Memory cue
Last-day cue
A.8.30 = govern supplier development. A.8.31 = separate and secure dev, test, and production.
What the exam is likely testing
| Control | Exam cue |
|---|---|
| A.8.30 | Outsourced development must be directed, monitored, and reviewed by the organization |
| A.8.31 | Dev/test/prod separation must be enforced through access, network, data, and change controls |
Common wrong answers
- Assuming a supplier contract alone satisfies outsourced development control.
- Treating supplier security as fully delegated.
- Accepting supplier deliverables based only on functionality.
- Treating environment names as proof of separation.
- Allowing production data in test without masking, approval, or equivalent controls.
- Ignoring shared CI/CD, identity, or admin paths between environments.
Quick comparison
| Topic | A.8.30 Outsourced development | A.8.31 Environment separation |
|---|---|---|
| Main risk | Supplier development visibility and control gaps | Test/development exposure affecting production |
| Core evidence | Contract requirements, monitoring, supplier test/review evidence | Access, network, data, deployment, and change control evidence |
| Common trap | “The supplier owns it” | “Dev/test/prod labels are enough” |
| Strong proof | Supplier findings are tracked and reviewed before acceptance | Untested code and sensitive data cannot cross boundaries casually |
Related notes
- Iso27001
- Exam
- Outsourced development
- Environment separation
Note Metadata
Aliases: EXAM-040
Source: 09-Exam-Preparation/EXAM-040-Outsourced-Development-and-Environment-Separation.md