Annex A 8.31 (ISO/IEC 27001:2022)

Separation of Development, Test, and Production Environments

Ensure development, testing, and production systems are separate to avoid disrupting live services.

Plain language

Imagine having your rehearsal for a play mixed up with the actual performance on stage! Keeping development, testing, and the real software you use separate is just like that. It ensures that your everyday work isn't disrupted by unpredictable changes or errors, which helps keep things running smoothly and securely.

Framework

ISO/IEC 27001:2022

Control effect

Preventative

ISO 27001 domain

Technological controls

Classifications

N/A

Official last update

24 Oct 2022

Control Stack last updated

18 May 2026

Maturity levels

N/A

Official control statement

Development, testing and production environments shall be separated and secured.
Source: ISO/IEC 27001:2022, Annex A 8.31

Why it matters

Mixing development and production increases the risk of downtime and data breaches when untested changes affect live services.

Operational notes

Regularly confirm dev/test accounts, tools, and pipelines cannot access or run in production, and review environment boundaries.

Implementation tips

  • The IT manager should ensure that development, testing, and production systems are kept in separate environments. This can be done by using different servers or virtual spaces for each, ensuring no overlap. According to ISO 27002:2022, this separation protects your live systems from being affected by new developments or tests.
  • The security officer must verify that there are strict access controls in place between these environments. This involves setting up permissions so only authorised personnel can access these systems, aligned with Australian standards such as CPS 234. This helps prevent unauthorised changes or data breaches.
  • The software development team should implement a change management process to track and authorise changes from development to production. This involves documenting all changes and getting approval before pushing them live, as suggested by ISO 27002:2022 guidance.
  • The IT security team should regularly patch and update all tools in the development and testing environments. Following the Australian Cyber Security Centre's guidelines ensures these systems are not vulnerable to security threats.
  • The operations manager should conduct regular reviews and training to make sure each environment is accurately labelled. This involves clearly marking which environment is which, to avoid human error as outlined in ISO 27002:2022.
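The operational notes and the implementation tips above describe a recurring check: dev/test identities and pipelines must hold no access in production, and every production deployment must be tied to an authorised change with testing evidence. The following is an added example of that boundary audit, not part of the control library; it runs over constructed sample records, and the identity names, change ids and data model (a principal's home environment, role bindings per environment, change records with approval and test-evidence flags) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

PROD = "production"
NON_PROD = {"development", "test"}

@dataclass(frozen=True)
class Binding:
    principal: str   # account, service account or pipeline identity
    home_env: str    # environment the identity was created for
    env: str         # environment in which the role applies
    role: str

@dataclass(frozen=True)
class Deployment:
    pipeline: str
    env: str
    change_id: Optional[str]   # change record cited by the deployment
    approved: bool
    test_evidence: bool

def boundary_findings(bindings, deployments):
    """Return findings for the checks in the operational notes; empty means clean."""
    findings = []
    for b in bindings:
        # A dev/test identity must hold no role at all in production.
        if b.env == PROD and b.home_env in NON_PROD:
            findings.append(f"{b.principal} ({b.home_env}) holds '{b.role}' in {PROD}")
    for d in deployments:
        if d.env != PROD:
            continue  # change control is enforced at the production boundary
        if d.change_id is None:
            findings.append(f"{d.pipeline} deployed to {PROD} without a change record")
        elif not (d.approved and d.test_evidence):
            findings.append(f"{d.pipeline} change {d.change_id} lacks approval or test evidence")
    return findings

# Constructed sample data (hypothetical identities and change ids).
SAMPLE_BINDINGS = [
    Binding("ci-dev-runner", "development", "development", "deployer"),
    Binding("ci-dev-runner", "development", PROD, "deployer"),  # crosses the boundary
    Binding("release-pipeline", PROD, PROD, "deployer"),
]
SAMPLE_DEPLOYMENTS = [
    Deployment("release-pipeline", PROD, "CHG-0042", True, True),
    Deployment("release-pipeline", PROD, "CHG-0043", True, False),  # no test evidence
    Deployment("ci-dev-runner", "development", None, False, False),
]
```

Feeding real role bindings and deployment records (exported from the identity provider and the CI system) into `boundary_findings` turns the periodic review into a repeatable evidence artefact for the audit tips.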
Audit / evidence tips

  • Ask: Request to see the environment separation policy. Good: The policy is comprehensive, with clear guidelines that align with the ISO 27001 requirements.
  • Ask: Obtain access logs for the development and production environments. Good: Access is consistently restricted based on roles, and logs are regularly reviewed.
  • Ask: Request the change management records for recent deployments. Good: Each change is well-documented, authorised, and includes testing evidence.
  • Ask: Review the system update and patch management schedules for development tools. Good: Patch management is actively maintained and demonstrates consistent updating.
  • Ask: Request a demonstration of environment identification practices. Good: Environments are clearly labelled, reducing the risk of confusion and errors.
Cross-framework mappings

How Annex A 8.31 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Supports (3)

  • E8-RA-ML1.6: Annex A 8.31 requires development, testing and production environments to be separated and secured
  • E8-RA-ML1.7: Annex A 8.31 requires development, test and production environments to be separated and secured to prevent inappropriate access and impac...
  • E8-RA-ML2.3: Annex A 8.31 requires organisations to separate and secure development, test and production environments

ASD ISM

Partially meets (1)

  • ISM-1970: ISM-1970 mandates the use of a dedicated environment for analysing malicious code to prevent interference with other systems

Partially overlaps (3)

  • ISM-0385: ISM-0385 requires servers to maintain effective functional separation from other servers so they can operate independently
  • ISM-1273: Annex A 8.31 requires development, testing and production environments to be separated and secured
  • ISM-1420: ISM-1420 requires that production data is only used in non-production environments when those environments are secured to at least the sa...

Supports (3)

  • ISM-1274: Annex A 8.31 requires separation and security controls between development, test and production environments to prevent compromise or dis...
  • ISM-1689: Annex A 8.31 requires development, testing and production environments to be separated and secured
  • ISM-1816: ISM-1816 requires protecting the authoritative software source from unauthorised modification

Related (2)

  • ISM-0400: Annex A 8.31 requires development, testing and production environments to be separated and secured
  • ISM-1419: ISM-1419 requires development and modification of software to occur only in development environments, to protect production integrity

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

Want to implement this control?

Mindset Cyber runs PECB-accredited ISO/IEC 27001 training that maps directly to the controls in this library.