ISO 27001 Control 8.19: Installation of Software on Operational Systems
Software installations represent a critical security risk when left uncontrolled. Control 8.19 requires organizations to manage and implement software installations securely using defined change management procedures. This prevents unauthorized, malicious, or incompatible software from compromising operational systems.
What this means
Control 8.19 mandates that every software installation on operational systems follow a structured change management process. Organizations must establish and enforce procedures that govern which software can be installed, by whom, when, and under what conditions. This includes version control, patch management, vulnerability assessments, and rollback procedures. The control ensures that installations don't introduce security vulnerabilities, system instability, or regulatory violations.
How to comply
- 1.Establish a formal change management policy that covers all software installations on operational systems
- 2.Define approval workflows requiring authorized personnel to review and approve software installations before deployment
- 3.Implement asset management and inventory systems to track all software deployed across operational environments
- 4.Conduct security and compatibility assessments prior to installation, including vulnerability scanning and dependency checks
- 5.Document installation procedures with clear instructions, configurations, and rollback plans
- 6.Restrict installation privileges to authorized administrators using role-based access controls
- 7.Maintain an audit trail of all installations, including who installed what, when, and approval records
- 8.Schedule installations during maintenance windows to minimize operational disruption and enable monitoring
- 9.Test software in isolated environments before production deployment
Evidence auditors look for
- Change management policy documentation outlining software installation procedures
- Software installation request forms with approval signatures from authorized personnel
- Approved software asset inventory listing all applications deployed on operational systems
- Pre-installation assessment reports documenting security and compatibility reviews
- Installation logs and audit trails showing who deployed software, when, and approval details
- Documented rollback procedures and successful rollback evidence
- System change tickets linked to software installations with business justification
- Security scan reports performed before and after installations
- User access control lists restricting installation rights to authorized administrators
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates software installation tracking and change management workflows, capturing approval chains and audit logs to demonstrate control 8.19 compliance without manual spreadsheet management.
See how GRCWatch handles this control automatically
Start free trial