Table of contents
- ISO 27002 Separation of Development, Test and Production Environments
- What is ISO 27002:2022 Control 8.31?
- Definition of ISO 27002 Control 8.31
- Purpose of ISO 27002 Control 8.31
- Ownership of ISO 27002 Control 8.31
- Compliance Guidance
- Supplementary Guidance on ISO 27002 Control 8.31
- Changes and Differences to ISO 27002:2013
- ISO 27002 Control 8.31 FAQ
- ISO 27002 Control 8.31 Attributes Table
ISO 27002 Separation of Development, Test and Production Environments
Separating and managing development, testing, and production environments is crucial for safeguarding the confidentiality, integrity, and availability of information. By keeping these environments distinct, organisations minimise the risk of accidental or unauthorised changes to production systems and data throughout the software development lifecycle.
What is ISO 27002:2022 Control 8.31?
ISO 27002 Control 8.31, Separation of Development, Test and Production Environments, provides guidance on how to implement ISO 27001 Annex A 8.31.
Definition of ISO 27002 Control 8.31
ISO 27002 defines Control 8.31 as: "Development, testing and production environments should be separated and secured."
Purpose of ISO 27002 Control 8.31
This is a preventive control designed to safeguard the production environment and data from risks associated with development and testing activities.
Ownership of ISO 27002 Control 8.31
The Chief Information Security Officer (CISO), in collaboration with the development team, is ultimately accountable for compliance with Control 8.31, which mandates the establishment and implementation of organisation-wide processes and controls for segregating different software environments.
Compliance Guidance
To prevent production issues, organisations must establish and maintain appropriate separation between production, testing, and development environments. Key considerations include:
Environment Isolation:
- Isolate development and production systems, such as through separate virtual or physical environments.
- Define and enforce strict rules and authorisations for software deployments across environments.
- Conduct thorough testing of all changes in dedicated testing or staging environments before deploying to production.
- Strictly prohibit testing in production environments except in pre-defined and approved circumstances.
- Restrict access to development tools (compilers, editors, etc.) from production systems when not necessary.
- Implement clear environment identification labels (e.g., in menus) to minimise the risk of errors.
- Ensure that sensitive information copied into development and testing environments has equivalent security controls.
Environment Security:
- Maintain all development, integration, and testing tools (builders, integrators, compilers, etc.) with the latest patches and updates.
- Securely configure all systems and software within these environments.
- Implement robust access control mechanisms for each environment.
- Monitor changes to the environment and stored code.
- Securely monitor all environment activities.
- Maintain regular backups of all development and testing environments.
Change Control:
- Prevent single individuals from making changes to both development and production environments without prior review and approval. This can be achieved through access control segregation or by enforcing and monitoring change control rules.
- Implement additional safeguards in exceptional situations, such as detailed logging.
Supplementary Guidance on ISO 27002 Control 8.31
Developers and testers with access to production systems pose significant risks, including accidental data breaches, system instability, and unauthorised code execution.
Therefore, organisations need a stable environment for testing their code. This helps prevent developers from accessing the main systems where important, real-world data is stored and used.
Key recommendations:
- Strict separation: Isolate development, testing, and production environments to minimise risks.
- Access control: Implement strong access controls, including role-based access and segregation of duties.
- Robust monitoring: Continuously monitor all activities within the production environment.
- Flexible approaches: Consider alternative testing methods like controlled rollouts and live user testing within the organisation.
- Data security: Implement secure processes for handling production data in development and testing environments.
Other important considerations:
- Testing within development: In some cases, testing can be done within the development environment.
- Real-world testing: Organisations can also test their products by having employees use them in real-world situations.
- Training environments: The security principles outlined in this Control should also be considered when setting up training environments for users.
Changes and Differences to ISO 27002:2013
ISO 27002:2022 Control 8.31 now covers the material previously found in ISO 27002:2013 Controls 12.1.4 and 14.2.6. While these versions are mostly the same, there are some key differences:
Less Detail on Secure Development Environments:
The 2013 version (Control 14.2.6) provided more detailed guidance on building secure development environments, including recommendations like off-site backups and data transfer restrictions. These specific recommendations are not included in the 2022 version.
Focus on Product Testing:
Unlike the 2013 version, Control 8.31 in the 2022 version now includes guidance on how to properly test products and how to use production data for testing, aligning with the requirements of Control 8.33.
ISO 27002 Control 8.31 FAQ
ISO 27001 Annex A 8.31 is the information security control requirement of the ISO 27001 standard for ISO 27001 certification. ISO 27002 Control 8.31 is the implementation guidance for the control.
Yes, Separation of Development, Test and Production Environments is a required information security control for ISO 27001 certification.
ISO 27002 Control 8.31 Attributes Table
Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
---|---|---|---|---|
Preventive | Confidentiality, Integrity, Availability | Protect | Application Security, System and Network Security | Protection |