ISM-1274 ASD Information Security Manual (ISM)

Ensure Non-Production Databases Match Production Security

Production data can only be used in non-production environments if those environments are secured equally well.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Database contents from production environments are not used in non-production environments unless the non-production environment is secured to at least the same level as the production environment.

Source: ASD Information Security Manual (ISM)

Plain language

When using copies of your main, everyday database for testing or development, those copies need to be protected just as well as the original. If not, sensitive information could be leaked, leading to privacy breaches or other security issues.

Why it matters

Using production data in a less-secure non-production environment can expose sensitive records, causing breaches, loss of trust and compliance penalties.

Operational notes

Do not copy production data into dev/test unless the environment meets production-equivalent controls (access, logging, encryption). Otherwise use masked/synthetic data.

Implementation tips

  • System owners should collaborate with IT teams to classify the sensitivity of data in the production database. This involves identifying what data is considered sensitive and needs protection, such as personal information or financial data.
  • IT teams should replicate security settings from production to non-production databases. This means using the same access controls and monitoring tools to prevent unauthorised access.
  • Managers should ensure staff handling non-production databases are trained in data privacy and security policies. This training should include understanding what data should remain confidential and why safeguarding it is critical.
  • Security officers should perform regular checks to verify that non-production databases are as secure as production databases. They can do this by reviewing access logs and applying security updates to all environments at the same time.
  • Procurement teams should ensure any third-party tools or services used with non-production databases conform to the same security standards as those used with production databases. They should validate this during the vendor selection process by asking for security certifications.

Audit / evidence tips

  • Ask for the non-production database security policy: request documentation that describes the security measures applied to non-production databases

    Good: a document that lists identical security protocols across environments

  • Ask to see access logs for non-production databases: request access records to check who has accessed these databases

    Good: logs that show access controls aligned with those of the production databases

  • Ask for training records: request records showing which staff have been trained in handling non-production data securely

    Good: records that include recent training on data security relevant to each person's role

  • Ask for regular security review reports: request documentation from security officers on their database checks

    Good: reports that show regular audits with issues identified and resolved

  • Ask for vendor compliance certificates: request documentation from procurement about third-party vendor compliance

    Good: up-to-date certificates against trusted cybersecurity standards

Cross-framework mappings

How ISM-1274 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.31 ISM-1274 requires that production database contents are not used in non-production unless the non-production environment is secured to at...
