PR.DS-7: Dev/test separation
The development and testing environment(s) are separate from the production environment
Requirement
No requirements are identified for the assurance level 'Basic', but guidelines are provided to increase information security.
Our Implementation
Development and production environments are strictly separated with distinct databases, credentials, API keys, and infrastructure projects across all cloud providers. The Git branching workflow controls deployments — only code merged to the main branch is deployed to production via Vercel's automated CI/CD pipeline.
Test and development environments use synthetic or dummy data only. Production data is never copied to development environments. Each environment has its own Supabase project with separate PostgreSQL databases, ensuring complete data isolation.
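One way to check this separation automatically, shown as an added example that is not part of our own tooling: the script compares a development and a production environment file and reports any secret value or service host that appears in both. The variable names and all values are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample env files; variable names and values are assumptions.
DEV_ENV = """\
SUPABASE_URL=https://devprojref000.supabase.co
SUPABASE_SERVICE_ROLE_KEY=dev-constructed-key-1
PAYMENTS_API_KEY=shared-constructed-key
LOG_LEVEL=debug
"""
PROD_ENV = """\
SUPABASE_URL=https://prodprojref00.supabase.co
SUPABASE_SERVICE_ROLE_KEY=prod-constructed-key-1
PAYMENTS_API_KEY="shared-constructed-key"
LOG_LEVEL=debug
"""

# Names that should never carry the same value in two environments.
SECRET_NAME = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|DATABASE_URL)", re.I)


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks/comments and stripping quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("\"'")
    return env


def separation_findings(dev_text, prod_text):
    """Return (variable, reason) pairs that break environment separation."""
    dev, prod = parse_env(dev_text), parse_env(prod_text)
    findings = []
    for name in sorted(dev.keys() & prod.keys()):
        if not dev[name]:
            continue  # empty placeholders are not shared secrets
        host = urlparse(dev[name]).hostname
        if SECRET_NAME.search(name) and dev[name] == prod[name]:
            findings.append((name, "same secret in both environments"))
        elif name.endswith("_URL") and host and host == urlparse(prod[name]).hostname:
            findings.append((name, "same host in both environments"))
    return findings


if __name__ == "__main__":
    for name, reason in separation_findings(DEV_ENV, PROD_ENV):
        print(f"FAIL {name}: {reason}")
```

Run as a CI step, a non-empty result would block the merge to the main branch before a shared credential reaches production.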
Gaps / Planned improvements:
- No formal documented policy for environment separation — implemented in practice but not written down (NEX-376)