The basics
ISO 27001 control A.8.18 Use of privileged utility programs requires companies to control the use of programs that can override or change security configurations, in order to prevent the bypass of security controls.
Documentation
ISO 27001 control A.8.18 Use of privileged utility programs can be documented:
- for smaller and mid-sized companies by writing Security Procedures for IT Department
- for larger companies by writing a Privileged Access Procedure
These documents are not mandatory but are recommended.
Implementation
In order to comply with control A.8.18 Use of privileged utility programs you might implement the following:
- Technology — managing the use of privileged utility programs (tools that can change system configuration, disable logging or monitoring, or alter access rights) mainly involves software, e.g., user management systems and logging and monitoring tools. Companies may use the access management features of their local computers to restrict which users can run privileged utility programs, and may use networked systems to manage that access centrally and remotely, and to log when such programs are actually run.
- Organization/processes — you should set up a process for defining which privileged utility programs can be used, how access to them is provisioned, reviewed, modified, and removed. You can document those processes through Security Procedures for IT Department or a Privileged Access Procedure.
- People — make employees aware of why managing access to privileged utility programs is needed, and train IT staff on how to manage them.
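As an added example of the "logging and monitoring" part of the control (this is not text or code from the page above): the script below reviews sudo records from a Linux auth log against an allow-list of who may run which privileged utilities, and separates approved use, use by a non-approved account, and attempts sudo itself refused. The list of utilities and approved accounts, the hostname and the log lines are all constructed for the example; the log line layout follows the format sudo writes to syslog.

```python
import re
from dataclasses import dataclass

# Assumed allow-list for the example: which local accounts are approved to run
# each privileged utility. sudo logs the resolved absolute path of the command,
# so the keys are full paths.
PRIVILEGED_UTILITIES = {
    "/usr/sbin/setenforce": {"carol"},
    "/usr/sbin/iptables": {"carol", "dave"},
    "/usr/sbin/auditctl": {"carol"},
}

# Constructed sample of sudo records as they appear in /var/log/auth.log.
# The third line is a refusal ("command not allowed"); the last line is a
# pam_unix session record that the parser must ignore.
SAMPLE_LOG = """\
Mar 10 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/setenforce 0
Mar 10 09:12:44 web01 sudo:    carol : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/auditctl -l
Mar 10 09:13:05 web01 sudo:      bob : command not allowed ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/iptables -F
Mar 10 09:14:30 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar 10 09:15:12 web01 sudo:     dave : TTY=pts/3 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Mar 10 09:16:00 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
"""

# One sudo command record. The optional "denied" part holds sudo's refusal
# reason (e.g. "command not allowed", "user NOT in sudoers") when present.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<denied>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)


@dataclass
class SudoEvent:
    ts: str
    user: str
    utility: str
    cmd: str


def parse_sudo_line(line):
    """Return the fields of a sudo command record, or None for any other line."""
    m = SUDO_LINE.match(line)
    return m.groupdict() if m else None


def review_sudo_log(lines, allow=PRIVILEGED_UTILITIES):
    """Classify every sudo record that names a listed privileged utility.

    'approved'   - run by an account on the allow-list for that utility
    'unapproved' - run by any other account (a finding to follow up)
    'denied'     - sudo refused the command (evidence the control is working)
    Commands that are not on the privileged-utility list are ignored.
    """
    report = {"approved": [], "unapproved": [], "denied": []}
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        utility = rec["cmd"].split()[0]  # first token is the resolved path
        if utility not in allow:
            continue
        event = SudoEvent(rec["ts"], rec["user"], utility, rec["cmd"])
        if rec["denied"]:
            report["denied"].append(event)
        elif rec["user"] in allow[utility]:
            report["approved"].append(event)
        else:
            report["unapproved"].append(event)
    return report


if __name__ == "__main__":
    result = review_sudo_log(SAMPLE_LOG.splitlines())
    for category, events in result.items():
        print(f"{category}: {len(events)}")
        for e in events:
            print(f"  {e.ts} {e.user} -> {e.cmd}")
```

Run against real data by replacing SAMPLE_LOG with the contents of the auth log (or the output of `journalctl -u sudo`, depending on the distribution) and keeping the allow-list in step with the documented Privileged Access Procedure. The "unapproved" entries are what an auditor would expect you to have noticed and acted on; the "denied" entries show the restriction is enforced, not just documented.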
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.18 Use of privileged utility programs: whether the use of programs that can override or change security configurations is controlled.