ISO 27001:2022 Annex A 8.19: Mastering Software Installation on Operational Systems
We have all seen it happen. A well-meaning employee downloads a “free PDF converter” to get their job done faster, and suddenly your operational server is crawling with malware. Or perhaps a developer pushes a new library directly to production without testing, bringing the whole system down. These scenarios are exactly what ISO 27001:2022 Annex A 8.19 is designed to prevent.
This control, formally titled Installation of software on operational systems, is your safeguard against the chaos of unmanaged software. It ensures that only approved, tested, and necessary software makes it onto your critical systems.
What is Annex A 8.19?
At its core, Annex A 8.19 is a preventive control. It requires organisations to establish strict procedures for the installation of software on operational systems. The goal is simple: maintain the integrity of your systems and stop technical vulnerabilities from being exploited.
It replaces and expands upon the guidance found in the 2013 version’s controls (specifically A.12.5.1 and A.12.6.2). It covers everything from off-the-shelf vendor software to open-source tools and internal updates. For a broader look at how this fits into the full list of controls, ISO27001.com offers a comprehensive overview.
Why This Control Matters
Allowing “Shadow IT”—where users install whatever they want—is a massive security risk. Unmanaged software leads to:
- Licensing Issues: You might be using software illegally without knowing it.
- Security Vulnerabilities: Unpatched or unsupported software is a playground for hackers.
- System Instability: Incompatible software can crash critical servers.
How to Implement Annex A 8.19
Implementation doesn’t mean you have to stop everyone from doing their jobs. It means creating a safe, structured path for them to get the tools they need. Here is a practical approach:
1. Establish an Approval Process
You need a formal gatekeeper. No software should be installed on an operational system without authorisation. This usually involves a “Change Request” process where the Head of IT or a designated security manager approves the installation. This ensures segregation of duties—the person requesting the software should not be the one approving it.
2. The Principle of Least Privilege
Technically restrict who can install software. If every user has “Local Admin” rights, your policy is just a piece of paper. Use technical controls (like Group Policy or MDM solutions) to block unauthorised installations. Only trusted administrators should have the keys to the castle.
3. Create an Approved Software List
Maintain a “whitelist” of software that has already been vetted. If a user needs Google Chrome or Adobe Reader, and it is on the list, the process can be fast-tracked. If they want a new, obscure tool, it needs to go through a full review to check for licensing, security reputation, and compatibility.
4. Test Before You Install
Never install directly to production. Annex A 8.19 emphasizes the need for testing. Use a staging or sandbox environment to ensure the new software doesn’t conflict with existing applications or break system functionality. This also includes checking that the software is a legitimate version and not a trojan horse.
5. Manage Vendor Software
When dealing with third-party software (COTS), ensure it is supported. Using “Abandonware” (software no longer updated by the vendor) is a non-compliance red flag. Always check that you have the correct number of licenses to avoid legal penalties.
Audit Evidence: What to Show
When the auditor arrives, they will want proof that your process works. Be prepared to provide:
- The Policy: A written document outlining the rules for software installation.
- The Log: A change log or service desk ticket history showing requests, approvals, and the actual installation dates.
- The Whitelist: Your inventory of approved software.
- Access Rights Reviews: Evidence that you have restricted administrative privileges on operational systems.
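One way to generate the reconciliation an auditor will ask for, tying the approved software list (step 3) to the change log and segregation-of-duties rule (step 1): the script below is an added example, not part of the article or any particular tooling, and every host name, package name, ticket id and user name in it is constructed sample data.

```python
from dataclasses import dataclass

# Constructed approved-software list (the "whitelist" described above).
APPROVED = {"google-chrome", "adobe-reader", "openssh-server"}

# Constructed change log, as a service desk export might look. "reviewed" marks
# that the full licensing/security/compatibility review was completed.
CHANGE_LOG = [
    {"ticket": "CHG-0001", "host": "srv-app-01", "package": "openssh-server",
     "requested_by": "alice", "approved_by": "bob", "reviewed": False},
    {"ticket": "CHG-0002", "host": "srv-app-01", "package": "free-pdf-converter",
     "requested_by": "carol", "approved_by": "carol", "reviewed": False},
]

# Constructed installed-software inventory reported from the same host.
INVENTORY = [
    {"host": "srv-app-01", "package": "openssh-server"},      # whitelisted, ticketed
    {"host": "srv-app-01", "package": "free-pdf-converter"},  # self-approved, unreviewed
    {"host": "srv-app-01", "package": "legacy-backup-tool"},  # no ticket at all
]

@dataclass(frozen=True, order=True)
class Finding:
    host: str
    package: str
    reason: str

def audit(inventory, change_log, approved):
    """Return a sorted list of findings for installed packages that fail the control."""
    tickets = {(c["host"], c["package"]): c for c in change_log}
    findings = []
    for item in inventory:
        host, package = item["host"], item["package"]
        ticket = tickets.get((host, package))
        if ticket is None:
            # Installed with no request or approval on record.
            findings.append(Finding(host, package, "no change ticket"))
            continue
        if ticket["requested_by"] == ticket["approved_by"]:
            # Segregation of duties: requester must not be the approver.
            findings.append(Finding(host, package,
                f"{ticket['ticket']}: requester approved own request"))
        if package not in approved and not ticket["reviewed"]:
            # Whitelisted software may be fast-tracked; anything else needs the full review.
            findings.append(Finding(host, package,
                f"{ticket['ticket']}: off-list software installed without full review"))
    return sorted(findings)

if __name__ == "__main__":
    for f in audit(INVENTORY, CHANGE_LOG, APPROVED):
        print(f"{f.host} {f.package}: {f.reason}")
```

Feeding it a real inventory export and ticket history in the same shape gives the "Log" and "Whitelist" evidence as a single list of exceptions rather than two documents the auditor has to cross-reference by hand.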
Conclusion
ISO 27001:2022 Annex A 8.19 is about taking control of your environment. By enforcing strict installation procedures, you protect your organisation from malware, legal risks, and downtime. It’s not just about compliance; it’s about running a stable, secure ship where you know exactly what is running on your servers and why.