A.8.31 / A.8.32 / CM-4 / CC8.1 ISO/IEC 27001:2022 Annex A ISO 27001

A.8.31 / A.8.32 — Is change management formal with separation of dev/test/production?

Description

What this control does

This control requires organizations to implement a formal change management process that enforces logical and physical separation between development, test, and production environments. Changes must follow documented procedures including authorization, testing in non-production environments, and controlled promotion through defined stages before deployment to production. The separation prevents untested or unauthorized code from directly affecting operational systems and ensures changes undergo proper review, reducing the likelihood of service disruption or security vulnerabilities introduced through poorly managed deployments.

Control objective

What auditing this proves

Demonstrate that the organization maintains formally documented change management procedures with enforced segregation of development, testing, and production environments, and that changes follow this process consistently.

Associated risks

Risks this control addresses

  • Unauthorized changes deployed directly to production systems bypass security reviews and introduce exploitable vulnerabilities
  • Developers with direct production access accidentally deploy untested code causing service outages or data corruption
  • Malicious insiders exploit lack of separation to inject backdoors or malware into production systems without detection
  • Inadequate testing due to shared environments results in production failures that impact business operations and customer trust
  • Lack of change tracking and audit trails prevents forensic analysis following security incidents or compliance violations
  • Production data accessed in development/test environments exposes sensitive information to unauthorized personnel or insecure systems
  • Simultaneous changes deployed without coordination create conflicting configurations that destabilize production infrastructure

Testing procedure

How an auditor verifies this control

  1. Obtain and review the formal change management policy and procedures documentation, verifying it explicitly addresses environment separation and promotion workflows
  2. Request network diagrams and access control matrices showing logical or physical separation between development, test, and production environments
  3. Interview system administrators and developers to understand the practical workflow for promoting changes and identify any bypass mechanisms or emergency procedures
  4. From the change management system, select a representative sample of 15-20 changes from the past 90 days, covering different system types and criticality levels
  5. For each sampled change, trace the complete lifecycle from request through approval, testing evidence, and production deployment, verifying adherence to documented procedures
  6. Review access logs and privilege assignments to confirm developers lack direct write access to production systems and deployments occur through authorized release processes
  7. Examine configuration management or deployment automation tools to verify technical controls enforce the separation and prevent unauthorized cross-environment access
  8. Test a recent emergency change to verify expedited procedures still maintain separation principles and include post-implementation review documentation

Evidence required

Auditors collect the change management policy document, change tickets with approval workflows and testing records, network topology diagrams showing environment segmentation, access control lists or IAM role assignments demonstrating developer restrictions from production, deployment pipeline configurations from CI/CD tools, and access logs showing change promotion activities. Screenshots from change management systems showing approval gates and environment-specific deployment records supplement the documentation.

Pass criteria

All sampled changes demonstrate documented approval, testing in non-production environments, and controlled promotion to production, with technical controls and access restrictions enforcing environment separation and preventing direct developer access to production systems.
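
One way to script the lifecycle trace from steps 5 and 6 against the pass criteria, as an added example that is not part of the original control text: it joins production deployment log entries to change tickets and reports which criterion each deployment fails. The record fields, ticket ids and account names are constructed assumptions, not the export format of any particular change management or CI/CD tool.

```python
from datetime import datetime

# Constructed sample exports; field names are assumptions for this example.
TICKETS = {
    "CHG-101": {"approved_at": "2024-05-02T10:00", "test_passed_at": "2024-05-01T16:00"},
    "CHG-102": {"approved_at": None, "test_passed_at": "2024-05-02T11:00"},
    "CHG-103": {"approved_at": "2024-05-06T13:00", "test_passed_at": None},
}
PROD_DEPLOYS = [
    {"change": "CHG-101", "actor": "svc.release", "at": "2024-05-02T12:00"},
    {"change": "CHG-102", "actor": "svc.release", "at": "2024-05-03T10:00"},
    {"change": "CHG-103", "actor": "svc.release", "at": "2024-05-06T14:00"},
    {"change": None, "actor": "dev.amy", "at": "2024-05-07T23:10"},
]
# Identities the documented release process is allowed to deploy with (assumed).
RELEASE_IDENTITIES = {"svc.release"}


def happened_before(stamp, deployed_at):
    """True only if the lifecycle event is recorded and precedes the deployment."""
    return stamp is not None and datetime.fromisoformat(stamp) <= deployed_at


def audit_deploy(deploy, tickets, release_ids):
    """Return the list of pass-criteria failures for one production deployment."""
    findings = []
    if deploy["actor"] not in release_ids:
        findings.append("deployed outside authorized release process")
    ticket = tickets.get(deploy["change"])
    if ticket is None:
        findings.append("no change ticket")
        return findings
    deployed_at = datetime.fromisoformat(deploy["at"])
    if not happened_before(ticket["approved_at"], deployed_at):
        findings.append("no approval before deployment")
    if not happened_before(ticket["test_passed_at"], deployed_at):
        findings.append("no test evidence before deployment")
    return findings


def audit(deploys, tickets, release_ids):
    """Map each (change id, deploy time) to its findings; empty list means pass."""
    return {(d["change"], d["at"]): audit_deploy(d, tickets, release_ids) for d in deploys}


if __name__ == "__main__":
    for key, findings in audit(PROD_DEPLOYS, TICKETS, RELEASE_IDENTITIES).items():
        print(key, "PASS" if not findings else findings)
```

Starting from the deployment log rather than the ticket list is what surfaces production changes that never entered the change management system.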