UnixTime

Research Note

EXAM-040 - Outsourced Development and Environment Separation

- Assuming a supplier contract alone satisfies outsourced development control. - Treating supplier security as fully delegated. - Accepting supplier deliverables based only on f...

On this page

Memory cue

Last-day cue

A.8.30 = govern supplier development. A.8.31 = separate and secure dev, test, and production.

What the exam is likely testing

Control Exam cue
A.8.30 Outsourced development must be directed, monitored, and reviewed by the organization
A.8.31 Dev/test/prod separation must be enforced through access, network, data, and change controls

Common wrong answers

  • Assuming a supplier contract alone satisfies outsourced development control.
  • Treating supplier security as fully delegated.
  • Accepting supplier deliverables based only on functionality.
  • Treating environment names as proof of separation.
  • Allowing production data in test without masking, approval, or equivalent controls.
  • Ignoring shared CI/CD, identity, or admin paths between environments.

Quick comparison

Topic A.8.30 Outsourced development A.8.31 Environment separation
Main risk Supplier development visibility and control gaps Test/development exposure affecting production
Core evidence Contract requirements, monitoring, supplier test/review evidence Access, network, data, deployment, and change control evidence
Common trap “The supplier owns it” “Dev/test/prod labels are enough”
Strong proof Supplier findings are tracked and reviewed before acceptance Untested code and sensitive data cannot cross boundaries casually
  • Iso27001
  • Exam
  • Outsourced development
  • Environment separation

Note Metadata

Aliases: EXAM-040

Source: 09-Exam-Preparation/EXAM-040-Outsourced-Development-and-Environment-Separation.md