What the auditor wants to verify
Audit objective
Verify that software installation on operational systems is authorized, tested, logged, licence-valid, supportable, and recoverable.
Evidence to request
| Evidence | Purpose |
|---|---|
| Software installation procedure | Shows installation process is defined |
| Change or release records | Shows business justification and approval |
| Test and regression records | Shows verification before production |
| Deployment or installation logs | Shows what was installed and by whom |
| Backup and rollback evidence | Shows fallback is possible |
| Licence entitlement records | Shows use is authorized |
| Vendor support records | Shows support is available where needed |
| Privileged access records | Shows installation rights are controlled |
Strong evidence
- Installation records link to approved changes.
- Security, compatibility, and regression tests are retained.
- Deployment was performed by authorized personnel.
- Production installation logs identify package/version, target, installer, and date/time.
- Backup and rollback plans were prepared before change.
- Licence entitlement and vendor support are confirmed.
- Emergency changes have post-implementation review.
Weak evidence
- Developers or administrators install directly into production without approval.
- Test evidence is missing or informal.
- Rollback depends on memory.
- Licence and support status are assumed.
- Source code or build tools are present on production without justification.
- Installation logs are incomplete.
Sample interview questions
- Who may install software on operational systems?
- What approval is needed before installation?
- How is regression testing performed?
- How do you confirm licence and vendor support status?
- How can the previous version be restored?
- What happens if an emergency installation is required?
Common nonconformities
- No formal procedure for production installation.
- Installation privileges are excessive.
- Unauthorized libraries or tools are installed.
- Testing or rollback evidence is missing.
- Licence/support status is not checked.
- Production source code is not controlled.
Related notes
- Audit
- Evidence
- A8 19
- Iso27001
Note Metadata
Aliases: A.8.19 Evidence
Source: 04 Audit Evidence Packs/A.8.19 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.19 Installation of Software on Operational Systems
- A.8.19 Audit Checklist
- Operational Software Installation Procedure
- Operational Software Release and Installation Record
- Software Licence and Support Verification Checklist
- Software Rollback and Fallback Checklist
- Audit Evidence Index