top of page

ISO 27001 Control 8.31: Separation of Development, Test & Production Environments

Writer's picture: Alan ParkerAlan Parker

Separation of Development, Test, and Production Environments

To protect the production environment and data from compromise by development and test activities, ensuring that unauthorised changes, security risks, and potential operational disruptions are minimised. By maintaining a clear separation between these environments, organisations can ensure better risk management, compliance with industry standards, and a more structured approach to software development and deployment.



Guidance

The level of separation between production, testing, and development environments must be identified and implemented based on the organisation’s operational and security needs. Proper separation ensures stability, security, and compliance with best practices in application and system security.


The following considerations should be taken into account:


1. Environment Separation and Security

  • Operate development and production systems in separate domains, either through virtual or physical separation.

  • Implement firewalls and network segmentation to restrict communication between environments.

  • Define and enforce strict policies regarding the deployment of software from development to production.

  • Ensure testing is conducted in a dedicated testing or staging environment before deployment to production (see Clause 8.29).

  • Restrict production data access to only authorised personnel and prevent unnecessary replication of sensitive information in non-production environments.

  • Limit or eliminate testing in production environments unless explicitly approved under defined conditions and controlled procedures.


2. Restriction of Development Tools and Access

  • Prohibit direct access to compilers, editors, and development tools from production systems unless explicitly required.

  • Implement environment-specific identification labels to prevent errors and ensure clarity between environments.

  • Ensure that sensitive data is not copied into development and testing environments unless equivalent security controls are in place.

  • Introduce an approval-based process for moving changes from development to production to maintain a structured workflow and accountability.

  • Automate configuration management and deployment pipelines to reduce the risk of manual errors and inconsistencies.


3. Security Measures for Development and Testing Environments

  • Regularly patch and update all development, integration, and testing tools, including build systems, compilers, and configuration management tools.

  • Apply secure configurations to all systems and software within development and testing environments, ensuring they align with production security policies.

  • Control access to development and testing environments based on the principle of least privilege, granting access only when necessary.

  • Monitor changes in the environment, including code modifications, configuration changes, and deployments.

  • Ensure secure logging and monitoring of all activities in development, testing, and staging environments to detect and respond to security incidents.

  • Implement routine backups to safeguard development and testing environments from data loss and unauthorised modifications.

  • Use containerisation and virtualisation technologies to create isolated environments that reduce risks associated with shared resources.


4. Enforcing Segregation of Duties

  • Prevent a single person from having the ability to modify both development and production environments without prior review and approval.

  • Implement segregation of access rights to enforce accountability and maintain security integrity.

  • Establish monitoring mechanisms, such as logging, audit trails, and real-time oversight, to detect unauthorised changes.

  • Require peer reviews, approvals, and automated code validation before any changes are promoted to production.

  • Introduce multi-factor authentication (MFA) for privileged access to development and production environments to enhance security.


Additional Considerations

Without appropriate separation measures, developers and testers can introduce significant risks, including:


  • Accidental or unauthorised modifications to files or system configurations, leading to system instability.

  • Execution of untested or unauthorised code in the production environment, creating potential security vulnerabilities.

  • Data integrity and availability issues arising from improper testing practices or direct interaction with production systems.

  • Disclosure of confidential data due to unrestricted access to production systems or lack of access controls.


To mitigate these risks, organisations should define clear roles, implement strict access controls, and ensure continuous monitoring of activities within all environments. Additionally, supporting processes must be in place for the secure use of production data in development and testing environments (see Clause 8.33 for guidance on protecting test information).


Best Practices for Managing Environment Separation

  • Use dedicated accounts for different environments to enforce logical access control.

  • Implement Infrastructure as Code (IaC) principles to ensure consistent and automated environment deployment.

  • Utilise DevSecOps practices to integrate security into every stage of development, reducing risks before production deployment.

  • Conduct regular security awareness training for development and testing teams to reinforce best practices.

  • Implement secure coding guidelines and require developers to follow industry-standard frameworks for security.

  • Establish a rollback plan and disaster recovery procedures in case a production deployment fails or introduces critical vulnerabilities.


Alternative Approaches

While strict separation is generally advisable, there are cases where controlled overlap between environments may be necessary:


  • Pilot testing can be conducted in a controlled manner with live users to evaluate real-world performance and usability.

  • Some organisations may implement rolling deployments, canary releases, or blue-green deployment models to ensure minimal downtime and facilitate controlled feature rollouts.

  • Controlled testing in live environments can be performed under strict monitoring and rollback procedures, particularly in Agile and DevOps-driven development cycles.

  • Implement feature flagging mechanisms to test new features in production with a limited user base before full deployment.


Organisations should also apply these principles when managing training environments, ensuring that production data remains protected and system stability is maintained during training sessions. Additionally, policies should be established to regulate the use of real-world production data in non-production settings, implementing data anonymisation and masking techniques where necessary.


For further details on best practices, refer to ISO/IEC 27002:2022 and related cybersecurity guidelines. Staying aligned with industry standards ensures compliance, operational efficiency, and enhanced security in software development and deployment processes.

Kommentare

About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.

bottom of page