ISO 27001 Control 8.31: Separation of Development, Test and Production Environments
Production data breaches often start in uncontrolled dev or test environments. ISO 27001 8.31 requires strict separation between these environments to eliminate a common attack vector. For SMBs, this means isolating infrastructure, access controls, and data flows before they threaten your live systems.
What this means
Development, testing, and production environments must operate independently with separate security controls. This prevents developers from accidentally or maliciously modifying production data, deploying untested code, or gaining unnecessary access to customer information. Each environment should have its own infrastructure, credentials, and change management processes.
How to comply
- 1.Create separate infrastructure (servers, databases, networks) for dev, test, and production environments
- 2.Implement distinct access controls—developers should not have production credentials or database access
- 3.Use isolated data sets in development and testing; never copy production data without masking sensitive information
- 4.Establish separate change management workflows for each environment with appropriate approval levels
- 5.Monitor and log all access and changes within each environment independently
- 6.Document environment configurations and access policies; review quarterly
- 7.Automate promotion of code from dev → test → production to reduce manual errors
Evidence auditors look for
- Network diagrams showing logical separation between environments
- Access control matrices documenting user roles per environment
- Change logs from dev, test, and production systems showing independent histories
- Data masking policies applied to non-production databases
- CI/CD pipeline configuration enforcing staged deployments
- System access audit reports by environment
- Approved access request forms with environment-specific approvals
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically detects unauthorized access attempts across dev, test, and production environments and flags policy violations in real-time, eliminating manual log reviews.
See how GRCWatch handles this control automatically
Start free trial