This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.18 Use of privileged utility programs.
ISO 27001: 2022 Control Description
The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.
Purpose
To ensure utility programs do not compromise system and application controls, maintaining information security.
Guidance on implementation
When using utility programs that have the capability to override system and application controls, follow these guidelines:
- Limit Access:
- Restrict the use of utility programs to a minimal number of trusted, authorised users.
- Identification and Authorisation:
- Implement identification, authentication, and authorisation procedures for accessing utility programs. Ensure each user is uniquely identified when using these tools.
- Document Authorisation Levels:
- Clearly define and document the levels of authorisation required for using utility programs.
- Control Ad Hoc Use:
- Require specific authorisation for any ad hoc use of utility programs.
- Segregate Duties:
- Ensure that utility programs are not accessible to users who work in environments where segregation of duties is necessary.
- Remove Unnecessary Programs:
- Disable or remove any utility programs that are not needed.
- Segregate Utility Programs:
- Keep utility programs logically separate from application software. Where possible, segregate network communications of these programs from regular application traffic.
- Limit Availability:
- Restrict the availability of utility programs to the duration of an authorised change or task.
- Log Usage:
- Ensure all use of utility programs is logged for accountability.
Other Information
Most information systems include utility programs that can override system and application controls. Examples include diagnostics, patching tools, antivirus software, disk defragmenters, debuggers, backup tools, and network utilities. Proper control and restriction of these programs are crucial for maintaining security.