Requirement
Requirement lens
This control asks whether development, testing, and production environments are separated and secured so untested work cannot compromise live systems or information.
“Development, testing and production environments shall be separated and secured.”
Plain-language meaning
Developers need places to build and test. Production needs stability, integrity, and controlled access. These environments should not be casually mixed.
The organization should prevent test code, development tools, experimental configuration, or weak test controls from affecting live services. If production data is used outside production, the test environment must protect it properly.
Why this matters
Development and test environments often have weaker controls, more debugging access, incomplete monitoring, unstable code, and experimental settings. If they are connected too loosely to production, they can become a route into live systems or leak sensitive data.
The risk increases when production data is copied into test, when administrators share back-end services across environments, or when developers can deploy directly to production.
Implementation guidance
Implementer focus
Treat environment separation as a security architecture control, not just a naming convention like dev, test, and prod.
1. Define environment classes
Document development, test, staging, pre-production, production, support, and sandbox environments. Define the purpose, owner, data classification, access model, connectivity, logging, and change route for each.
2. Separate access and identities
Use separate access controls, roles, accounts, credentials, and approval routes where risk justifies it. Production access should be more restrictive than development or test access.
3. Control connectivity
Restrict network paths, shared services, management networks, CI/CD pipelines, administrative back ends, and database links between environments. Shared identity or admin platforms should be risk-assessed.
4. Protect production data
Avoid using sensitive production data in test. Where it is necessary and justified, apply masking, pseudonymisation, access restrictions, logging, and controls at least equivalent to the sensitivity of the data.
5. Use change control for promotion
Tested and verified solutions should move into production through controlled change and release processes. Developers should not bypass change control by manually modifying production.
6. Secure each environment
Development and test systems still need security baselines, access review, patching, logging, malware protection, configuration control, and vulnerability management appropriate to their risk.
Audit guidance
Auditor focus
Do not accept labels as proof. Check actual access, network paths, deployment rights, shared admin back ends, and use of production data.
Auditors should verify:
- development, test, and production environments are documented;
- separation is implemented through access, network, infrastructure, and process controls;
- untested software cannot be used in production without authorization;
- promotion into production follows change control;
- shared administration or identity services are risk-assessed;
- test environments with sensitive data have controls appropriate to that data;
- users of the environments understand expected behavior;
- background checks or special controls are considered for staff with access to secure development environments where risk justifies it.
Evidence examples
Evidence quality
Strong evidence proves separation exists in actual configuration and workflow, not only in architecture diagrams.
| Evidence | What it proves |
|---|---|
| Environment inventory | Environments are identified |
| Architecture/network diagrams | Separation design is documented |
| IAM/access reviews | Access differs by environment and role |
| Firewall/security group rules | Connectivity is controlled |
| CI/CD promotion records | Production changes follow controlled release |
| Test data approval/masking record | Production data use is justified and protected |
| Configuration baseline evidence | Environments are secured |
| Change/release records | Tested software is promoted formally |
Strong evidence
- Separate access roles exist for dev, test, and production.
- Production deployment requires approval and release controls.
- Test data is masked or formally approved with compensating controls.
- Environment connectivity is documented and technically restricted.
- Shared admin back ends are reviewed as part of the risk assessment.
- Developers and testers understand environment rules.
Weak evidence
- Environment names exist but access is shared.
- Developers have standing production admin access.
- Production data is copied into test without masking or approval.
- No evidence of deployment approval exists.
- Test systems are unmanaged because “they are not production.”
- Shared admin networks or identity services are ignored.
Common failures
Implementation watchouts
A.8.31 fails when separation is cosmetic. Different hostnames do not matter if the same people, credentials, networks, and pipelines can affect production without control.
| Failure | Why it matters |
|---|---|
| Shared credentials across environments | Compromise in test can reach production |
| Direct developer production changes | Change control is bypassed |
| Sensitive production data in test | Weaker test controls leak real information |
| No network separation | Lateral movement becomes easier |
| Shared admin back end not assessed | A hidden common path can defeat separation |
| Test security ignored | Test becomes the easiest attack path |
Exam traps
Exam focus
A.8.31 is about separating and securing environments. It is not only about having separate folders, branches, or labels.
| Trap | Correct interpretation |
|---|---|
| Dev/test/prod names prove separation | Actual access, network, and deployment controls must enforce separation |
| Test data is harmless | Production data in test can carry production-level sensitivity |
| Developers need production access for speed | Standing access creates integrity and accountability risk |
| Only production needs security controls | Dev and test need controls appropriate to their risk |
| CI/CD means separation is automatic | Pipelines can bypass separation if not controlled |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.9 Configuration Management
- A.8.15 Logging
- A.8.19 Installation of Software on Operational Systems
- A.8.25 Secure Development Life Cycle
- A.8.28 Secure Coding
- A.8.29 Security Testing in Development and Acceptance
- A.8.30 Outsourced Development
- A.8.11 Data Masking
- A.5.37 Documented Operating Procedures
- Risk Assessment
- Statement of Applicability
- Development Test Production Separation Checklist
- Test Data Security Approval Record
- A.8.31 Audit Evidence Pack
- A.8.31 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.31 protects production from untested work and protects sensitive data from weak non-production environments. Strong implementation proves actual separation through access, network, data, deployment, and change controls.
- Document each environment and its purpose.
- Separate access, roles, credentials, and network paths.
- Restrict production deployments through change control.
- Avoid production data in test unless justified and protected.
- Secure development and test systems according to risk.
- Review shared administration and CI/CD paths.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Environment separation
- Secure development
- Change control
Note Metadata
Aliases: A.8.31, Separation of Development Test and Production Environments, Separation of Development, Test and Production Environments
Source: 05 Annex A Technological Controls/A.8.31 Separation of Development Test and Production Environments.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.37 - Documented Operating Procedures
- A.8.31 Audit Evidence Pack
- ISO 27001 A.8.11 - Data Masking
- ISO 27001 A.8.15 - Logging
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- ISO 27001 A.8.25 - Secure Development Life Cycle
- ISO 27001 A.8.28 - Secure Coding
- ISO 27001 A.8.29 - Security Testing in Development and Acceptance
- ISO 27001 A.8.30 - Outsourced Development
- ISO 27001 A.8.32 - Change Management
- ISO 27001 A.8.33 - Test Information
- ISO 27001 A.8.9 - Configuration Management
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.31 Separation of Development Test and Production Environments
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-040 - Outsourced Development and Environment Separation
- EXAM-041 - Change Test Information and Audit Testing
- ISO 27002 Annex A Control Interpretation Map
- A.8.31 Audit Checklist
- Development Environment Separation Standard
- Development Test Production Separation Checklist
- Test Data Security Approval Record
- Test Information Management Register
- Annex A Controls MOC