IT services run in their own virtual environments, vulnerabilities in one service cannot give access to other services. This includes no multiple websites on the same webserver unless they share the same Security Capability Level and purpose, the same applies to databases between different services.
Specification
Every newly deployed server has a maximum of one role.
ISO 27001 & 27002:2022
A5.8,
A5.36,
A5.37
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
SM.01 Security Baselines