ISO 27001:2022 Annex A Control 8.19
Abstract of Control 8.19: Installation of software on operational systems
Installation of software on operational systems poses significant security, operational, and compliance risks if not managed properly. ISO/IEC 27001 Control 8.19 mandates that organizations establish procedures and measures to securely manage software installation, ensuring the integrity and availability of operational systems while reducing the likelihood of security vulnerabilities.
Control Type
- Preventive
Information Security Properties
- Confidentiality
- Integrity
- Availability
Cybersecurity Concepts
- Protect
Operational Capabilities
- Secure Configuration
- Application Security
Security Domains
- Protection
Objective
The primary objective of ISO 27001 Control 8.19 is to prevent the unauthorized or insecure installation of software on systems that your organization relies on for daily operations. By establishing clear processes and procedures, you reduce potential security gaps, maintain system stability, and protect against threats arising from outdated or untested software. In short, this control safeguards your operational environment, ensuring minimal disruption and maximum protection.
Purpose
The purpose of this control is straightforward:
- Protect Operational Systems: Guarantee that any software entering your production environment is safe, approved, and does not introduce hidden vulnerabilities.
- Establish Clear Accountability: Clearly define who can authorize software changes, reducing the likelihood of accidental or malicious installations.
- Ensure Business Continuity: Properly tested updates and patches help maintain smooth operations, preventing unnecessary downtime.
- Limit Exposure to Threats: Quickly address security gaps through timely patching, mitigating risks of exploits.
Scope and Applicability
Systems in Production: Control 8.19 applies to all operational or production environments within your organization. Whether these are on-premises servers, cloud-based systems, or hybrid setups, the same stringent rules for software installation must be applied.
Third-Party Involvement: If your organization relies on external vendors or suppliers to install or update software, Control 8.19 still applies. You must ensure these third parties follow the same secure practices and have limited, well-monitored access.
Software Types: This control covers all software components, including commercial off-the-shelf products, open source applications, internally developed software, and even firmware updates. Essentially, if it runs in your environment, it should be subject to secure installation procedures.
Roles and Responsibilities
IT Operations / System Administrators
- Implementation: Install or update software in alignment with authorized change procedures.
- Maintenance: Keep systems updated, perform routine checks, and uphold configuration standards.
Change Management Team
- Approval Process: Evaluate and sign off on each software installation.
- Documentation: Maintain clear, auditable records of changes and communicate updates to relevant stakeholders.
Developers and QA Personnel
- Testing and Validation: Ensure that new releases or patches undergo comprehensive testing before deployment.
- Separation of Duties: Keep development code and compilers away from production environments to avoid introducing untested or unstable elements.
Information Security Team
- Policy Enforcement: Develop guidelines on approved installation processes and software usage.
- Vulnerability Monitoring: Continuously track potential vulnerabilities, coordinate patches, and execute remediation strategies.
Suppliers / Vendors
- Restricted Access: Only receive the necessary level of access for performing installations or updates.
- Compliance: Adhere to your organization’s policies, including logging and monitoring requirements.
Secure Installation Procedures
Authorization and Approval
Only install software when a formal change management process has granted permission. This ensures transparency and accountability at every step. By limiting who can approve changes, you reduce the risk of unauthorized software slipping into your critical systems.
Least Privilege Principle
Grant installation privileges only to trained administrators with a legitimate need. This principle, known as least privilege, keeps control over software changes and restricts the ability of unauthorized personnel or malicious attackers to make system-altering adjustments.
Rigorous Testing
Before rolling out software to production, perform extensive testing in a pre-production or test environment. Check compatibility with existing applications and verify that security features are up to your standards.
Version Control and Rollback Plans
Keep track of all deployed versions and configurations in a configuration management system. In addition, always prepare a well-documented rollback strategy before any upgrade or patch. If something goes wrong, you can quickly revert to a known stable state.
Audit Logging
Maintain a detailed audit log of each installation, update, or patch operation. These logs help you review which actions took place, detect anomalies, and provide evidence for compliance and forensics.
Patch and Vulnerability Management
Regular Patching Schedule
Set up a routine schedule to review and deploy patches based on severity. High-risk issues demand immediate attention to reduce the window of exposure, while lower-risk patches can be bundled into regular update cycles.
Vendor and Open Source Software Updates
If you rely on external libraries or modules—be it proprietary vendor software or open source repositories—always maintain supported releases. Unsupported or unmaintained software poses a substantial risk, as vulnerabilities may never be patched by the original developers.
Security Validation
Before a patch is pushed live, assess any potential side effects on other business processes or systems. A patch that fixes one vulnerability but opens another can jeopardize your organization’s overall security posture.
Monitoring and Control of External Dependencies
External Libraries and Modules
Today’s applications often depend on externally supplied code, such as open source libraries. Closely monitor these dependencies, keeping them updated to avoid introducing known vulnerabilities into your operational systems.
Third-Party and Supplier Access
When suppliers are involved in software changes, it is crucial to:
- Limit Access: Grant only the privileges necessary for their specific tasks.
- Monitor Activities: Log and review all supplier actions to detect and address improper behavior swiftly.
Audit and Documentation
Change Tracking
Use an internal change management system to record every change event, from justification and approvals to final deployment. This record-keeping makes it easier to investigate issues and demonstrate compliance during audits.
Configuration Management
Maintain a centralized repository of all hardware and software configurations. If something goes wrong, having up-to-date system documentation allows you to rapidly identify and correct errors.
Continuous Improvement
Regularly measure compliance with your internal standards and ISO 27001 requirements. Conduct periodic compliance checks and incorporate the lessons learned into your ongoing risk management strategies.
Common Risks
Unapproved Software Installation:
- Risk: Increases the potential for malware or malicious code to enter your environment.
- Mitigation: Use strict roles and permissions, along with an established approval workflow that flags unapproved installations.
Vulnerabilities from Patches:
- Risk: Certain patches can introduce conflicts or vulnerabilities if not properly tested.
- Mitigation: Maintain thorough pre-deployment testing and build robust rollback plans.
Unsupported or Outdated Software:
- Risk: Outdated software may no longer receive security updates, leaving known vulnerabilities exposed.
- Mitigation: Keep an updated inventory of all software assets. Regularly schedule upgrades or replacements for end-of-life products.
Unauthorized Third-Party Access:
- Risk: Third-party vendors might unintentionally or intentionally compromise your systems if not closely monitored.
- Mitigation: Provide temporary, limited access, supervise all actions, and revoke rights as soon as tasks are completed.
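As an added example (not part of the control text or of any vendor tool), the following Python reconciles constructed installation audit records against a constructed approved-software inventory and flags the first three risks above: installations without a change-management approval reference, software or versions outside the approved inventory, and end-of-life products. All product names, versions and ticket identifiers are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ApprovedSoftware:
    name: str
    approved_versions: frozenset   # releases signed off by change management
    end_of_life: Optional[date]    # None = still supported by the vendor


# Constructed sample inventory (hypothetical products, not from the page).
APPROVED = {
    "webserver": ApprovedSoftware("webserver", frozenset({"2.4.58", "2.4.59"}), None),
    "legacy-db": ApprovedSoftware("legacy-db", frozenset({"9.6.24"}), date(2021, 11, 11)),
}

# Constructed sample audit records, one per install/update event.
# "ticket" is the change-management approval reference; None means no approval exists.
INSTALL_LOG = [
    {"host": "web-01", "name": "webserver",    "version": "2.4.59", "ticket": "CHG-1001"},
    {"host": "web-02", "name": "webserver",    "version": "2.4.60", "ticket": "CHG-1002"},
    {"host": "db-01",  "name": "legacy-db",    "version": "9.6.24", "ticket": "CHG-0990"},
    {"host": "app-01", "name": "unknown-tool", "version": "1.0",    "ticket": None},
    {"host": "app-02", "name": "webserver",    "version": "2.4.59", "ticket": None},
]


def check_install(event, inventory, today):
    """Return the 8.19 findings for one installation event (empty list = compliant)."""
    findings = []
    if not event["ticket"]:
        findings.append("no change-management approval reference")
    approved = inventory.get(event["name"])
    if approved is None:
        findings.append("software not in approved inventory")
    else:
        if event["version"] not in approved.approved_versions:
            findings.append(f"version {event['version']} not an approved release")
        if approved.end_of_life and approved.end_of_life <= today:
            findings.append(f"end of life since {approved.end_of_life.isoformat()}")
    return findings


def review_log(log, inventory, today):
    """Map (host, software) -> findings for every non-compliant event in the log."""
    report = {}
    for event in log:
        findings = check_install(event, inventory, today)
        if findings:
            report[(event["host"], event["name"])] = findings
    return report
```

Running `review_log(INSTALL_LOG, APPROVED, date.today())` yields one entry per non-compliant host/software pair, which can feed the approval workflow or an audit report.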
Other Relevant Controls
- Secure Authentication (Control 8.5): Ensures that authentication to systems follows documented and approved procedures.
- Management of Technical Vulnerabilities (Control 8.8): Focuses on identifying and addressing vulnerabilities systematically.
- Testing Process (Control 8.29): Guarantees updates undergo thorough evaluation before reaching production.
- Separation of Development, Testing & Operational Environments (Control 8.31): Reduces the chance of mistakes or incomplete code migrating to live systems.
- Monitoring Supplier Activities (Control 5.22): Emphasizes strict oversight of third-party actions that could affect your organization’s security.