Control 8.31, Separation of development, testing and operational environments, aims to protect the production environment and production data from unauthorized or inappropriate change, exposure, or disruption. Development and testing activities often involve code changes, debugging, experimental configurations, test accounts, incomplete controls, and simulated transactions. If these activities occur directly in production, they can compromise confidentiality, integrity, and availability. Separation reduces the risk that untested software, test data, developer privileges, or debugging tools affect live systems and real business information. Control 5.13, Labelling of information, supports correct handling by communicating classification and protection needs, but it does not specifically protect production environments. Control 6.6, Confidentiality or non-disclosure agreements, supports legal and people-related confidentiality commitments, but it does not directly separate technical environments. The exam logic focuses on the control whose stated purpose is to protect production systems and data from risks introduced by development and testing. Therefore, option B is correct. References/Chapters: ISO/IEC 27002:2022, Control 8.31 Separation of development, testing and operational environments; Control 8.32 Change management; Control 8.29 Security testing in development and acceptance.
==========
