Implementing restrictions on software installation using ISO 27001 control A.12.6.2

Every company today has to install software: operating systems, office applications, financial applications, development tools, and so on. In many organizations, however, installation is not sufficiently controlled, and uncontrolled software brings risks of its own (unlicensed or vulnerable applications, malicious code, versions nobody maintains). ISO 27001:2013 can help these companies through an Information Security Management System based on the standard, and specifically through control A.12.6.2 (Restrictions on software installation) of Annex A. Let's see how.

The basic principle

As a basic principle, the recommendation (as a best practice) is that software should be installed only by authorized personnel, usually IT staff. This can be enforced through the information security policy or any other rules established in the organization, although a rule on paper relies on each employee actually following it. To verify compliance, the organization can run periodic spot checks, analyzing the software installed on the equipment of an employee selected at random.

Another way to enforce it is to limit user privileges to the minimum needed (a standard user account without local administrator rights cannot install most software), although this will not always be possible, because some profiles need administrator privileges in the systems they manage. These privileges must also be reviewed periodically, since an employee may change area or department, which can require enabling new privileges and disabling others.

For small companies the best-practice recommendation is the same. Alternatively, software could be installed by each employee, but before installation a responsible party should be notified and the installation recorded in an inventory.

General practice is also that organizations establish a rule that software installed on corporate equipment is for professional use only. Every piece of software consumes resources and, more importantly, every piece of software is exposed to threats, so each additional application is additional attack surface; non-professional software in your organization unnecessarily increases the risks.

Again, if your organization is small, other situations may arise (for example, employees working on personal equipment), but these also carry risks that you need to manage.


Rules for the installation of software

For the installation of new software, the recommendation is to always follow the same rules, which could be defined in a policy (ISO 27001:2013 only requires you to implement the control; a documented policy is not mandatory, but it is recommended), with content such as the following:

  1. Employees cannot download software from the Internet or bring software from home without authorization; this is prohibited.
  2. When an employee identifies the need for particular software, a request is submitted to the IT department. The request is kept as a record, which also serves as evidence for audits.
  3. The IT department determines whether the organization holds a license for the requested software.
  4. If a license is available, the IT department notifies the employee and installs the software on the computer of the user who requested it.
  5. If no license is available, a responsible party must assess whether the requested software is really necessary for the employee's duties. Where the software costs money, the financial feasibility of the purchase must also be analyzed.
  6. If the software costs money, check whether there is a similar tool on the market that is cheaper or even free (the Total Cost of Ownership must be calculated).
  7. Top management should participate in the decision on the acquisition of new software.
  8. Once the decision has been made, the IT department adds the software to its inventory and installs it.

Repository applications and software inventory

If you use an asset-based risk management methodology (a best-practice recommendation), software can also be treated as an asset in your inventory during the risk assessment, because, as you know, many threats and vulnerabilities relate to software.

For more information about the inventory of assets, please read more in the article How to handle Asset register (Asset inventory) according to ISO 27001.

It is recommended that the IT department defines a repository, for internal use only, that stores the corporate, approved versions of all applications used by the organization. Only authorized personnel should have access to it, and only from the organization's internal network. Keeping the approved installers in one controlled place also makes it easier to install software on employees' equipment when needed.
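A repository of "approved versions" is only as trustworthy as the check made when an installer is taken out of it. The following is an added example, not code from the article or from Advisera: IT publishes a manifest in sha256sum format (`<digest>  <filename>`) next to the installers, and the technician's install script refuses any file that is not listed or whose digest does not match. The installer bytes and file names are constructed for the example; the manifest layout is an assumption.

```python
import hashlib
import hmac

# Constructed installer contents standing in for the files in the internal
# repository (not real software). The manifest below is generated from them
# so the example runs offline without shipping a real digest.
APPROVED_INSTALLERS = {
    "office-suite-7.2.msi": b"MZ\x90\x00constructed-office-suite-installer",
    "pdf-editor-3.1.msi": b"MZ\x90\x00constructed-pdf-editor-installer",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a blob (what `sha256sum` prints)."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(installers: dict) -> str:
    """What IT writes when publishing approved versions to the repository:
    one `<digest>  <filename>` line per installer (assumed layout)."""
    return "".join(f"{sha256_hex(blob)}  {name}\n" for name, blob in installers.items())


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines into {filename: digest}; reject malformed lines
    instead of silently skipping them."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify_installer(name: str, data: bytes, manifest: dict) -> tuple:
    """Return (ok, message). Unlisted files and digest mismatches are both refused."""
    expected = manifest.get(name)
    if expected is None:
        return (False, f"{name}: not listed in the repository manifest, refuse to install")
    actual = sha256_hex(data)
    # compare_digest avoids leaking the position of the first differing byte.
    if not hmac.compare_digest(actual, expected):
        return (False, f"{name}: digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)")
    return (True, f"{name}: digest verified, safe to install")


MANIFEST = parse_manifest(build_manifest(APPROVED_INSTALLERS))


if __name__ == "__main__":
    good = APPROVED_INSTALLERS["office-suite-7.2.msi"]
    tampered = good + b"\x00"          # one extra byte, e.g. a modified installer
    for name, blob in [("office-suite-7.2.msi", good),
                       ("office-suite-7.2.msi", tampered),
                       ("free-tool.exe", b"downloaded from somewhere")]:
        print(verify_installer(name, blob, MANIFEST)[1])
```

The manifest only helps if an attacker who can replace an installer cannot also rewrite the manifest: keep it writable only by the personnel who publish approved versions (or sign it), and have the install script read it from the repository rather than from the technician's machine.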

It is also important to identify all software installed inside the organization. For this purpose we can use discovery tools that scan the internal network and report what software is installed on each computer. Comparing their output with the inventory and with the recorded installation requests shows whether someone has installed software in an uncontrolled way, i.e., without opening a request in accordance with the rules established in the previous section.

If your organization is very small and/or this repository cannot be established, the recommendation is to at least keep a simple list of the software installed on each piece of equipment.
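The reconciliation step described above (discovery output versus approved software and installation requests) and the random spot check of a single employee's equipment from the first section can be done with the same logic. The following is an added example, not code from the article or from any particular discovery tool: it reads a CSV export of the kind a discovery tool or a hand-kept per-device list would produce and flags two distinct findings, software that is not approved at all (rule 1 broken) and approved software for which no request exists for that device (installed outside the request procedure). The CSV rows, catalog and request records are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed export of a software discovery tool (or the simple per-device list
# a small organization keeps). Not real data.
DISCOVERY_CSV = """hostname,user,software,version
WS-014,ana.lopez,Office Suite,7.2
WS-014,ana.lopez,PDF Editor,3.1
WS-014,ana.lopez,Torrent Client,4.0
WS-027,j.silva,Office Suite,7.2
WS-027,j.silva,Accounting Pro,2024
WS-027,j.silva,Browser Toolbar,1.9
"""

# Software the organization holds licenses for and ships from the internal
# repository (assumed catalog).
APPROVED_CATALOG = {"Office Suite", "PDF Editor", "Accounting Pro"}

# Installation requests recorded by the IT department (rule 2 of the policy),
# keyed by (hostname, software). Constructed records.
REQUESTS = {
    ("WS-014", "Office Suite"),
    ("WS-027", "Office Suite"),
    ("WS-027", "Accounting Pro"),
}


def parse_inventory(text: str) -> list:
    """Rows of the discovery export as dicts keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(row: dict, catalog: set, requests: set) -> str:
    """Three outcomes: UNAPPROVED (not licensed/approved at all), NO_REQUEST
    (approved software, but nobody requested it for this device), OK."""
    if row["software"] not in catalog:
        return "UNAPPROVED"
    if (row["hostname"], row["software"]) not in requests:
        return "NO_REQUEST"
    return "OK"


def reconcile(inventory_text: str, catalog=APPROVED_CATALOG, requests=REQUESTS,
              hostname=None) -> dict:
    """Return {finding: [(hostname, software, version), ...]} for everything
    that is not OK. Pass hostname= to spot-check a single randomly chosen device."""
    findings = defaultdict(list)
    for row in parse_inventory(inventory_text):
        if hostname is not None and row["hostname"] != hostname:
            continue
        status = classify(row, catalog, requests)
        if status != "OK":
            findings[status].append((row["hostname"], row["software"], row["version"]))
    return dict(findings)


if __name__ == "__main__":
    for finding, items in reconcile(DISCOVERY_CSV).items():
        for host, software, version in items:
            print(f"{finding:11} {host}  {software} {version}")
```

For a spot check, pick the hostname at random (e.g. `random.choice` over the hostnames in the export) and call `reconcile(DISCOVERY_CSV, hostname=...)`; the NO_REQUEST finding is the one that tells you the request procedure is being bypassed even when the software itself is licensed.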

Risks of software installation without ISO 27001:2013 A.12.6.2

Software has become so ubiquitous that nobody considers its security implications anymore; however, software can be and is dangerous: if you do not handle it properly, it can become the main source of malicious code in your company.

To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Author: Antonio Jose Segovia
Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.