AuditFront

ISO 27001 A.8.19: Installation of software on operational systems

What This Control Requires

Procedures and measures shall be implemented to securely manage software installation on operational systems.

In Plain Language

If anyone in your organisation can install whatever they like on their work machine, you have a serious problem. Uncontrolled software installation opens the door to malware, vulnerable applications, unlicensed tools, and supply chain attacks.

This covers everything - OS updates, applications, utilities, drivers, firmware - across servers, workstations, mobile devices, and network equipment. The goal is a controlled process where only authorised, tested, and approved software makes it onto operational systems.

From an auditor's perspective, the question is simple: can you demonstrate that you know what software is running in your environment and that you control how it gets there? If the answer is no, expect findings.

How to Implement

Put a software management policy in place that spells out who can install software, what is approved, how new requests are handled, and what technical controls enforce the rules.

Remove local administrator rights from standard users. Set up a software request and approval process through your IT service desk. Build a self-service catalogue of pre-approved applications so people are not constantly raising tickets for common tools. Anything outside the catalogue goes through a formal request, security review, and sign-off.

Deploy software through managed channels only. Use enterprise distribution tools (SCCM, Intune, Jamf, Ansible) to push approved software consistently. Maintain a repository of tested, approved versions and use package signing to verify integrity before installation.

On critical systems, implement application whitelisting. Technologies like Windows Defender Application Control (WDAC), AppLocker, or third-party tools can restrict execution to approved software only. Start in audit mode to catch all legitimate applications, then switch to enforcement. This is especially important for servers.

Before approving any new software, run a security review. Check for known vulnerabilities, look at the vendor's security track record, assess what privileges it needs, and evaluate what data it accesses or sends externally. Do not skip open-source components.

Keep a live inventory of all installed software using automated discovery. Reconcile it against your approved list regularly. Investigate and remove anything unauthorised. Track versions to support both vulnerability management and licence compliance.

Funnel software updates through your patch management process. Test before deploying, push updates within defined timeframes based on criticality, and retire anything that has hit end-of-life without security patch support.
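The reconciliation and end-of-life checks described above, as an added example (not code from AuditFront or from any of the distribution tools named); the approved list, the end-of-support date and the discovery rows are constructed sample data, and the status labels are my own:

```python
# Added example: reconcile a discovered software inventory against the
# approved list and flag unapproved, version-drifted and end-of-life items.
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Approved:
    versions: FrozenSet[str]       # versions the security review signed off
    eol: Optional[date] = None     # vendor end of security support, if known

# Constructed approved list: product -> reviewed versions and EOL date
APPROVED = {
    "7-Zip":   Approved(frozenset({"23.01", "24.08"})),
    "Python":  Approved(frozenset({"3.12.4"})),
    "Java SE": Approved(frozenset({"8u202"}), eol=date(2019, 1, 15)),
}

# Constructed discovery output (host, product, version), as an SCCM/Intune
# or Jamf inventory export would provide it
INVENTORY = [
    ("WS-001", "7-Zip",    "24.08"),
    ("WS-002", "7-Zip",    "9.20"),    # approved product, unapproved version
    ("SRV-01", "Python",   "3.12.4"),
    ("WS-003", "uTorrent", "3.6.0"),   # not on the approved list at all
    ("SRV-02", "Java SE",  "8u202"),   # approved once, now past end of support
]

def classify(product, version, approved, today):
    """Return approved, unapproved-version, unapproved or end-of-life."""
    entry = approved.get(product)
    if entry is None:
        return "unapproved"
    if entry.eol is not None and entry.eol <= today:
        return "end-of-life"            # EOL outranks an approved version
    if version not in entry.versions:
        return "unapproved-version"
    return "approved"

def reconcile(inventory, approved, today=None):
    """Group every item needing action by (product, version, status) -> hosts."""
    today = today or date.today()
    findings = {}
    for host, product, version in inventory:
        status = classify(product, version, approved, today)
        if status != "approved":
            findings.setdefault((product, version, status), []).append(host)
    return findings

if __name__ == "__main__":
    for (product, version, status), hosts in reconcile(INVENTORY, APPROVED).items():
        print(f"{status:19} {product} {version} on {', '.join(hosts)}")
```

Each finding maps to one of the actions in the text: remove, re-review the version, or retire the product.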

Evidence Your Auditor Will Request

  • Software management policy with installation control requirements
  • Software approval process documentation and recent approval records
  • Application whitelisting or control configuration for critical systems
  • Software inventory showing installed software across the environment
  • Software distribution tool deployment and configuration records

Common Mistakes

  • Users have local administrator rights and can install any software
  • No software approval process before installation on operational systems
  • Application whitelisting is not implemented on servers or critical systems
  • Software inventory is incomplete or outdated
  • End-of-life software remains in use without security patch support

Related Controls Across Frameworks

Framework   Control ID     Relationship
SOC 2       CC6.8          Related
SOC 2       CC8.1          Related
NIS2        Art.21(2)(d)   Partial overlap

Frequently Asked Questions

Should we remove local admin rights from all users?

Absolutely. Removing local admin rights from standard users is one of the most impactful security measures you can take. It blocks unauthorised installs, limits malware damage, and enforces change control. For the rare occasions when someone genuinely needs elevated privileges, use a managed elevation mechanism: Microsoft LAPS to keep local administrator credentials unique and rotated, or a PAM tool for time-limited elevation. Pair that with a self-service software catalogue and people rarely even notice the change.

How do we handle software that users bring to use for work?

Everything used for work goes through the approval process, full stop. Set up a clear request workflow, assess the software for security and licensing, and deploy it through managed channels if it passes. Shadow IT - where people quietly install their own tools - is a real risk. You tackle it with a combination of policy, technical controls (like application whitelisting), and awareness training so people understand why the process exists.