
Separation of production, testing and development environments


Software under development, software under test and production software are run in separate technical environments. This serves two goals: development and testing take place in an environment that mirrors production, which protects the quality of the work, and production is not disturbed by unfinished development.

Sensitive or personal data of users is not copied into, or used in, a development environment; development and test data is synthetic or pseudonymized instead.
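The practical question behind the second rule is how developers get realistic data without a copy of production. The routine below is an added example, not code from the page or from any product it describes: it produces a dev-safe export by replacing direct identifiers with keyed pseudonyms (HMAC-SHA256 truncated) so that duplicate records and joins still behave, while nothing reversible leaves the production zone. The table rows, field names and the secret are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample rows standing in for a production customer table.
PRODUCTION_ROWS = [
    {"customer_id": 1001, "name": "Anna Virtanen", "email": "anna.virtanen@example.org",
     "phone": "+358401234567", "plan": "premium", "signup_year": 2021},
    {"customer_id": 1002, "name": "Bo Larsson", "email": "bo@example.com",
     "phone": "+46701234567", "plan": "basic", "signup_year": 2023},
    # Same person as row 1 (duplicate account): the export must map her to the same token.
    {"customer_id": 1003, "name": "Anna Virtanen", "email": "anna.virtanen@example.org",
     "phone": "+358401234567", "plan": "basic", "signup_year": 2021},
]

DIRECT_IDENTIFIERS = ("name", "email", "phone")   # must never leave production in clear text
KEEP_AS_IS = ("plan", "signup_year")               # non-identifying attributes dev work needs


def pseudonym(secret: bytes, field: str, value: str, length: int = 12) -> str:
    """Keyed, deterministic token (HMAC-SHA256, truncated).

    Equal inputs give equal tokens within one export, so joins and duplicate
    detection still work in dev, but the token cannot be reversed to the
    original value without the secret, which stays on the export host.
    """
    digest = hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def scrub_row(row: dict, secret: bytes) -> dict:
    # customer_id is assumed to be an internal surrogate key; pseudonymize it
    # as well if the same id is visible in external systems.
    out = {"customer_id": row["customer_id"]}
    for f in DIRECT_IDENTIFIERS:
        tok = pseudonym(secret, f, row[f])
        if f == "email":
            out[f] = f"user-{tok}@dev.invalid"  # .invalid (RFC 2606) can never deliver mail
        elif f == "phone":
            out[f] = "+000" + str(int(tok, 16) % 10**9).zfill(9)  # phone-shaped, not real
        else:
            out[f] = f"person-{tok}"
    for f in KEEP_AS_IS:
        out[f] = row[f]
    return out


def export_for_dev(rows: list, secret: bytes) -> list:
    return [scrub_row(r, secret) for r in rows]


def leaks_original_identifiers(scrubbed: list, originals: list) -> bool:
    """Gate before the file leaves the production zone: no original identifier may survive."""
    forbidden = {str(r[f]) for r in originals for f in DIRECT_IDENTIFIERS}
    return any(str(v) in forbidden for r in scrubbed for v in r.values())


if __name__ == "__main__":
    dev_rows = export_for_dev(PRODUCTION_ROWS, b"export-secret-kept-out-of-dev")
    assert not leaks_original_identifiers(dev_rows, PRODUCTION_ROWS)
    for r in dev_rows:
        print(r)
```

Two design points matter in practice: the secret must be generated per export and never be stored with the exported data, otherwise anyone holding the dev copy can re-identify records by brute-forcing likely names and e-mail addresses; and quasi-identifiers that survive (here `plan` and `signup_year`) must be reviewed for each table, because a rare combination of them can still single out a person.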

Related frameworks and requirements:
14.2.6: Secure development environment
ISO 27001
12.1.4: Separation of development, testing and operational environments
ISO 27001
12.5: Control of operational software
ISO 27001
12.5.1: Installation of software on operational systems
ISO 27001
PR.DS-7: The development and testing environment(s) are separate from the production environment
NIST CSF

Listing authorized users for publishing code changes


Only pre-defined, authorized users are allowed to publish changes to the code, and the list of those users is maintained and reviewed.

Related frameworks and requirements:
14.2.7: Outsourced development
ISO 27001
14.2.2: System change control procedures
ISO 27001
12.5: Control of operational software
ISO 27001
12.5.1: Installation of software on operational systems
ISO 27001
8.30: Outsourced development
ISO 27001

Authorized users and rules for installing software and libraries


Unmanaged installations of software on computers can lead to vulnerabilities and security breaches.

The organization should define which types of software and updates each user may install. The instructions may include, for example, the following rules:

  • only specially designated persons may install new software on devices
  • software that has been pre-approved as safe may be installed by anyone
  • certain software is prohibited for everyone
  • updates and security patches to already installed software may be installed by anyone
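The four rules above overlap, so the order in which they are applied has to be settled before they are enforced by a software-deployment or endpoint tool. The function below is an added illustration, not code from the page or from any product it describes; it assumes a hypothetical policy object with the four rule types and evaluates them most restrictive first. The edge cases it settles are the ones that usually go wrong: an "update" to software that is not actually installed is a new installation in disguise, and a prohibited program stays prohibited even if it is already present and has a patch available.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InstallPolicy:
    designated_installers: frozenset  # users who may install software not covered by another rule
    pre_approved: frozenset           # software anyone may install
    prohibited: frozenset             # software nobody may install or keep
    updates_by_anyone: bool = True    # updates/security patches to installed software


@dataclass(frozen=True)
class InstallRequest:
    user: str
    package: str
    is_update: bool        # caller claims a newer version of an existing package
    installed: frozenset   # packages actually present on the device (from inventory, not the caller)


def decide(policy: InstallPolicy, req: InstallRequest) -> tuple:
    """Return (allowed, reason). Rules are checked from most to least restrictive."""
    if req.package in policy.prohibited:
        return False, "prohibited software"          # beats every other rule, including updates
    if req.is_update:
        if req.package not in req.installed:
            return False, "update claimed for software that is not installed"  # really a new install
        if policy.updates_by_anyone or req.user in policy.designated_installers:
            return True, "update or security patch to installed software"
        return False, "updates restricted to designated installers"
    if req.package in policy.pre_approved:
        return True, "pre-approved software"
    if req.user in policy.designated_installers:
        return True, "designated installer"
    return False, "new software requires a designated installer"


# Constructed sample policy for a quick run.
SAMPLE_POLICY = InstallPolicy(
    designated_installers=frozenset({"it-admin"}),
    pre_approved=frozenset({"7zip"}),
    prohibited=frozenset({"torrent-client"}),
)

if __name__ == "__main__":
    for req in (
        InstallRequest("alice", "7zip", False, frozenset()),
        InstallRequest("alice", "vscode", False, frozenset()),
        InstallRequest("alice", "vscode", True, frozenset()),
        InstallRequest("it-admin", "torrent-client", True, frozenset({"torrent-client"})),
    ):
        print(req.user, req.package, decide(SAMPLE_POLICY, req))
```

Note that `installed` comes from the device inventory, not from the requester; trusting the caller's own claim that something is "already installed" is the usual way such a rule is bypassed.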

Related frameworks and requirements:
12.6.2: Restrictions on software installation
ISO 27001
DE.CM-5: Unauthorized mobile code detection
NIST CSF
8.19: Installation of software on operational systems
ISO 27001

Maintaining a release log


An event log should be kept of all updates to production software, customer-facing software and in-house IT services, recording at least what was released, when, by whom and under which approved change.
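A release log is only useful as evidence if it cannot be quietly edited after the fact. The code below is an added example, not code from the page or from any product it describes: it keeps release events as a hash chain, where each entry commits to the SHA-256 of the previous entry, so that any later modification or removal of an entry is detected by a verifier. The system names, versions, artifact digests and change references are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


def _entry_hash(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so every reader computes the same hash.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_release(log: list, *, system: str, version: str, artifact_sha256: str,
                   released_by: str, change_ref: str, environment: str = "production",
                   timestamp=None) -> dict:
    """Append one release event; each entry commits to the hash of the previous one."""
    prev = log[-1]["entry_hash"] if log else GENESIS_HASH
    body = {
        "seq": len(log),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "system": system,
        "version": version,
        "environment": environment,
        "artifact_sha256": artifact_sha256,  # ties the entry to the exact build that shipped
        "released_by": released_by,          # the authorized person or pipeline identity
        "change_ref": change_ref,            # ticket / change request / merge request id
        "prev_hash": prev,
    }
    entry = dict(body, entry_hash=_entry_hash(body))
    log.append(entry)
    return entry


def verify_log(log: list) -> tuple:
    """Return (True, None) if the chain is intact, else (False, index of the first bad entry)."""
    prev = GENESIS_HASH
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (entry.get("seq") != i or body.get("prev_hash") != prev
                or _entry_hash(body) != entry.get("entry_hash")):
            return False, i
        prev = entry["entry_hash"]
    return True, None


def build_sample_log() -> list:
    """Constructed sample: two releases of a hypothetical billing service."""
    log = []
    append_release(log, system="billing-api", version="2.4.0",
                   artifact_sha256="a" * 64, released_by="release-pipeline",
                   change_ref="CHG-1042", timestamp="2024-03-01T09:15:00+00:00")
    append_release(log, system="billing-api", version="2.4.1",
                   artifact_sha256="b" * 64, released_by="m.korhonen",
                   change_ref="CHG-1057", timestamp="2024-03-04T16:40:00+00:00")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    for e in sample:
        print(json.dumps(e))          # one JSON object per line is a convenient on-disk form
    print("chain intact:", verify_log(sample))
```

The chain catches edits and deletions inside the log, but not truncation of its tail: removing the newest entries leaves a perfectly valid shorter chain. Record the latest `entry_hash` somewhere the release process cannot rewrite (the change ticket, a signed tag, a separate system) and compare it against the log during review.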

Related frameworks and requirements:
12.5: Control of operational software
ISO 27001
12.5.1: Installation of software on operational systems
ISO 27001
8.19: Installation of software on operational systems
ISO 27001