Ensure Non-Production Databases Match Production Security
Production data can only be used in non-production areas if those areas are secured equally well.
Plain language
When using copies of your main, everyday database for testing or development, those copies need to be protected just as well as the original. If not, sensitive information could be leaked, leading to privacy breaches or other security issues.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for database systems
Section
Databases
Official control statement
Database contents from production environments are not used in non-production environments unless the non-production environment is secured to at least the same level as the production environment.
Why it matters
Using production data in a less-secure non-production environment can expose sensitive records, causing breaches, loss of trust and compliance penalties.
Operational notes
Do not copy production data into dev/test unless the environment meets production-equivalent controls (access, logging, encryption). Otherwise use masked/synthetic data.
Implementation tips
- System owners should collaborate with IT teams to classify the sensitivity of data in the production database. This involves identifying what data is considered sensitive and needs protection, such as personal information or financial data.
- IT teams should replicate security settings from production to non-production databases. This means using the same access controls and monitoring tools to prevent unauthorised access.
- Managers should ensure staff handling non-production databases are trained in data privacy and security policies. This training should include understanding what data should remain confidential and why safeguarding it is critical.
- Security officers should perform regular checks to verify that non-production databases are as secure as production databases. They can do this by reviewing access logs and implementing security updates simultaneously on all environments.
- Procurement teams should ensure any third-party tools or services used with non-production databases conform to the same security standards as those used with production databases. They should validate this during the vendor selection process by asking for security certifications.
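The operational note above gives two options for a dev/test refresh: take production data only when the environment carries production-equivalent controls, otherwise mask it. The following script is an added example, not Control Stack's or ASD's code, showing both halves of that decision: a parity check over a set of control settings (the setting names are assumptions, not any vendor's parameter names), and keyed deterministic masking of sensitive columns so that referential integrity survives while real values stay in production. The sample rows and key are constructed for illustration.

```python
"""Gate a production-to-non-production database refresh.

Added example (not the page's or ASD's code). Control setting names,
sample rows and the masking key are constructed for illustration.
"""
import hmac
import hashlib

# Hypothetical control flags that non-production must match before it may
# receive unmasked production data (access, logging, encryption).
PRODUCTION_CONTROLS = {
    "tls_required": True,
    "storage_encryption": True,
    "audit_logging": True,
    "mfa_for_admin": True,
    "network_restricted": True,
}
PARITY_KEYS = tuple(PRODUCTION_CONTROLS)

# Columns that must never reach a weaker environment in clear form.
SENSITIVE_COLUMNS = ("email", "phone", "card_number")


def control_drift(production: dict, non_production: dict) -> list:
    """Return the controls where non-production is weaker than production."""
    return [k for k in PARITY_KEYS
            if production.get(k) and not non_production.get(k)]


def refresh_decision(production: dict, non_production: dict) -> str:
    """'unmasked' only when no control drift exists, otherwise 'masked'."""
    return "unmasked" if not control_drift(production, non_production) else "masked"


def pseudonym(value: str, key: bytes, length: int = 16) -> str:
    """Keyed, deterministic token: the same input maps to the same token in
    every table, but the original cannot be recovered without the key,
    which stays in production."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_rows(rows: list, key: bytes) -> list:
    """Replace every non-null sensitive column with its pseudonym."""
    masked = []
    for row in rows:
        out = dict(row)
        for col in SENSITIVE_COLUMNS:
            if out.get(col) is not None:
                out[col] = pseudonym(str(out[col]), key)
        masked.append(out)
    return masked


def leaks(original_rows: list, masked_rows: list) -> list:
    """Original sensitive values still present anywhere in the masked output."""
    originals = {str(r[c]) for r in original_rows
                 for c in SENSITIVE_COLUMNS if r.get(c) is not None}
    return [str(v) for row in masked_rows for v in row.values()
            if str(v) in originals]


def prepare_refresh(rows: list, production: dict, non_production: dict, key: bytes):
    """Apply the control: unmasked copy only on parity, masked copy otherwise."""
    decision = refresh_decision(production, non_production)
    if decision == "unmasked":
        return decision, rows
    masked = mask_rows(rows, key)
    leaked = leaks(rows, masked)
    if leaked:  # verification step: refuse to ship a copy that still leaks
        raise ValueError(f"masking incomplete: {leaked}")
    return decision, masked


# Constructed sample extract and a dev environment missing two controls.
SAMPLE_ROWS = [
    {"customer_id": 1, "email": "a.person@example.com", "phone": "0400000001",
     "card_number": "4111111111111111", "plan": "gold"},
    {"customer_id": 2, "email": "b.person@example.com", "phone": "0400000002",
     "card_number": None, "plan": "basic"},
]
DEV_CONTROLS = dict(PRODUCTION_CONTROLS, audit_logging=False, mfa_for_admin=False)
MASKING_KEY = b"constructed-demo-key-rotate-in-real-use"

if __name__ == "__main__":
    decision, data = prepare_refresh(SAMPLE_ROWS, PRODUCTION_CONTROLS,
                                     DEV_CONTROLS, MASKING_KEY)
    print(decision, "drift:", control_drift(PRODUCTION_CONTROLS, DEV_CONTROLS))
    for row in data:
        print(row)
```

The drift list doubles as audit evidence for the "regular security review" tip: a non-empty list names exactly which production controls the non-production environment lacks, and the masked path is taken automatically until that list is empty.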
Audit / evidence tips
- Ask: the non-production database security policy. Request documentation that describes security measures applied to non-production databases.
  Good: a document that lists identical security protocols across environments.
- Ask: to see access logs for non-production databases. Request access records to check who has accessed these databases.
  Good: logs that show access controls aligned with those of production databases.
- Ask: training records. Request records showing which staff have been trained in handling non-production data securely.
  Good: records that include recent training on data security relevant to each staff member's role.
- Ask: regular security review reports. Request documentation from security officers on their database checks.
  Good: reports that show regular audits with issues identified and resolved.
- Ask: vendor compliance certificates. Request documentation from procurement about third-party vendor compliance.
  Good: up-to-date certificates from trusted cybersecurity standards.
Cross-framework mappings
How ISM-1274 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (1)
| Control | Notes | Details |
|---|---|---|
| Annex A 8.31 | ISM-1274 requires that production database contents are not used in non-production unless the non-production environment is secured to at... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.