Ensure Non-Production Security Matches Production
Data from live systems can't be used in test setups unless test setups are just as secure.
Plain language
This control ensures that if you want to use real data from your live systems for testing purposes, your test environment must be just as secure as your live environment. If the test setup isn’t up to par, sensitive information could be exposed, leading to privacy breaches or data loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Data from production environments is not used in non-production environments unless the non-production environment is secured to at least the same level as the production environment.
Why it matters
If non-production isn’t secured like production, using production data in test/dev can expose sensitive information and cause a breach.
Operational notes
Only use production data in non-production when controls match production; verify via audits and apply equivalent access, logging and patching.
Implementation tips
- The IT team should review the security settings of the non-production environment. They need to do a thorough comparison between the test environment’s and the production environment’s security configurations to make sure they are on the same level.
- Managers should ensure that staff are aware of the policy of not using live data in test environments without proper security. This can be done through regular training sessions and updates to internal policy documents.
- System administrators should put in place configurable alerts to detect any data transfers from production to non-production environments that happen outside of approved processes. They can use simple software tools that track data flows and alert on anomalies.
- The legal team should draft agreements or internal policies clearly outlining the restrictions and conditions for using production data in non-production contexts. These documents should be easily accessible to all staff members.
- System auditors should conduct regular checks to confirm that test environments are updated to the same security standard as production. They can follow a checklist that compares the applied security patches and permissions settings between environments.
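The operational note on verifying parity before any copy, the tip on alerting for transfers outside approved processes, and the auditor's checklist comparing patches and permissions can all be expressed as a small check. The following is an added example, not code from the Control Stack page or from the ISM; the environment baselines, the transfer log lines and the change-reference format `CHG-nnnn` are constructed sample data, and the field names are assumptions chosen for the example.

```python
"""
Added example (not from the page or the ISM): a production/non-production
parity gate plus a scan of a constructed transfer log for copies of
production data that carry no approved change reference.
"""
from dataclasses import dataclass


@dataclass
class EnvBaseline:
    """Security baseline of one environment (constructed fields, not an ISM schema)."""
    name: str
    patches: set           # identifiers of installed security updates
    admins: set            # accounts holding administrative access
    encryption_at_rest: bool
    central_logging: bool
    mfa_required: bool


def parity_findings(prod: EnvBaseline, nonprod: EnvBaseline) -> list:
    """Return every way nonprod is weaker than prod; an empty list means parity."""
    findings = []
    missing = prod.patches - nonprod.patches          # patch lag behind production
    if missing:
        findings.append(f"patch lag in {nonprod.name}: {sorted(missing)}")
    extra_admins = nonprod.admins - prod.admins       # access broader than production
    if extra_admins:
        findings.append(f"broader admin access in {nonprod.name}: {sorted(extra_admins)}")
    for flag in ("encryption_at_rest", "central_logging", "mfa_required"):
        if getattr(prod, flag) and not getattr(nonprod, flag):
            findings.append(f"{flag} enabled in {prod.name} but not in {nonprod.name}")
    return findings


def production_data_permitted(prod: EnvBaseline, nonprod: EnvBaseline) -> bool:
    """ISM-1420 gate: production data may enter nonprod only when nothing is weaker."""
    return not parity_findings(prod, nonprod)


# Constructed baselines for a demonstration run.
PROD = EnvBaseline("prod", {"KB1", "KB2", "KB3"}, {"ops-admin"}, True, True, True)
UAT = EnvBaseline("uat", {"KB1", "KB2"}, {"ops-admin", "dev-lead"}, True, False, True)
UAT_HARDENED = EnvBaseline("uat", {"KB1", "KB2", "KB3", "KB4"}, {"ops-admin"}, True, True, True)

# Constructed transfer log: one copy job per line, ref is the change ticket or "-".
SAMPLE_TRANSFER_LOG = [
    "2025-02-03T10:12:00Z user=alice src=prod-db dst=uat-db rows=120000 ref=CHG-1042",
    "2025-02-03T11:40:00Z user=bob src=prod-db dst=dev-db rows=5000 ref=-",
    "2025-02-04T09:05:00Z user=carol src=uat-db dst=dev-db rows=800 ref=-",
    "2025-02-04T15:30:00Z user=dave src=prod-files dst=test-share rows=300 ref=CHG-9999",
]
APPROVED_REFS = {"CHG-1042"}   # constructed: tickets approved through the documented process


def parse_transfer(line: str) -> dict:
    """Turn one 'key=value' log line into a dict, keeping the timestamp under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec


def unapproved_prod_transfers(lines, approved_refs, prod_prefix="prod-") -> list:
    """Alert on every copy whose source is production and whose ref is not approved."""
    alerts = []
    for line in lines:
        rec = parse_transfer(line)
        if not rec["src"].startswith(prod_prefix):
            continue                        # non-production source: out of scope
        if rec["ref"] not in approved_refs:
            alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for f in parity_findings(PROD, UAT):
        print("finding:", f)
    print("production data permitted into uat:", production_data_permitted(PROD, UAT))
    print("after hardening:", production_data_permitted(PROD, UAT_HARDENED))
    for a in unapproved_prod_transfers(SAMPLE_TRANSFER_LOG, APPROVED_REFS):
        print("ALERT unapproved transfer:", a["ts"], a["user"], a["src"], "->", a["dst"])
```

The parity check is deliberately one-directional: a non-production environment may be stricter than production, but any dimension where it is weaker blocks the copy. The log scan ignores copies between non-production systems, so only the movement the control governs (production outward) raises an alert.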
Audit / evidence tips
- Ask: the security configuration documentation for both production and non-production environments. Good: setup shows encryption and access controls that match in both environments.
- Good: shows a log with only authorised and documented transfers.
- Ask: recent security update records applied to both environments. Good: result is a matching list of updates showing no lag between environments.
- Good: shows regular sessions with updated materials covering the control.
- Ask: documentation of the oversight mechanisms in place to ensure compliance with this control. Good: includes detailed reports showing ongoing compliance and any issues being addressed.
Cross-framework mappings
How ISM-1420 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 8.31 | ISM-1420 requires that production data is only used in non-production environments when those environments are secured to at least the sa... |
| Supports | Annex A 5.8 | Annex A 5.8 requires security to be built into project management, including environment design and testing practices |
| Supports | Annex A 5.14 | ISM-1420 requires controlling the movement of production data so it is not placed into non-production unless the receiving environment is... |
| Depends on | Annex A 5.15 | ISM-1420 requires organisations to ensure non-production environments meet production-equivalent security before using production data in... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.