Customer environment

working in a development company , our company have compliance products , out tech support some time need to download the customer data to our internal network to do some troubleshooting upgrades....ect
the tech support creates customer environment ( OS and related applications) and join it to the domain so that all GP applies to these environment ..
the tech support is asking is it possible to have these environments on a work group rather than joining them to the domain ? 
this request is based on a project we are working on to reduce the IT support part . so that the developers can create the VMs by them selves without the need for IT to join them to the domain ?
is this ok ? i mean from a security point of view ?
 

Answer:

From my point of view, there is no problem to separate the customer environment in a workgroup. But on this way, you will need to establish a local policy on each machine to implement access control and give access only to authorized people (it is obviously more easy with domains and GPOs). And if you have a hypervisor for the VMs, I would also be careful with the access to it. 
By the way, if you have a documented Access control policy (it is mandatory by the ISO 27001:2013 Annex A.9.1.1) you will need to include all of these issues related to the control access to the independent environment.
Finally, this article can be interesting for you "How to handle access control according to ISO 27001" : https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/