UnixTime

Research Note

ISO 27001 A.8.19 - Installation of Software on Operational Systems

Operational systems should not accept software changes just because someone has technical ability to install them. New software, updates, libraries, patches, scripts, packages,...

On this page

Requirement

Requirement lens

This control asks whether software installation on production or operational systems is controlled, authorized, tested, logged, and recoverable.

“Procedures and measures shall be implemented to securely manage software installation on operational systems.”

Plain-language meaning

Operational systems should not accept software changes just because someone has technical ability to install them. New software, updates, libraries, patches, scripts, packages, and configuration-affecting components should follow an approved process before they reach production.

The key point is integrity. Unauthorized or untested software can break services, introduce vulnerabilities, bypass segregation of duties, create licence issues, or hide fraud.

Why this matters

Production software installation is one of the fastest ways to damage confidentiality, integrity, and availability. A competent developer or administrator can still create risk by installing a “standard library”, hotfix, plugin, or vendor package without approval, testing, rollback, licence confirmation, or support validation.

This control connects strongly to A.8.4 Access to Source Code, A.8.8 Management of Technical Vulnerabilities, A.8.9 Configuration Management, A.8.15 Logging, and A.5.37 Documented Operating Procedures.

Implementation guidance

Implementer focus

Treat production software installation as a controlled change, not a technical convenience.

1. Define installation authority

Only authorized and competent personnel should install or update software on operational systems. Separate development, approval, release, and production installation duties where practical.

2. Require business justification and approval

New products, libraries, utilities, vendor packages, and updates should have a business requirement and approval before installation. Emergency installation should still be recorded and reviewed afterwards.

3. Test before production

Software should be tested before installation, including security checks, compatibility checks, regression testing, operational impact, and rollback validation where practical.

4. Preserve rollback capability

Before installation, retain backups of relevant software, configuration, data, and deployment artifacts. Define a fallback strategy so the previous version can be restored if the installation fails.

5. Control licences and vendor support

Confirm that software licences permit the intended use and scale. For vendor-supplied software, confirm that support is available for as long as the organization depends on the software.

6. Log and review installations

Record what was installed, by whom, when, why, from what source, under what approval, with what test evidence, and with what fallback path.

Audit guidance

Auditor focus

Follow a sample production installation from request to approval, testing, deployment, logging, licence/support verification, and rollback evidence.

Auditors should verify:

  • software installation procedures exist and are used;
  • installation privileges are restricted to authorized staff;
  • production changes have business justification and approval;
  • testing and regression testing occur before installation;
  • source code is not unnecessarily included on operational systems;
  • system files, object code, libraries, and deployment artifacts are protected;
  • previous versions and configurations can be restored;
  • backups are taken before significant changes;
  • licence and support requirements are checked;
  • developers and maintenance staff understand the risk of unapproved production code.

Auditors should interview developers, administrators, release managers, and maintenance staff. The weak point is often informal “small” changes that bypass the process.

Evidence examples

Evidence quality

Strong evidence proves that production software installation is authorized, tested, logged, recoverable, and licence/support controlled.

Evidence What it proves
Software installation procedure Installation process is defined
Change/release records Installations are approved and traceable
Test and regression evidence Software was verified before production
Deployment logs Installation activity is recorded
Backup and rollback records Failed installation can be reversed
Licence verification Use is legally authorized
Vendor support record Support remains available
Privileged access records Only authorized staff can install

Strong evidence

  • Production installation links to a change ticket or release record.
  • Security and regression testing are completed before installation.
  • Deployment is performed by authorized personnel.
  • Installation logs identify installer, date/time, package/version, and target system.
  • Rollback procedure and backup evidence exist.
  • Licence entitlement and vendor support are confirmed.
  • Emergency installation is retrospectively reviewed.

Weak evidence

  • Developers install directly into production.
  • “Small” libraries or tools are installed without change control.
  • Testing evidence is verbal or missing.
  • Rollback depends on memory or manual recreation.
  • Licences are assumed rather than verified.
  • Vendor support has expired but the software remains operational.
  • Source code is present on production systems without justification.

Common failures

Implementation watchouts

A.8.19 fails when production installation rights are treated as an admin convenience instead of a controlled integrity risk.

Failure Why it matters
No formal installation procedure Staff improvise in production
Developer direct production install Weakens segregation and accountability
Untested packages or libraries Introduces vulnerabilities and failures
No rollback plan Failed deployment becomes extended outage
No licence check Creates legal and contractual exposure
Unsupported software retained Increases vulnerability and continuity risk
No installation log Audit trail and incident investigation suffer

Exam traps

Exam focus

A.8.19 is about controlled installation on operational systems. It is broader than custom code deployment.

Trap Correct interpretation
This control only applies to internally developed software Vendor software, libraries, utilities, packages, and updates can be in scope
Developer competence is enough Competence does not replace authorization, testing, and change control
Emergency fixes can skip records Emergency changes still need recording and review
Backup alone is enough A tested fallback or rollback approach is needed
Licence checks are procurement-only Licence and support status affect operational and compliance risk

KB-ready summary

Mentor takeaway

A.8.19 protects operational integrity. Strong implementation proves production software is installed only through authorized, tested, logged, licence-valid, supportable, and recoverable processes.

  • Restrict production installation rights.
  • Require business justification and approval.
  • Test before installation.
  • Back up and define fallback.
  • Verify licences and support.
  • Log all production installations.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Software installation
  • Change control
  • Audit

Note Metadata

Aliases: A.8.19, Installation of Software on Operational Systems, Software Installation on Operational Systems

Source: 05 Annex A Technological Controls/A.8.19 Installation of Software on Operational Systems.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

12

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.