The A.12.1.4 standard from ISO/IEC 27001 focuses on the separation of development, testing, and operational environments.
This standard emphasizes the importance of keeping these environments separate to ensure that the organization’s operations run smoothly and securely.
In this article, we will provide a sample checklist that will help you review your organization’s policies, procedures, practices, associated records, and architectures related to the separation of these environments.
- Review the policies, procedures, practices, and associated records related to the separation of development, testing, and operational ICT environments. Are they up to date, comprehensive, and well-documented?
- How is separation achieved to an adequate assurance level according to the risks? Review the controls that isolate each environment, such as production/business networks segregated from other networks used for development, testing, and management, including security, logging, monitoring, and alerting.
- Check access controls for these environments. Confirm that only authorized workers have access through appropriately differentiated user profiles to each of these environments.
- How is software promoted and released? Review evidence of approval of requests before granting access and periodic access reviews. Check that change management applies to the authorization and migration of software, data, metadata, and configurations between environments in either direction (e.g., production data copied into development or test environments).
- Consider the information risk and security aspects, including compliance. For instance, privacy implications if personal data are moved to less secure environments or outside the EU. Ensure that the organization complies with the necessary regulations and laws.
- Who is responsible for ensuring that new/changed software does not disrupt the infrastructure, other systems, networks, and operations? Identify the individuals responsible for ensuring that any new or modified software is thoroughly tested and verified before release into production.
The A.12.1.4 standard is essential to ensuring that an organization’s development, testing, and operational environments are adequately separated to prevent any disruptions or security breaches.
The checklist provided in this article will help you assess your organization’s current policies, procedures, practices, associated records, and architectures related to the separation of these environments.
By implementing these best practices, you can ensure that your organization is well-prepared to handle any software development or operational challenges that may arise.