
  • shared administration or identity services are risk-assessed;
  • test environments with sensitive data have controls appropriate to that data;
  • users of the environments understand expected behavior;
  • background checks or special controls are considered for staff with access to secure development environments where risk justifies it.

Evidence examples

Evidence quality

Strong evidence proves separation exists in actual configuration and workflow, not only in architecture diagrams.

Evidence What it proves
Environment inventory Environments are identified
Architecture/network diagrams Separation design is documented
IAM/access reviews Access differs by environment and role
Firewall/security group rules Connectivity is controlled
CI/CD promotion records Production changes follow controlled release
Test data approval/masking record Production data use is justified and protected
Configuration baseline evidence Environments are secured
Change/release records Tested software is promoted formally

Strong evidence

  • Separate access roles exist for dev, test, and production.
  • Production deployment requires approval and release controls.
  • Test data is masked or formally approved with compensating controls.
  • Environment connectivity is documented and technically restricted.
  • Shared admin back ends are reviewed as part of the risk assessment.
  • Developers and testers understand environment rules.

Weak evidence

  • Environment names exist but access is shared.
  • Developers have standing production admin access.
  • Production data is copied into test without masking or approval.
  • No evidence of deployment approval exists.
  • Test systems are unmanaged because “they are not production.”
  • Shared admin networks or identity services are ignored.

Common failures

Implementation watchouts

A.8.31 fails when separation is cosmetic. Different hostnames do not matter if the same people, credentials, networks, and pipelines can affect production without control.

Failure Why it matters
Shared credentials across environments Compromise in test can reach production
Direct developer production changes Change control is bypassed
Sensitive production data in test Weaker test controls leak real information
No network separation Lateral movement becomes easier
Shared admin back end not assessed A hidden common path can defeat separation
Test security ignored Test becomes the easiest attack path

Exam traps

Exam focus

A.8.31 is about separating and securing environments. It is not only about having separate folders, branches, or labels.

Trap Correct interpretation
Dev/test/prod names prove separation Actual access, network, and deployment controls must enforce separation
Test data is harmless Production data in test can carry production-level sensitivity
Developers need production access for speed Standing access creates integrity and accountability risk
Only production needs security controls Dev and test need controls appropriate to their risk
CI/CD means separation is automatic Pipelines can bypass separation if not controlled

KB-ready summary

Mentor takeaway

A.8.31 protects production from untested work and protects sensitive data from weak non-production environments. Strong implementation proves actual separation through access, network, data, deployment, and change controls.

  • Document each environment and its purpose.
  • Separate access, roles, credentials, and network paths.
  • Restrict production deployments through change control.
  • Avoid production data in test unless justified and protected.
  • Secure development and test systems according to risk.
  • Review shared administration and CI/CD paths.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Environment separation
  • Secure development
  • Change control

Note Metadata

Aliases: A.8.31, Separation of Development Test and Production Environments, Separation of Development, Test and Production Environments

Source: 05 Annex A Technological Controls/A.8.31 Separation of Development Test and Production Environments.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.