Separation of Development, Test and Production Environments - ISO 27001 Annex A Control

Mixing environments mixes risks - keep them separate or accept the consequences.

ISO 27001 Annex A 8.31 - Separation of Development, Test and Production Environments

Mixing environments mixes risks. Development environments where engineers iterate need flexibility that would be unsafe in production. Test environments need realistic data and configurations but should not affect real customers. Production environments need stability and tight change control. The control asks for these to be separated and secured according to their distinct needs.

Practical separation typically involves separate infrastructure (different servers, networks, cloud accounts), separate access controls (different identity populations and permission levels), separate data (test data should not be production data unless masked), and separate change paths (production changes go through a controlled pipeline rather than ad-hoc deployment).

Modern development with infrastructure as code makes environment parity easier - the same definitions create development, test and production environments with controlled differences. Container and microservice architectures increase the number of environments managed but maintain the separation principle. The technical mechanisms have evolved; the underlying control remains the same.

Test environments containing real production data is the separation issue I see most often. The justification is realistic testing; the consequence is a test environment with production-level sensitivity but development-level access controls. The fix is masked or synthetic data under A.8.11, with real production data only where there is a specific, controlled exception.

Practical Compliance Guidance

Environment separation is described in the IMS1 manual at section 8.3 on IT equipment alongside the wider development arrangements. Infrastructure documentation and access records provide the operational evidence.

alphaZ document | How to use it
ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.
PP-8-100 Information Security Policy Procedure | Contains the Information Security Policy including the separation requirements between development, test and production. Use as the source for the environment baseline.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Sufficient that activity in one environment cannot affect another. Separate authentication, separate data, separate network paths where appropriate. Cloud accounts or projects per environment provide a strong default separation. Shared infrastructure with logical separation is workable for lower-risk situations but needs additional controls.

Production access by development staff is a separate question - it should be possible for legitimate operational reasons (incident response, deployment) but should follow the privileged access controls under A.8.2 with logging and time limits. Routine development work should not require production access.

Through configuration review (the documented separation matches the live state), access reviews (people only have access to the environments their role requires), and traffic analysis (the environments are not communicating in unexpected ways). Penetration testing often probes environment boundaries.
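
The access review and the time-limited production access described in the answers above can be checked mechanically against an export of access grants. The following is an added example, not part of the original page or the alphaZ toolkit; the role names, the role-to-environment policy, the 8-hour ceiling and the CSV layout are all assumptions, and the grant records are constructed sample data.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumed policy (not from the page): environments each role may hold standing access to.
STANDING = {
    "developer": {"dev", "test"},
    "tester": {"test"},
    "sre": {"dev", "test", "prod"},
}
# Assumed ceiling for a time-limited production grant outside the standing policy.
MAX_TEMP_GRANT = timedelta(hours=8)

# Constructed sample export of access grants (user, role, environment, granted, expires).
GRANTS_CSV = """user,role,env,granted,expires
alice,developer,dev,2024-05-01T09:00,
alice,developer,prod,2024-05-02T10:00,2024-05-02T14:00
bob,developer,prod,2024-04-01T09:00,
carol,tester,dev,2024-05-01T09:00,
dave,sre,prod,2024-01-10T09:00,
erin,developer,prod,2024-05-02T10:00,2024-05-09T10:00
"""

def review(grants_csv, now):
    """Return (user, env, reason) findings for grants that break the separation policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(grants_csv)):
        user, role, env = row["user"], row["role"], row["env"]
        if env in STANDING.get(role, set()):
            continue  # standing access matches what the role requires
        if env != "prod":
            findings.append((user, env, "environment not required by role"))
            continue
        # Production access outside the role: acceptable only as a time-limited exception.
        if not row["expires"]:
            findings.append((user, env, "production access with no expiry"))
            continue
        granted = datetime.fromisoformat(row["granted"])
        expires = datetime.fromisoformat(row["expires"])
        if expires - granted > MAX_TEMP_GRANT:
            findings.append((user, env, "production grant exceeds time limit"))
        elif expires < now:
            findings.append((user, env, "expired production grant still present"))
    return findings

if __name__ == "__main__":
    for finding in review(GRANTS_CSV, datetime(2024, 5, 2, 12, 0)):
        print(*finding, sep=": ")
```

The findings list doubles as access-review evidence: an empty result on the live export shows that grants match roles and that every production exception is time-limited.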
