ISO 27001:2022 A.8.19 Installation of software on operational systems

This article provides additional information on how you can meet the requirement for the ISO 27001:2022 control A.8.19 Installation of software on operational systems.

ISO 27001:2022 Control Description

Procedures and measures shall be implemented to securely manage software installation on operational systems.

Purpose

To maintain the integrity of operational systems and prevent the exploitation of technical vulnerabilities.

Guidance on implementation

Follow these guidelines to securely manage the installation and updating of software on operational systems:

  1. Authorised Updates:
    • Ensure that only trained administrators perform software updates, and only with appropriate management approval.
  2. Approved Software Only:
    • Install only approved executable code on operational systems. Avoid using development code or compilers.
  3. Thorough Testing:
    • Only install and update software after it has been extensively and successfully tested.
  4. Update Source Libraries:
    • Ensure that all related program source libraries are updated alongside the operational software.
  5. Use Configuration Control:
    • Implement a configuration control system to manage all operational software and related system documentation.
  6. Define a Rollback Strategy:
    • Establish a clear rollback strategy before implementing any changes.
  7. Maintain Audit Logs:
    • Keep an audit log of all software updates to track changes.
  8. Archive Old Versions:
    • Archive old software versions along with all necessary information, configuration details, and procedures. This serves as a contingency measure and ensures compatibility with archived data.
  9. Evaluate Upgrades:
    • Consider business needs and the security of new software releases before upgrading. Apply patches that address information security vulnerabilities.
  10. Monitor External Dependencies:
    • Monitor and control externally supplied software and packages to prevent unauthorised changes that could introduce security vulnerabilities.
  11. Vendor-Supported Software:
    • Maintain vendor-supplied software at a level supported by the supplier. Evaluate the risks of relying on unsupported software, including open-source software, which may no longer be maintained.
  12. Supplier Access:
    • When suppliers are involved in installing or updating software, ensure they have only necessary access, with appropriate authorisation. Monitor their activities.
  13. User Installation Rules:
    • Define and enforce strict rules on the types of software users are allowed to install.
  14. Least Privilege Principle:
    • Apply the principle of least privilege to software installations. Identify which types of installations are permitted, such as updates and security patches, and which are prohibited, such as personal software or potentially malicious software. Grant installation privileges based on user roles.
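Several of the guidelines above (approved software only, audit logs of updates, configuration control, user installation rules) come together in one routine check: reconciling what the package manager actually installed against the approved-software list and the change records. The script below is an added example written for this article, not code from the ISO standard or from any tool it names. It assumes the Debian/Ubuntu `dpkg` log format (`/var/log/dpkg.log`); the log lines, the approved list and the `CHG-…` change identifiers are constructed sample data.

```python
"""Reconcile a package-manager log against an approved-software list.

Added example (not part of the ISO article): the dpkg log lines, the approved
software list and the change records below are constructed test data.
"""
import re
from dataclasses import dataclass

# dpkg writes one line per action, e.g.
#   2024-05-01 10:15:02 install curl:amd64 <none> 7.88.1-10
#   2024-05-01 10:16:00 upgrade openssl:amd64 3.0.11-1 3.0.13-1
# The regex captures timestamp, action, package name (architecture suffix
# dropped), the previously installed version and the new version.
DPKG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>install|upgrade|remove) "
    r"(?P<pkg>[^:\s]+)(?::\S+)? (?P<old>\S+) (?P<new>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    action: str
    pkg: str
    old: str
    new: str


def parse_dpkg_log(lines):
    """Return the install/upgrade/remove events found in dpkg log lines.
    'startup' and 'status' lines record no change and are skipped."""
    events = []
    for line in lines:
        m = DPKG_LINE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def review_events(events, approved, change_records):
    """Check each install/upgrade against the approved-software list and the
    change records; return one (event, code, detail) finding per violation.

    approved:       {package: {allowed versions}}; "*" allows any version.
    change_records: {(package, version): change id} for authorised changes.
    """
    findings = []
    for ev in events:
        if ev.action == "remove":
            continue  # removals are kept in the log but not version-checked here
        allowed = approved.get(ev.pkg)
        if allowed is None:
            findings.append((ev, "UNAPPROVED_PACKAGE",
                             f"{ev.pkg} is not on the approved-software list"))
            continue
        if "*" not in allowed and ev.new not in allowed:
            findings.append((ev, "UNAPPROVED_VERSION",
                             f"{ev.pkg} {ev.new} is not an approved version"))
        if (ev.pkg, ev.new) not in change_records:
            findings.append((ev, "NO_CHANGE_RECORD",
                             f"no approved change for {ev.pkg} {ev.new}"))
    return findings


# Constructed sample data: one day of dpkg activity on an operational host.
SAMPLE_LOG = """\
2024-05-01 10:15:01 startup packages configure
2024-05-01 10:15:02 install curl:amd64 <none> 7.88.1-10
2024-05-01 10:15:03 status installed curl:amd64 7.88.1-10
2024-05-01 10:16:00 upgrade openssl:amd64 3.0.11-1 3.0.13-1
2024-05-01 11:02:10 install gcc:amd64 <none> 4:12.2.0-3
2024-05-01 11:30:45 upgrade openssh-server:amd64 1:9.2p1-2 1:9.2p1-2+deb12u3
2024-05-01 12:00:00 remove telnet:amd64 0.17-47 <none>
""".splitlines()

# Constructed approved list: compilers (gcc) are deliberately absent.
APPROVED = {
    "curl": {"7.88.1-10"},
    "openssl": {"3.0.13-1"},
    "openssh-server": {"*"},
}

# Constructed change register; the openssh-server upgrade has no record.
CHANGE_RECORDS = {
    ("curl", "7.88.1-10"): "CHG-0101",
    ("openssl", "3.0.13-1"): "CHG-0102",
}


def run_example():
    """Return the finding codes for the sample data, in log order."""
    findings = review_events(parse_dpkg_log(SAMPLE_LOG), APPROVED, CHANGE_RECORDS)
    for ev, code, detail in findings:
        print(f"{ev.ts} {code}: {detail}")
    return [code for _, code, _ in findings]


if __name__ == "__main__":
    run_example()
```

Run against the sample data the check reports the compiler installation (guideline 2) and the upgrade that was performed without a change record (guidelines 1 and 7), while the approved, recorded changes pass silently. In practice the approved list and change register would be read from the configuration control system rather than embedded in the script, and the findings written to the audit log the control requires.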