- See ISO 27002:2022 Control 8.31 for more information.
- See ISO 27001:2013 Annex A 12.1.4 for more information.
- See ISO 27001:2013 Annex A 14.2.6 for more information.
ISO 27001 Annex A 8.31: Why Separating Development, Test, and Production Environments is Critical
Failing to separate development, test, and production environments accurately could lead to a loss of availability, confidentiality, and integrity of information assets.
For instance, Uber mistakenly put up a code repository on Github which included passwords from their production environment, thus compromising the confidentiality of sensitive data.
Organisations should establish suitable protocols and regulations to firmly separate development, testing, and production settings in order to eradicate security hazards.
Purpose of ISO 27001:2022 Annex A 8.31
ISO 27001:2022 Annex A 8.31 facilitates organisations in preserving the confidentiality, integrity, and availability of sensitive information assets via suitable processes, controls, and regulations. It does this by isolating development, testing, and production environments.
Ownership of Annex A 8.31
The Chief Information Security Officer, with the assistance of the development team, shall be ultimately responsible for adhering to ISO 27001:2022 Annex A 8.31, which requires the establishment and implementation of organisation-wide processes and controls to separate different software environments.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
General Guidance on ISO 27001:2022 Annex A 8.31 Compliance
Organisations should consider the production issues that should be avoided when deciding on the necessary degree of separation between the three environments.
Annex A 8.31 suggests organisations bear in mind seven criteria:
- Segregation of development and production systems to a satisfactory level is recommended. For instance, utilising distinct virtual and physical environments for production could be a viable solution.
- Rules and authorisation procedures must be drafted, documented and implemented regarding the use of software in the production environment after it has passed through the development environment.
- Organisations should evaluate and trial alterations to applications and production systems in an isolated test setting, excluded from the production environment, prior to implementing them in the production environment.
- No testing in production environments should occur unless it has been precisely defined and authorised beforehand.
- Development resources, such as compilers and editors, should not be available in production environments unless it is absolutely essential.
- To reduce mistakes, correct environment labels should be prominently featured in menus.
- No sensitive information assets should be transferred into any dev or testing systems unless equivalent security measures are in place.
Guidance on Protection of Development and Testing Environments
Organisations should safeguard development and testing environments from potential security hazards, considering the following:
- Ensure all development, integration and testing tools, e.g. builders, integrators and libraries, are regularly patched and kept up to date.
- Ensure all systems and software are securely set up.
- Appropriate controls must be in place for access to environments.
- Changes to environments and their codes should be monitored and reviewed.
- Secure monitoring and review of environments should be undertaken.
- Environments should be safeguarded with backups.
No individual should be granted the prerogative to make changes to both development and production environments without obtaining approval beforehand. To avoid this, organisations can separate access rights or put in place and execute access controls.
Organisations can contemplate further technical controls, such as logging all access activities and monitoring access to these environments in real-time.
Supplementary Guidance on Annex A 8.31
If organisations do not take the necessary steps, their information systems can be exposed to substantial security hazards.
Developers and testers with access to the production environment may make unintended alterations to files or system settings, run unauthorised code, or inadvertently reveal sensitive data.
Organisations require a steady setting to perform thorough testing on their code, barring developers from accessing production environments that store and process sensitive real-world data.
Organisations should assign specific roles and enforce separation of duties.
The development and testing teams can risk compromising the confidential production data if using the same computing devices. Inadvertent changes to sensitive information or software programs may be made.
Organisations are urged to set up aiding processes to use production data in testing and development systems in agreement with ISO 27001:2022 Annex A 8.33.
Organisations should consider the measures discussed in this Annex A Control when carrying out end-user training in training settings.
Lastly, organisations can obscure the boundaries between development, testing and production settings. For instance, testing may be conducted in a development environment, or staff may test the product by actually using it.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Changes and Differences from ISO 27001:2013
ISO 27001:2022 Annex A 8.31 replaces ISO 27001:2013 Annex A 12.1.4 and ISO 27001:2013 Annex A 14.2.6. This revision makes the necessary adjustments to bring the standard in line with the most current practices.
The two versions share a great deal in common, but two differences are noteworthy.
ISO 27001:2013 Annex A 14.2.6 Provided More Detailed Guidance on Secure Development Environments
ISO 27001:2013 Annex A 14.2.6 deals with secure development environments and outlines 10 recommendations for organisations to consider when constructing a development environment.
In comparison, ISO 27001:2022 Annex A 8.33 does not include certain proposals, like having a back-up at a distant location and limitations on data transfer.
ISO 27001:2022 Annex A 8.31 Addresses Product Testing and the Use of Production Data
In comparison to ISO 27001:2013, ISO 27001:2022 Annex A 8.31 offers guidance on product testing and utilisation of production data in line with ISO 27001:2022 Annex A 8.33.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
How ISMS.online Help
ISMS.Online provides support for the entirety of ISO 27001 implementation, from risk assessment to the creation of policies, procedures, and guidelines to adhere to the standard.
ISMS.Online offers a convenient approach for recording discoveries and sharing them with colleagues online. It further enables you to craft and store checklists for each ISO 27001 task, enabling you to monitor your organisation’s security program effortlessly.
We also provide organisations with an automated tool-set which facilitates compliance with the ISO 27001 standard. Its user-friendly design makes it simple to prove conformance.
Get in touch with us now to arrange a demonstration.
