Control attributes: Technological, Preventive, Identify

A.8.31 Separation of Development, Test and Production Environments

M365 Admin Path: Azure Portal > Subscriptions

Evidence Source: Azure

What is this control?

ISO 27001 control A.8.31 Separation of Development, Test and Production Environments requires that development, test and operational (production) environments be kept separate, to reduce the risk of unauthorised access to, or unauthorised changes in, the operational environment. In Microsoft 365 and Azure the control is met by using separate Azure subscriptions or tenants for each environment, each with its own access controls, by keeping production data out of non-production environments, and by maintaining parity between environments so that test results remain valid.

How to implement in Microsoft 365

Implement A.8.31 by maintaining separate Azure subscriptions for Development, Test and Production, each with its own RBAC assignments. Use a separate Microsoft 365 test tenant for non-production M365 development and testing. Implement Azure Policies that prevent cross-environment resource deployment.

Prohibit production data in development and test environments and require synthetic or anonymised data instead. Grant developers access to development and test only; production access is granted through PIM with approval. Deploy through CI/CD pipelines with environment-specific approvals in Azure DevOps.

Document the environment architecture, showing the separation boundaries.
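As an added worked example (not part of this control description or of any Microsoft tooling), the following Python script reviews role-assignment evidence exported from each subscription and flags principals whose access crosses the production boundary, which is the RBAC and PIM expectation stated above. The record fields mirror the output of `az role assignment list`; the subscription ids, group names and user names are constructed sample values.

```python
"""Review Azure RBAC evidence for ISO 27001 A.8.31 environment separation.

Records mirror entries from `az role assignment list --subscription <id> -o json`
(principalName, principalType, roleDefinitionName, scope). All sample data is
constructed for illustration, not taken from a real tenant."""
from collections import defaultdict

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def _a(name, ptype, role, sub):
    """Build one record in the shape the CLI returns (constructed sample)."""
    return {"principalName": name, "principalType": ptype,
            "roleDefinitionName": role, "scope": f"/subscriptions/{sub}"}


# Constructed sample: environment -> active role assignments on its subscription.
ASSIGNMENTS = {
    "Development": [_a("sg-developers", "Group", "Contributor", "dev-0001")],
    "Test": [_a("sg-developers", "Group", "Contributor", "test-0001"),
             _a("sp-cicd-test", "ServicePrincipal", "Contributor", "test-0001")],
    "Production": [_a("sg-platform-ops", "Group", "Owner", "prod-0001"),
                   _a("sg-developers", "Group", "Reader", "prod-0001"),
                   _a("alice@contoso.example", "User", "Contributor", "prod-0001")],
}


def find_review_items(assignments, production="Production"):
    """Return sorted (finding, principal) pairs an auditor should examine.

    shared-across-boundary: a principal has active roles in Production and in
    a non-production subscription (developers should hold Dev/Test roles only).
    standing-privileged-user: a user holds an active privileged role in
    Production. PIM access should be eligible-only, but the active list cannot
    tell an in-progress PIM activation from a permanent grant, hence "review".
    """
    env_of = defaultdict(set)  # principal -> environments where it has a role
    for env, rows in assignments.items():
        for a in rows:
            env_of[a["principalName"]].add(env)

    items = set()
    for name, envs in env_of.items():
        if production in envs and len(envs) > 1:
            items.add(("shared-across-boundary", name))
    for a in assignments.get(production, []):
        if a["principalType"] == "User" and a["roleDefinitionName"] in PRIVILEGED_ROLES:
            items.add(("standing-privileged-user", a["principalName"]))
    return sorted(items)
```

To run it against real evidence, replace ASSIGNMENTS with the parsed JSON output of `az role assignment list --subscription <id> -o json` for each of the three subscriptions.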

What an auditor looks for

Auditors will verify that separate Azure subscriptions exist for Development, Test and Production. They will check that RBAC assignments differ between environments, with production the most restricted. Auditors will verify that a Test Tenant is used for M365 non-production activities.

They will check that Azure Policies prevent cross-environment deployment. Auditors will verify that no production data exists in development or test environments. They will check that developer access is limited to non-production, with production access granted only via PIM.

They will review the environment architecture documentation showing the separation boundaries.