Control attributes: Technological, Preventive, Identify, High Priority

A.8.31 Separation of Development Test and Production Environments

M365 Admin Path: Azure Portal > Subscriptions

Evidence Source: Azure

What is A.8.31 Separation of Development Test and Production Environments?

ISO 27001 control A.8.31 Separation of Development, Test and Production Environments requires that development, test, and operational (production) environments be kept separate, to reduce the risk of unauthorised access to, or unauthorised changes in, the production environment. In Microsoft 365 and Azure this means a separate Azure subscription or tenant for each environment, each with its own access controls; no production data in non-production environments; and enough parity between environments that testing remains valid.

How to implement A.8.31 in Microsoft 365

Implement A.8.31 by maintaining separate Azure subscriptions for Development, Test, and Production, each with its own RBAC assignments. Use a separate Microsoft 365 test tenant for non-production M365 development and testing.

Implement Azure Policies that prevent cross-environment resource deployment. Prohibit production data in development and test environments; require synthetic or anonymised data instead. Grant developers access to development and test only, and grant production access only through Privileged Identity Management (PIM) with approval.

Deploy through CI/CD pipelines in Azure DevOps with environment-specific approvals. Document the environment architecture, showing the separation boundaries.
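The "Azure Policies preventing cross-environment resource deployment" step above, as an added example that is not part of the original page: one policy definition with an allowedEnvironment parameter, assigned to each subscription with the value that subscription is dedicated to, so a resource tagged for another environment (or untagged) is denied. The subscription IDs are placeholders, and the Az.Accounts and Az.Resources modules are assumed to be installed.

```powershell
# Added example, not from the page: one Azure Policy definition that denies any
# taggable resource whose 'environment' tag is missing or differs from the
# environment the subscription is dedicated to, assigned per subscription with
# the matching parameter value. Subscription IDs are placeholders (assumed).
# Requires the Az.Accounts and Az.Resources modules.
Connect-AzAccount | Out-Null

# Policy rule: deny when the tag is absent or does not match the parameter.
$policyRule = @'
{
  "if": {
    "anyOf": [
      { "field": "tags['environment']", "exists": "false" },
      { "field": "tags['environment']", "notEquals": "[parameters('allowedEnvironment')]" }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# The single parameter lets one definition serve all three environments.
$policyParams = @'
{
  "allowedEnvironment": {
    "type": "String",
    "allowedValues": [ "dev", "test", "prod" ],
    "metadata": { "displayName": "Environment this subscription is dedicated to" }
  }
}
'@

# Placeholder subscription IDs mapped to the one environment each hosts.
$environments = @{
  '<dev-subscription-id>'  = 'dev'
  '<test-subscription-id>' = 'test'
  '<prod-subscription-id>' = 'prod'
}

foreach ($subId in $environments.Keys) {
  $envName = $environments[$subId]
  Set-AzContext -Subscription $subId | Out-Null

  # Definition is created at subscription scope so each iteration is self-contained.
  $definition = New-AzPolicyDefinition -Name 'deny-cross-environment-deployment' `
    -DisplayName 'Deny resources tagged for a different environment' `
    -Mode Indexed -Policy $policyRule -Parameter $policyParams

  New-AzPolicyAssignment -Name "only-$envName-resources" `
    -DisplayName "Only $envName resources may be deployed in this subscription" `
    -Scope "/subscriptions/$subId" -PolicyDefinition $definition `
    -PolicyParameterObject @{ allowedEnvironment = $envName }
}
```

A deny effect blocks only new and updated deployments; resources that already violate the rule are listed as non-compliant in the Policy compliance view, which is also the evidence to show an auditor.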

What an auditor checks for A.8.31

  • Auditors will verify that separate Azure subscriptions exist for Development, Test, and Production.
  • They will check that RBAC assignments differ between environments, with production access restricted.
  • Auditors will verify that a separate test tenant is used for M365 non-production activities.
  • They will check that Azure Policies prevent cross-environment deployment.
  • Auditors will verify that no production data exists in development or test environments.
  • They will check that developer access is limited to non-production, with production access granted only through PIM.
  • They will review the environment architecture documentation showing the separation boundaries.

See how your organisation scores against A.8.31 and all 93 ISO 27001 controls.
