GRCWatch
Sign inStart free trial

ISO 27001 Control 8.31: Separation of Development, Test and Production Environments

Production data breaches often start in uncontrolled dev or test environments. ISO 27001 8.31 requires strict separation between these environments to eliminate a common attack vector. For SMBs, this means isolating infrastructure, access controls, and data flows before they threaten your live systems.

What this means

Development, testing, and production environments must operate independently with separate security controls. This prevents developers from accidentally or maliciously modifying production data, deploying untested code, or gaining unnecessary access to customer information. Each environment should have its own infrastructure, credentials, and change management processes.

How to comply

  1. 1.Create separate infrastructure (servers, databases, networks) for dev, test, and production environments
  2. 2.Implement distinct access controls—developers should not have production credentials or database access
  3. 3.Use isolated data sets in development and testing; never copy production data without masking sensitive information
  4. 4.Establish separate change management workflows for each environment with appropriate approval levels
  5. 5.Monitor and log all access and changes within each environment independently
  6. 6.Document environment configurations and access policies; review quarterly
  7. 7.Automate promotion of code from dev → test → production to reduce manual errors

Evidence auditors look for

  • Network diagrams showing logical separation between environments
  • Access control matrices documenting user roles per environment
  • Change logs from dev, test, and production systems showing independent histories
  • Data masking policies applied to non-production databases
  • CI/CD pipeline configuration enforcing staged deployments
  • System access audit reports by environment
  • Approved access request forms with environment-specific approvals

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically detects unauthorized access attempts across dev, test, and production environments and flags policy violations in real-time, eliminating manual log reviews.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 8.1 — User Access ManagementISO 27001 8.2 — User ResponsibilitiesISO 27001 8.3 — Access ControlISO 27001 8.6 — Access ReviewISO 27001 8.7 — Removal of Access RightsISO 27001 8.33 — Protection of Information Systems Testing Facilities