ISO 27001 Annex A Control 8.19

ISO 27001 control 8.19 Installation of software on operational systems

The basics

ISO 27001 control A.8.19 Installation of software on operational systems requires companies to ensure that the installation of software on operational systems (i.e., systems used to process or store day-to-day data, as opposed to development or test systems) is controlled and authorized, so that the integrity of the operational environment is preserved and no untested or unauthorized software is introduced.

Documentation

ISO 27001 control A.8.19 Installation of software on operational systems can be documented:

  • for smaller and mid-sized companies by writing an IT Security Policy
  • for larger companies by writing a Software Installation Procedure

These documents are not mandatory, but are recommended.

Implementation

In order to comply with control A.8.19 Installation of software on operational systems you might implement the following:

  • Technology — in most cases the technology needed to manage the installation of software on operational systems is already available in the company. Companies of all sizes can usually manage it with the same network-shared folders, software deployment tools, or patch management software they already use to install software. What matters is how these tools are configured: installation rights are restricted to authorized administrators, only approved and tested versions are deployed, and installations are logged so that a rollback is possible if a change disrupts operations.
  • Organization/processes — you should set up a process defining who is authorized to install software, how a software installation must be requested, approved, and carried out, and what users can and can't do regarding software installation. You can document these processes through an IT Security Policy or a Software Installation Procedure.
  • People — make employees aware of the risks of installing software without the company's knowledge and control, and train the IT staff and other users on how to properly install software.
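A practical way to demonstrate that the technology side of this control is in place is to compare what is actually installed on an operational system against an approved-software baseline. The script below is an added example and is not part of the original page; it assumes a hypothetical baseline of approved packages and versions and a constructed inventory in the "name version" format that `dpkg-query -W -f='${Package} ${Version}\n'` prints on Debian-based systems. Any package or version outside the baseline, and any line the inventory tool produced that cannot be parsed, is reported as a finding.

```python
"""Audit an installed-software inventory against an approved-software baseline.

Added example, not from the page or any product. The baseline and the
inventory below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical baseline: package name -> approved versions.
# "*" means any version of that package is approved.
APPROVED_BASELINE: Dict[str, Set[str]] = {
    "nginx": {"1.24.0-2", "1.26.1-1"},
    "openssl": {"3.0.13-1"},
    "vim": {"*"},
}

# Constructed inventory in the "name version" format produced by
# `dpkg-query -W -f='${Package} ${Version}\n'`; one line is deliberately
# malformed to show that it is reported rather than silently skipped.
SAMPLE_INVENTORY = """\
nginx 1.26.1-1
openssl 3.0.11-1
# comment lines and blank lines are ignored

vim 9.1.0016-1
netcat-traditional 1.10-47
broken line here
"""


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    reason: str  # "unapproved_package", "unapproved_version" or "malformed_entry"


def parse_inventory(text: str) -> List[Tuple[str, str]]:
    """Parse 'name version' lines.

    Malformed lines are kept as (raw_line, "") so the audit can report them;
    an inventory that cannot be parsed is itself a finding, not something to drop.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            entries.append((line, ""))
        else:
            entries.append((parts[0], parts[1]))
    return entries


def is_authorized(package: str, version: str, baseline: Dict[str, Set[str]]) -> bool:
    """True only if the package is in the baseline and the version is approved."""
    allowed = baseline.get(package)
    if allowed is None:
        return False
    return "*" in allowed or version in allowed


def audit(entries: List[Tuple[str, str]], baseline: Dict[str, Set[str]]) -> List[Finding]:
    """Return one Finding per inventory entry that is not covered by the baseline."""
    findings: List[Finding] = []
    for package, version in entries:
        if version == "":
            findings.append(Finding(package, version, "malformed_entry"))
        elif package not in baseline:
            findings.append(Finding(package, version, "unapproved_package"))
        elif not is_authorized(package, version, baseline):
            findings.append(Finding(package, version, "unapproved_version"))
    return findings


def run_sample() -> List[Finding]:
    """Audit the constructed inventory against the hypothetical baseline."""
    return audit(parse_inventory(SAMPLE_INVENTORY), APPROVED_BASELINE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.reason}: {f.package} {f.version}")
```

On a real host you would feed the output of the package manager's inventory command into `parse_inventory` instead of the constructed string and keep the baseline under change control next to the Software Installation Procedure. Note that this check is detective, not preventive: it tells you that something was installed outside the approved baseline, so it complements, and does not replace, restricting installation rights to authorized administrators.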

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.8.19 Installation of software on operational systems: whether procedures and technical solutions are in place to manage software installation on operational systems, for example the IT Security Policy or Software Installation Procedure itself, records showing that installations were requested and authorized according to it, and logs from the deployment or patch management tools showing what was installed and by whom.