ISO 27001:2022 Annex A Control 8.31

Separation of Development, Test and Production Environments


Failing to properly separate development, test and production environments can lead to a loss of availability, confidentiality and integrity of information assets.

For instance, Uber mistakenly published a code repository on GitHub that contained passwords from its production environment, compromising the confidentiality of sensitive data.

Organisations should establish suitable procedures and rules to firmly separate development, testing and production environments in order to eliminate these security risks.

Purpose of ISO 27001:2022 Annex A 8.31

ISO 27001:2022 Annex A 8.31 facilitates organisations in preserving the confidentiality, integrity, and availability of sensitive information assets via suitable processes, controls, and regulations. It does this by isolating development, testing, and production environments.

Ownership of Annex A 8.31

The Chief Information Security Officer, with the assistance of the development team, shall be ultimately responsible for adhering to ISO 27001:2022 Annex A 8.31, which requires the establishment and implementation of organisation-wide processes and controls to separate different software environments.

General Guidance on ISO 27001:2022 Annex A 8.31 Compliance

When deciding on the necessary degree of separation between the three environments, organisations should consider which production problems the separation is intended to prevent.

Annex A 8.31 suggests organisations bear in mind seven criteria:

  1. Segregation of development and production systems to a satisfactory level is recommended. For instance, utilising distinct virtual and physical environments for production could be a viable solution.
  2. Rules and authorisation procedures must be drafted, documented and implemented regarding the use of software in the production environment after it has passed through the development environment.
  3. Organisations should evaluate and trial alterations to applications and production systems in an isolated test setting, excluded from the production environment, prior to implementing them in the production environment.
  4. No testing in production environments should occur unless it has been precisely defined and authorised beforehand.
  5. Development resources, such as compilers and editors, should not be available in production environments unless it is absolutely essential.
  6. To reduce mistakes, correct environment labels should be prominently featured in menus.
  7. No sensitive information assets should be transferred into any dev or testing systems unless equivalent security measures are in place.

Guidance on Protection of Development and Testing Environments

Organisations should safeguard development and testing environments from potential security hazards, considering the following:

  • Ensure all development, integration and testing tools, e.g. builders, integrators and libraries, are regularly patched and kept up to date.
  • Ensure all systems and software are securely set up.
  • Appropriate controls must be in place for access to environments.
  • Changes to environments and their code should be monitored and reviewed.
  • Secure monitoring and review of environments should be undertaken.
  • Environments should be safeguarded with backups.

No individual should be able to make changes to both development and production environments without obtaining approval beforehand. To enforce this, organisations can separate access rights, or implement and enforce access controls.

Organisations can contemplate further technical controls, such as logging all access activities and monitoring access to these environments in real-time.
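The seven criteria above and the separation-of-duties requirement lend themselves to automated checking against an asset and access inventory. The following script is an added illustration, not code from ISMS.online or from the standard; the inventory format, the list of "development tools", the hosts, users and approvals are all constructed sample values. It reports a finding for each criterion it can test: development tools on a production host (criterion 5), a login banner that does not name the environment (criterion 6), unmasked sensitive data outside production (criterion 7, with masking standing in for the "equivalent security measures"), and any identity holding change rights on both development and production without a recorded approval.

```python
"""Environment-separation policy checks for Annex A 8.31.

Added example, not ISMS.online's or ISO's own code. The inventory layout,
the DEV_TOOLS set and every sample value below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Criterion 5: development resources that should not normally be present
# in production. Constructed list; tailor it to the real estate.
DEV_TOOLS = {"gcc", "make", "python3-dev", "vim", "nodejs-dev"}


@dataclass
class Host:
    name: str
    environment: str            # "dev", "test" or "prod"
    banner: str                 # login banner / menu label shown to operators
    packages: set = field(default_factory=set)
    data_classification: str = "public"   # "public", "internal" or "sensitive"
    masked: bool = False        # True if sensitive data has been masked (A 8.33)


@dataclass
class Grant:
    user: str
    environment: str
    right: str                  # "read" or "change"


@dataclass
class Inventory:
    hosts: list
    grants: list
    approvals: set              # users pre-approved to change both dev and prod


def check_dev_tools_in_prod(inv):
    """Criterion 5: development resources must not be available in production."""
    return [f"{h.name}: dev tool '{p}' installed in production"
            for h in inv.hosts if h.environment == "prod"
            for p in sorted(h.packages & DEV_TOOLS)]


def check_environment_labels(inv):
    """Criterion 6: the environment name must appear in the banner/menu label."""
    return [f"{h.name}: banner does not state environment '{h.environment}'"
            for h in inv.hosts
            if h.environment.upper() not in h.banner.upper()]


def check_sensitive_data_outside_prod(inv):
    """Criterion 7: no sensitive data in dev/test unless equivalently protected."""
    return [f"{h.name}: unmasked sensitive data in {h.environment}"
            for h in inv.hosts
            if h.environment != "prod"
            and h.data_classification == "sensitive"
            and not h.masked]


def check_separation_of_duties(inv):
    """Nobody may hold change rights on both dev and prod without prior approval."""
    change_envs = {}
    for g in inv.grants:
        if g.right == "change":
            change_envs.setdefault(g.user, set()).add(g.environment)
    return [f"{u}: change rights on dev and prod without approval"
            for u, envs in sorted(change_envs.items())
            if {"dev", "prod"} <= envs and u not in inv.approvals]


def run_all(inv):
    """Run every check and return the combined list of findings."""
    findings = []
    for check in (check_dev_tools_in_prod, check_environment_labels,
                  check_sensitive_data_outside_prod, check_separation_of_duties):
        findings.extend(check(inv))
    return findings


# Constructed sample inventory: one host per environment, three users.
SAMPLE = Inventory(
    hosts=[
        Host("app-prod-01", "prod", "*** PRODUCTION - app-prod-01 ***",
             {"nginx", "gcc"}, "sensitive", False),
        Host("appsrv-02", "test", "appsrv-02",
             {"nginx", "gcc"}, "sensitive", False),
        Host("app-dev-01", "dev", "[DEV] app-dev-01",
             {"nginx", "gcc", "vim"}, "sensitive", True),
    ],
    grants=[
        Grant("alice", "dev", "change"), Grant("alice", "prod", "change"),
        Grant("bob", "dev", "change"), Grant("bob", "prod", "read"),
        Grant("carol", "dev", "change"), Grant("carol", "prod", "change"),
    ],
    approvals={"carol"},
)

if __name__ == "__main__":
    for finding in run_all(SAMPLE):
        print(finding)
```

Run against the sample inventory it reports four findings: the compiler on the production host, the test host whose banner does not say "test", the unmasked sensitive data on that same test host, and alice, who can change both environments without an approval on record. Bob passes because his production right is read-only, and carol passes because her dual access has been approved. In practice the inventory would be fed from a CMDB, package manager exports and the IAM system rather than constructed inline.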

Supplementary Guidance on Annex A 8.31

If organisations do not take the necessary steps, their information systems can be exposed to substantial security hazards.

Developers and testers with access to the production environment may make unintended alterations to files or system settings, run unauthorised code, or inadvertently reveal sensitive data.

Organisations require a stable environment in which to test their code thoroughly, while keeping developers out of production environments that store and process sensitive real-world data.

Organisations should assign specific roles and enforce separation of duties.

If development and testing teams use the same computing devices as production, confidential production data is at risk: inadvertent changes may be made to sensitive information or to software programs.

Organisations are urged to set up supporting processes for the use of production data in testing and development systems, in line with ISO 27001:2022 Annex A 8.33.

Organisations should consider the measures discussed in this Annex A Control when carrying out end-user training in training settings.

Lastly, organisations can blur the boundaries between development, testing and production environments. For instance, testing may be conducted in a development environment, or staff may test the product by actually using it.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.31 replaces ISO 27001:2013 Annex A 12.1.4 and ISO 27001:2013 Annex A 14.2.6. This revision makes the necessary adjustments to bring the standard in line with the most current practices.

The two versions share a great deal in common, but two differences are noteworthy.

ISO 27001:2013 Annex A 14.2.6 Provided More Detailed Guidance on Secure Development Environments

ISO 27001:2013 Annex A 14.2.6 deals with secure development environments and outlines 10 recommendations for organisations to consider when constructing a development environment.

In comparison, ISO 27001:2022 Annex A 8.33 does not include certain proposals, like having a back-up at a distant location and limitations on data transfer.

ISO 27001:2022 Annex A 8.31 Addresses Product Testing and the Use of Production Data

In comparison to ISO 27001:2013, ISO 27001:2022 Annex A 8.31 offers guidance on product testing and utilisation of production data in line with ISO 27001:2022 Annex A 8.33.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Control type | ISO/IEC 27001:2022 Annex A identifier | ISO/IEC 27001:2013 Annex A identifier | Annex A name
------------ | ------------------------------------- | ------------------------------------- | ------------
Organisational Controls | 5.1 | 5.1.1, 5.1.2 | Policies for Information Security
Organisational Controls | 5.2 | 6.1.1 | Information Security Roles and Responsibilities
Organisational Controls | 5.3 | 6.1.2 | Segregation of Duties
Organisational Controls | 5.4 | 7.2.1 | Management Responsibilities
Organisational Controls | 5.5 | 6.1.3 | Contact With Authorities
Organisational Controls | 5.6 | 6.1.4 | Contact With Special Interest Groups
Organisational Controls | 5.7 | NEW | Threat Intelligence
Organisational Controls | 5.8 | 6.1.5, 14.1.1 | Information Security in Project Management
Organisational Controls | 5.9 | 8.1.1, 8.1.2 | Inventory of Information and Other Associated Assets
Organisational Controls | 5.10 | 8.1.3, 8.2.3 | Acceptable Use of Information and Other Associated Assets
Organisational Controls | 5.11 | 8.1.4 | Return of Assets
Organisational Controls | 5.12 | 8.2.1 | Classification of Information
Organisational Controls | 5.13 | 8.2.2 | Labelling of Information
Organisational Controls | 5.14 | 13.2.1, 13.2.2, 13.2.3 | Information Transfer
Organisational Controls | 5.15 | 9.1.1, 9.1.2 | Access Control
Organisational Controls | 5.16 | 9.2.1 | Identity Management
Organisational Controls | 5.17 | 9.2.4, 9.3.1, 9.4.3 | Authentication Information
Organisational Controls | 5.18 | 9.2.2, 9.2.5, 9.2.6 | Access Rights
Organisational Controls | 5.19 | 15.1.1 | Information Security in Supplier Relationships
Organisational Controls | 5.20 | 15.1.2 | Addressing Information Security Within Supplier Agreements
Organisational Controls | 5.21 | 15.1.3 | Managing Information Security in the ICT Supply Chain
Organisational Controls | 5.22 | 15.2.1, 15.2.2 | Monitoring, Review and Change Management of Supplier Services
Organisational Controls | 5.23 | NEW | Information Security for Use of Cloud Services
Organisational Controls | 5.24 | 16.1.1 | Information Security Incident Management Planning and Preparation
Organisational Controls | 5.25 | 16.1.4 | Assessment and Decision on Information Security Events
Organisational Controls | 5.26 | 16.1.5 | Response to Information Security Incidents
Organisational Controls | 5.27 | 16.1.6 | Learning From Information Security Incidents
Organisational Controls | 5.28 | 16.1.7 | Collection of Evidence
Organisational Controls | 5.29 | 17.1.1, 17.1.2, 17.1.3 | Information Security During Disruption
Organisational Controls | 5.30 | NEW | ICT Readiness for Business Continuity
Organisational Controls | 5.31 | 18.1.1, 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements
Organisational Controls | 5.32 | 18.1.2 | Intellectual Property Rights
Organisational Controls | 5.33 | 18.1.3 | Protection of Records
Organisational Controls | 5.34 | 18.1.4 | Privacy and Protection of PII
Organisational Controls | 5.35 | 18.2.1 | Independent Review of Information Security
Organisational Controls | 5.36 | 18.2.2, 18.2.3 | Compliance With Policies, Rules and Standards for Information Security
Organisational Controls | 5.37 | 12.1.1 | Documented Operating Procedures

ISO 27001:2022 People Controls

Control type | ISO/IEC 27001:2022 Annex A identifier | ISO/IEC 27001:2013 Annex A identifier | Annex A name
------------ | ------------------------------------- | ------------------------------------- | ------------
People Controls | 6.1 | 7.1.1 | Screening
People Controls | 6.2 | 7.1.2 | Terms and Conditions of Employment
People Controls | 6.3 | 7.2.2 | Information Security Awareness, Education and Training
People Controls | 6.4 | 7.2.3 | Disciplinary Process
People Controls | 6.5 | 7.3.1 | Responsibilities After Termination or Change of Employment
People Controls | 6.6 | 13.2.4 | Confidentiality or Non-Disclosure Agreements
People Controls | 6.7 | 6.2.2 | Remote Working
People Controls | 6.8 | 16.1.2, 16.1.3 | Information Security Event Reporting

ISO 27001:2022 Physical Controls

Control type | ISO/IEC 27001:2022 Annex A identifier | ISO/IEC 27001:2013 Annex A identifier | Annex A name
------------ | ------------------------------------- | ------------------------------------- | ------------
Physical Controls | 7.1 | 11.1.1 | Physical Security Perimeters
Physical Controls | 7.2 | 11.1.2, 11.1.6 | Physical Entry
Physical Controls | 7.3 | 11.1.3 | Securing Offices, Rooms and Facilities
Physical Controls | 7.4 | NEW | Physical Security Monitoring
Physical Controls | 7.5 | 11.1.4 | Protecting Against Physical and Environmental Threats
Physical Controls | 7.6 | 11.1.5 | Working In Secure Areas
Physical Controls | 7.7 | 11.2.9 | Clear Desk and Clear Screen
Physical Controls | 7.8 | 11.2.1 | Equipment Siting and Protection
Physical Controls | 7.9 | 11.2.6 | Security of Assets Off-Premises
Physical Controls | 7.10 | 8.3.1, 8.3.2, 8.3.3, 11.2.5 | Storage Media
Physical Controls | 7.11 | 11.2.2 | Supporting Utilities
Physical Controls | 7.12 | 11.2.3 | Cabling Security
Physical Controls | 7.13 | 11.2.4 | Equipment Maintenance
Physical Controls | 7.14 | 11.2.7 | Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Control type | ISO/IEC 27001:2022 Annex A identifier | ISO/IEC 27001:2013 Annex A identifier | Annex A name
------------ | ------------------------------------- | ------------------------------------- | ------------
Technological Controls | 8.1 | 6.2.1, 11.2.8 | User Endpoint Devices
Technological Controls | 8.2 | 9.2.3 | Privileged Access Rights
Technological Controls | 8.3 | 9.4.1 | Information Access Restriction
Technological Controls | 8.4 | 9.4.5 | Access to Source Code
Technological Controls | 8.5 | 9.4.2 | Secure Authentication
Technological Controls | 8.6 | 12.1.3 | Capacity Management
Technological Controls | 8.7 | 12.2.1 | Protection Against Malware
Technological Controls | 8.8 | 12.6.1, 18.2.3 | Management of Technical Vulnerabilities
Technological Controls | 8.9 | NEW | Configuration Management
Technological Controls | 8.10 | NEW | Information Deletion
Technological Controls | 8.11 | NEW | Data Masking
Technological Controls | 8.12 | NEW | Data Leakage Prevention
Technological Controls | 8.13 | 12.3.1 | Information Backup
Technological Controls | 8.14 | 17.2.1 | Redundancy of Information Processing Facilities
Technological Controls | 8.15 | 12.4.1, 12.4.2, 12.4.3 | Logging
Technological Controls | 8.16 | NEW | Monitoring Activities
Technological Controls | 8.17 | 12.4.4 | Clock Synchronization
Technological Controls | 8.18 | 9.4.4 | Use of Privileged Utility Programs
Technological Controls | 8.19 | 12.5.1, 12.6.2 | Installation of Software on Operational Systems
Technological Controls | 8.20 | 13.1.1 | Networks Security
Technological Controls | 8.21 | 13.1.2 | Security of Network Services
Technological Controls | 8.22 | 13.1.3 | Segregation of Networks
Technological Controls | 8.23 | NEW | Web Filtering
Technological Controls | 8.24 | 10.1.1, 10.1.2 | Use of Cryptography
Technological Controls | 8.25 | 14.2.1 | Secure Development Life Cycle
Technological Controls | 8.26 | 14.1.2, 14.1.3 | Application Security Requirements
Technological Controls | 8.27 | 14.2.5 | Secure System Architecture and Engineering Principles
Technological Controls | 8.28 | NEW | Secure Coding
Technological Controls | 8.29 | 14.2.8, 14.2.9 | Security Testing in Development and Acceptance
Technological Controls | 8.30 | 14.2.7 | Outsourced Development
Technological Controls | 8.31 | 12.1.4, 14.2.6 | Separation of Development, Test and Production Environments
Technological Controls | 8.32 | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change Management
Technological Controls | 8.33 | 14.3.1 | Test Information
Technological Controls | 8.34 | 12.7.1 | Protection of Information Systems During Audit Testing

How ISMS.online Helps

ISMS.online provides support for the entirety of ISO 27001 implementation, from risk assessment to the creation of the policies, procedures and guidelines needed to adhere to the standard.

ISMS.online offers a convenient way to record findings and share them with colleagues online. It also lets you create and store checklists for each ISO 27001 task, so you can monitor your organisation's security programme with ease.

We also provide organisations with an automated tool-set which facilitates compliance with the ISO 27001 standard. Its user-friendly design makes it simple to prove conformance.

Get in touch with us now to arrange a demonstration.
