Skip to content
AuditFront
A.8.31 ISO 27001

ISO 27001 A.8.31: Separation of development, test and production environments

What This Control Requires

Development, testing and production environments shall be separated and secured.

In Plain Language

Running dev, test, and production on the same infrastructure is a recipe for trouble. A developer debugging an issue accidentally takes down a production database. Someone copies live customer data into a test environment with weaker access controls. An experimental config change bleeds into the live system. Development environments are inherently less secure - they need to be, so people can experiment and troubleshoot freely. If they share infrastructure or data with production, those relaxed controls become a direct path to compromise or data exposure. Separation needs to happen at multiple levels: infrastructure (different servers, networks, databases), access control (different people get different rights per environment), and data (production data should never appear in dev or test without proper masking).

How to Implement

Create clear separation between development, testing, staging, and production. Each environment should have its own infrastructure (separate servers, VMs, or cloud accounts), network segments, databases, access controls, and CI/CD pipeline stages with promotion gates. Set up access controls per environment. Production access goes to operations personnel and on-call developers only. Development access is limited to active team members. Staging mirrors production restrictions. Test environments can be broader but still controlled. Keep production data out of non-production environments. Do not copy production data directly to dev or test. Use data masking (see A.8.11) to generate realistic but anonymised test data. If production data is absolutely needed for testing, apply strict controls: temporary access, audit logging, and prompt deletion when finished. Build promotion controls between environments. Changes flow from development through testing, staging, and into production via a defined process. Use CI/CD pipelines with automated testing at each stage. Require approvals for production deployments. Block any path for direct modifications to production from development tools. Apply security controls proportionate to each environment. Production gets the highest security. Staging should mirror production security closely. Test environments need reasonable controls, especially if any sensitive data is involved. Development can be more permissive but still needs baseline security. Use infrastructure as code and containerisation to keep environments consistent while maintaining separation. Define configurations in code for repeatable deployments. Use container orchestration for isolated environments. In cloud setups, leverage account-level or namespace-level separation.

Evidence Your Auditor Will Request

  • Environment separation architecture documentation
  • Access control configurations showing different access for each environment
  • Data masking records showing production data is not used directly in non-production
  • CI/CD pipeline configuration showing promotion controls between environments
  • Evidence that production cannot be directly modified from development tools

Common Mistakes

  • Development and production share the same infrastructure or database servers
  • Production data is used in test environments without masking
  • Developers have direct access to production systems
  • No controlled promotion process for moving changes between environments
  • Development environments connect to production services or APIs

Related Controls Across Frameworks

Framework Control ID Relationship
SOC 2 CC8.1 Related
GDPR Art.32 Partial overlap
NIS2 Art.21(2)(e) Partial overlap

Frequently Asked Questions

Can we use the same cloud account for different environments?
Separate cloud accounts or subscriptions for production, staging, and development is best practice. It gives you the strongest isolation for access controls, network boundaries, and blast radius. If that is not feasible, use separate VPCs or virtual networks, enforce strict IAM boundaries, and tag resources by environment. But whatever you do, never share databases or storage between production and non-production.
Is it acceptable to give developers read-only access to production?
It can work if properly controlled. Implement time-limited access requests, log every production access action, restrict direct access to sensitive data, and use separate tooling for production versus development access. In practice, most debugging needs can be met through application performance monitoring and centralised logging without ever touching the production database directly. That is the cleaner approach and what most auditors prefer to see.

Track ISO 27001 compliance in one place

AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.

Start Free Assessment