PR.DS-7: The development and testing environment(s) are separate from the production environment

Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards that focus on system availability, confidentiality, and integrity of systems and services.

Policies and procedures shall be established for managing the risks associated with applying changes to: Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations. Infrastructure network and systems components. Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or…

Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements.