In this ultimate how-to-implement guide to ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Separation of development, test and production environments Implementation Checklist
- 1. Enforce Network-Level Segmentation
- 2. Implement Strict Role-Based Access Control (RBAC)
- 3. Mandate CI/CD Deployment Pipelines
- 4. Segregate Configuration Secrets
- 5. Sanitise Test Data
- 6. Differentiate Environments Visually
- 7. Restrict Compilers and Dev Tools in Prod
- 8. Implement “Break-Glass” Procedures
- 9. Lock Down Deployment Endpoints
- 10. Separate Backups and Archives
- ISO 27001 Annex A 8.31 SaaS / GRC Platform Implementation Failure Checklist
Implementing ISO 27001 Annex A 8.31 requires the rigid separation of development, testing, and production environments to maintain system integrity. In practice this means network-level segmentation and strict access restrictions so that code is verified before it reaches production. The business benefit is preventing unauthorised changes and leakage of confidential data.
ISO 27001 Separation of development, test and production environments Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.31. This control necessitates a rigid logical and physical separation between development, test, and production environments to prevent unauthorised changes and data leakage.
1. Enforce Network-Level Segmentation
Control Requirement: Production environments must be isolated on the network level from development and test environments.
Required Implementation Step: Configure distinct VLANs or VPCs (Virtual Private Clouds) for Prod, Stage, and Dev. Implement ‘Deny All’ firewall rules between the Development network and the Production database ports; developers must not have a direct network route to production data stores.
Minimum Requirement: A TCP connection attempt from a development server to a production database port (for example `nc -zv -w 3 prod-db 5432`) must be refused or time out. A failed `ping` on its own only shows that ICMP is filtered; it does not prove that the database port is unreachable.
2. Implement Strict Role-Based Access Control (RBAC)
Control Requirement: Access rights must be restricted based on the environment’s classification.
Required Implementation Step: Audit your Identity Provider (IdP) groups. Remove ‘Write’ and ‘Execute’ permissions for the ‘Developers’ group in the Production environment; developers should only have access to view logs or metrics, not to modify infrastructure or data.
Minimum Requirement: Developers have Read-Only access to Production; only DevOps/SRE or CI/CD service accounts have Write access.
3. Mandate CI/CD Deployment Pipelines
Control Requirement: Changes to production must not be made manually by individuals.
Required Implementation Step: Disable SSH/RDP access for code deployment. Configure a CI/CD pipeline (e.g., Jenkins, GitLab CI, GitHub Actions) that is the only authorised mechanism to promote code from Staging to Production, ensuring an audit trail of every release.
Minimum Requirement: Direct editing of code on production servers is technically blocked.
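The three checklist items above can be turned into an automated check that runs against an inventory export before an audit. The script below is an added example, not tooling from the guide or from the ISO standard; the networks, group names, hosts and rules are constructed for illustration, and the firewall model is a simple first-match rule list standing in for whatever security-group or VLAN ACL export your estate produces. It tests the database ports directly (item 1), flags any group other than SRE or the pipeline service account holding write or execute rights in production (item 2), and flags production hosts that are deployed manually or that grant developers an interactive shell (item 3).

```python
"""Audit a constructed environment inventory against Annex A 8.31 checklist
items 1-3.  Added example, not the guide's own tooling; every network, group,
host name and rule below is an assumption made for illustration."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class FirewallRule:
    action: str                     # "allow" or "deny"; first matching rule wins
    src: str                        # source CIDR
    dst: str                        # destination CIDR
    ports: frozenset = frozenset()  # destination TCP ports; empty means any port


@dataclass(frozen=True)
class RoleBinding:
    group: str                      # IdP group name
    environment: str                # "dev", "stage" or "prod"
    permissions: frozenset          # subset of {"read", "write", "execute"}


@dataclass(frozen=True)
class Host:
    name: str
    environment: str
    ssh_groups: frozenset           # IdP groups allowed an interactive SSH/RDP session
    deploy_via: str                 # "pipeline" or "manual"


# Constructed inventory values (assumed, not taken from any real estate).
NETWORKS = {"dev": "10.10.0.0/16", "stage": "10.20.0.0/16", "prod": "10.30.0.0/16"}
PROD_DB_PORTS = frozenset({5432, 3306, 1433})
WRITE_ALLOWED_IN_PROD = frozenset({"SRE", "ci-deploy"})


def first_match(rules, src_ip, dst_ip, port):
    """Return the action of the first rule matching the flow; default deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (not r.ports or port in r.ports)):
            return r.action
    return "deny"


def check_segmentation(rules, dev_host="10.10.1.5", prod_db="10.30.5.10"):
    """Item 1: no TCP path from a dev host to production database ports.
    Checks the DB ports themselves, so a blocked ping cannot mask an open port."""
    return [f"dev host {dev_host} can reach prod DB {prod_db}:{p}"
            for p in sorted(PROD_DB_PORTS)
            if first_match(rules, dev_host, prod_db, p) == "allow"]


def check_rbac(bindings):
    """Item 2: in prod only SRE and the pipeline service account may write/execute."""
    return [f"group {b.group} has {sorted(b.permissions & {'write', 'execute'})} in prod"
            for b in bindings
            if b.environment == "prod"
            and b.permissions & {"write", "execute"}
            and b.group not in WRITE_ALLOWED_IN_PROD]


def check_deployment_path(hosts):
    """Item 3: prod hosts are deployed by the pipeline and developers have no shell."""
    findings = []
    for h in hosts:
        if h.environment != "prod":
            continue
        if h.deploy_via != "pipeline":
            findings.append(f"{h.name} deployed via {h.deploy_via}, not the pipeline")
        if "Developers" in h.ssh_groups:
            findings.append(f"{h.name} allows interactive SSH/RDP for Developers")
    return findings


def audit(rules, bindings, hosts):
    """Run all three checks; an empty list means the inventory passes."""
    return check_segmentation(rules) + check_rbac(bindings) + check_deployment_path(hosts)


# A deliberately non-compliant sample estate so that each check produces a finding.
SAMPLE_RULES = [
    FirewallRule("allow", NETWORKS["dev"], NETWORKS["prod"], frozenset({5432})),  # stray allow
    FirewallRule("deny", NETWORKS["dev"], NETWORKS["prod"]),
    FirewallRule("allow", NETWORKS["stage"], NETWORKS["prod"]),
]
SAMPLE_BINDINGS = [
    RoleBinding("Developers", "dev", frozenset({"read", "write", "execute"})),
    RoleBinding("Developers", "prod", frozenset({"read", "write"})),  # should be read only
    RoleBinding("SRE", "prod", frozenset({"read", "write", "execute"})),
    RoleBinding("ci-deploy", "prod", frozenset({"write", "execute"})),
]
SAMPLE_HOSTS = [
    Host("web-prod-01", "prod", frozenset({"SRE"}), "pipeline"),
    Host("web-prod-02", "prod", frozenset({"SRE", "Developers"}), "manual"),
    Host("web-dev-01", "dev", frozenset({"Developers"}), "manual"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, SAMPLE_BINDINGS, SAMPLE_HOSTS):
        print("FAIL:", finding)
```

Removing the stray `allow` rule at the top of `SAMPLE_RULES` makes the segmentation check pass, which is the kind of before/after evidence an auditor will ask to see alongside the policy document.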