ISO 27001:2022 Annex A 8.19 Installation of software on operational systems

What is ISO 27001:2022 Annex A 8.19 in ISO 27001?

Annex A 8.19 requires a documented process for installing software on operational systems. It ensures only authorised updates reach live environments. Management must use internal tools like Jira and SharePoint to track every change. This control protects system integrity. It prevents unverified software from disrupting business operations.

Auditor’s Eye: The Shortcut Trap

Reliance on automated SaaS compliance platforms leads to surface-level compliance. These systems often provide a green tick without verifying actual technical evidence. Auditors prefer seeing change records in your native Jira workflows. We check SharePoint version history to confirm your staff own the process. Black box software decouples security from daily operations. If an auditor cannot find the original authorisation in your repositories, you fail. Real compliance requires human oversight recorded in your organisational tools.

ISO 27001:2013 Control | ISO 27001:2022 Control | Nature of Change
--- | --- | ---
A.12.5.1 Installation of software on operational systems | Annex A 8.19 Installation of software on operational systems | Control renumbered. The requirement for authorisation and limited access remains identical.

How to Implement ISO 27001:2022 Annex A 8.19 (Step-by-Step)

Implement Annex A 8.19 by integrating software controls into your existing technical workflows. You must treat this as a cultural shift, not a software installation. Use SharePoint and Jira to manage the entire lifecycle. Answer the auditor with clear, documented proof.

  • Draft a software installation policy. Store it in a version-controlled SharePoint library.
  • Identify authorised personnel. Record their names and roles in a Confluence staff matrix.
  • Use Jira for all change requests. Include fields for risk assessment and rollback plans.
  • Test software in a separate environment. Upload the test report to the Jira ticket.
  • Enforce a final management sign-off. This must happen before any live deployment.
  • Update your internal wiki with the latest system version details.

ISO 27001 Annex A 8.19 Audit Evidence Checklist

Focus on manual records that prove human oversight and intent. Your evidence must reside in your internal repositories. This demonstrates active management of the ISMS.

  • Approved change request tickets in Jira.
  • Software installation policy in SharePoint.
  • Rollback and back-out procedures in Confluence.
  • Post-installation test results and sign-offs.
  • Meeting minutes from the Change Advisory Board (CAB).
  • Verification logs of system integrity checks.
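As an added illustration of the last two checklist items (post-installation sign-offs and verification logs of system integrity checks), the following Python gate is example code written for this page; it is not a tool from the page or from any product the page names. It refuses an installer unless the operator is on the authorised list recorded on the approved change, the file's SHA-256 matches the digest recorded at sign-off, and a rollback plan is attached, and it appends every decision (allowed or blocked) to a JSON-lines audit log. The manifest format, file names, operator names and rollback text are constructed assumptions; in practice the digest and authorised list would be exported from the signed-off change ticket.

```python
"""Pre-installation integrity gate with an audit trail (added example; all data is constructed)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_installation(installer: Path, operator: str, manifest: dict) -> dict:
    """Evaluate the gate and return an audit record.

    A failed check is returned, not raised: the refusal is itself evidence and
    must reach the log. Checks run cheapest-first, so an unauthorised operator
    is refused before any hashing happens.
    """
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "ticket": manifest.get("ticket"),
        "operator": operator,
        "artifact": installer.name,
        "allowed": False,
        "reason": "",
    }
    if operator not in manifest.get("authorised_installers", []):
        record["reason"] = "operator not in authorised list"
        return record
    expected = manifest.get("artifacts", {}).get(installer.name)
    if expected is None:
        record["reason"] = "artifact not listed on the approved change"
        return record
    actual = sha256_of(installer)
    record["sha256"] = actual
    if actual != expected:
        record["reason"] = "sha256 mismatch against approved manifest"
        return record
    if not manifest.get("rollback_plan"):
        record["reason"] = "no rollback plan attached to the change"
        return record
    record["allowed"] = True
    record["reason"] = "all checks passed"
    return record


def append_audit_log(record: dict, log_path: Path) -> None:
    """One JSON object per line; sorted keys keep the log diff-friendly for auditors."""
    with log_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")


def run_demo() -> list:
    """Constructed scenario: one approved installer, one tampered copy, one rogue operator."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "approved").mkdir()
    (tmp / "rogue").mkdir()
    good = tmp / "approved" / "app-2.4.1.tar.gz"
    good.write_bytes(b"constructed installer bytes v2.4.1")
    bad = tmp / "rogue" / "app-2.4.1.tar.gz"          # same name, different content
    bad.write_bytes(b"constructed installer bytes v2.4.1 plus an injected change")
    manifest = {
        "ticket": "#542",                             # ticket number from the page's interview; placeholder
        "authorised_installers": ["alice", "bob"],    # hypothetical names
        "artifacts": {"app-2.4.1.tar.gz": sha256_of(good)},
        "rollback_plan": "restore the pre-install snapshot (placeholder text)",
    }
    log = tmp / "install-audit.jsonl"
    cases = [(good, "alice"), (bad, "alice"), (good, "mallory")]
    records = []
    for path, who in cases:
        rec = check_installation(path, who, manifest)
        append_audit_log(rec, log)
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in run_demo():
        print(("ALLOW " if r["allowed"] else "BLOCK ") + r["operator"] + ": " + r["reason"])
```

The order of checks is deliberate: the authorisation check costs nothing and fails closed without touching the artifact, and the rollback check comes last so the log shows an otherwise-valid package was held back purely for a missing back-out plan, which is the non-conformity an auditor is most likely to ask about.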

Relational Mapping

Annex A 8.19 connects to several core ISO 27001 requirements:

  • Clause 8.1: Operational planning and control of changes.
  • Annex A 8.32: Change management integration.
  • Annex A 8.31: Separation of development, test, and production environments.
  • Annex A 8.13: Information backup before installation.

Auditor Interview

Auditor: How do you prevent unauthorised software from being installed on live servers?

Manager: We restrict server access to three authorised administrators. Every installation requires a Jira ticket with manager approval.

Auditor: Where do you store the rollback plan for your latest update?

Manager: The rollback procedure is attached to Jira ticket #542. It is also stored in our Confluence technical manual.

Auditor: How do you verify the installation succeeded?

Manager: We conduct post-deployment testing. We record the results in the same Jira ticket.

Common Non-Conformities

Failure Mode | Description | Corrective Action
--- | --- | ---
Automated Complacency | Relying on a SaaS platform dashboard tick. No internal Jira trail exists. | Implement a formal Jira change request workflow immediately.
Lack of Authorisation | Software installed without a documented approval from a manager. | Enforce sign-off requirements in the SharePoint installation policy.
No Rollback Plan | Live systems updated without a documented way to undo changes. | Mandate rollback procedures for all tickets in Jira.

Frequently Asked Questions

What is the requirement for Annex A 8.19?

The bottom line: You must have rules for software installation on live systems. Only authorised personnel can perform these tasks. Documentation must stay in your business tools. This ensures you maintain control over your operational environment.

How should software installation be authorised?

The bottom line: Use a formal change management process in Jira. A manager must review test results before giving approval. This ensures accountability for system stability. It creates the necessary audit trail for ISO 27001.

Why is a rollback plan necessary for software updates?

The bottom line: Rollback plans protect your business from extended downtime. If an update fails, you can quickly restore the system. Store these plans in Confluence. This is essential for meeting the operational requirements of the standard.

LA CASA DE CERTIFICACIÓN