When to use this
Use this standard to define the minimum security expectations for development, test, staging, and production environments.
Related controls
- A.8.31 Separation of Development Test and Production Environments
- A.8.19 Installation of Software on Operational Systems
- A.8.9 Configuration Management
Environment rules
| Environment | Purpose | Data allowed | Access model | Network restrictions | Change route | Logging required |
|---|---|---|---|---|---|---|
| Development | Build and unit test | Synthetic / masked unless approved | Developers | Restricted from production | Pull request / pipeline | TBD |
| Test | Functional/security testing | Synthetic / masked unless approved | QA / testers | Restricted from production | Test release | TBD |
| Staging | Pre-production validation | Production-like, controlled | Limited release roles | Controlled paths only | Change/release process | TBD |
| Production | Live service | Approved production data | Restricted operations roles | Production-only controls | Approved change | Required |
Minimum requirements
- Environments are inventoried.
- Access differs by environment.
- Production access is restricted and reviewed.
- Network paths between environments are documented and controlled.
- Shared admin or identity services are risk-assessed.
- Production data outside production requires approval.
- Promotion to production follows change control.
- Non-production systems have security baselines appropriate to risk.
- Template
- Iso27001
- Environment separation
- Secure development
Note Metadata
Aliases: Dev Test Prod Separation Standard
Source: 90 Templates/Development Environment Separation Standard.md
Related Notes
- A.8.31 Audit Evidence Pack
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- ISO 27001 A.8.31 - Separation of Development Test and Production Environments
- ISO 27001 A.8.9 - Configuration Management
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- Templates MOC