Requirement
Requirement lens
This control asks whether software installation on production or operational systems is controlled, authorized, tested, logged, and recoverable.
“Procedures and measures shall be implemented to securely manage software installation on operational systems.”
Plain-language meaning
Operational systems should not accept software changes just because someone has technical ability to install them. New software, updates, libraries, patches, scripts, packages, and configuration-affecting components should follow an approved process before they reach production.
The key point is integrity. Unauthorized or untested software can break services, introduce vulnerabilities, bypass segregation of duties, create licence issues, or hide fraud.
Why this matters
Production software installation is one of the fastest ways to damage confidentiality, integrity, and availability. A competent developer or administrator can still create risk by installing a “standard library”, hotfix, plugin, or vendor package without approval, testing, rollback, licence confirmation, or support validation.
This control connects strongly to A.8.4 Access to Source Code, A.8.8 Management of Technical Vulnerabilities, A.8.9 Configuration Management, A.8.15 Logging, and A.5.37 Documented Operating Procedures.
Implementation guidance
Implementer focus
Treat production software installation as a controlled change, not a technical convenience.
1. Define installation authority
Only authorized and competent personnel should install or update software on operational systems. Separate development, approval, release, and production installation duties where practical.
2. Require business justification and approval
New products, libraries, utilities, vendor packages, and updates should have a business requirement and approval before installation. Emergency installation should still be recorded and reviewed afterwards.
3. Test before production
Software should be tested before installation, including security checks, compatibility checks, regression testing, operational impact, and rollback validation where practical.
4. Preserve rollback capability
Before installation, retain backups of relevant software, configuration, data, and deployment artifacts. Define a fallback strategy so the previous version can be restored if the installation fails.
5. Control licences and vendor support
Confirm that software licences permit the intended use and scale. For vendor-supplied software, confirm that support is available for as long as the organization depends on the software.
6. Log and review installations
Record what was installed, by whom, when, why, from what source, under what approval, with what test evidence, and with what fallback path.
Audit guidance
Auditor focus
Follow a sample production installation from request to approval, testing, deployment, logging, licence/support verification, and rollback evidence.
Auditors should verify:
- software installation procedures exist and are used;
- installation privileges are restricted to authorized staff;
- production changes have business justification and approval;
- testing and regression testing occur before installation;
- source code is not unnecessarily included on operational systems;
- system files, object code, libraries, and deployment artifacts are protected;
- previous versions and configurations can be restored;
- backups are taken before significant changes;
- licence and support requirements are checked;
- developers and maintenance staff understand the risk of unapproved production code.
Auditors should interview developers, administrators, release managers, and maintenance staff. The weak point is often informal “small” changes that bypass the process.
Evidence examples
Evidence quality
Strong evidence proves that production software installation is authorized, tested, logged, recoverable, and licence/support controlled.
| Evidence | What it proves |
|---|---|
| Software installation procedure | Installation process is defined |
| Change/release records | Installations are approved and traceable |
| Test and regression evidence | Software was verified before production |
| Deployment logs | Installation activity is recorded |
| Backup and rollback records | Failed installation can be reversed |
| Licence verification | Use is legally authorized |
| Vendor support record | Support remains available |
| Privileged access records | Only authorized staff can install |
Strong evidence
- Production installation links to a change ticket or release record.
- Security and regression testing are completed before installation.
- Deployment is performed by authorized personnel.
- Installation logs identify installer, date/time, package/version, and target system.
- Rollback procedure and backup evidence exist.
- Licence entitlement and vendor support are confirmed.
- Emergency installation is retrospectively reviewed.
Weak evidence
- Developers install directly into production.
- “Small” libraries or tools are installed without change control.
- Testing evidence is verbal or missing.
- Rollback depends on memory or manual recreation.
- Licences are assumed rather than verified.
- Vendor support has expired but the software remains operational.
- Source code is present on production systems without justification.
Common failures
Implementation watchouts
A.8.19 fails when production installation rights are treated as an admin convenience instead of a controlled integrity risk.
| Failure | Why it matters |
|---|---|
| No formal installation procedure | Staff improvise in production |
| Developer direct production install | Weakens segregation and accountability |
| Untested packages or libraries | Introduces vulnerabilities and failures |
| No rollback plan | Failed deployment becomes extended outage |
| No licence check | Creates legal and contractual exposure |
| Unsupported software retained | Increases vulnerability and continuity risk |
| No installation log | Audit trail and incident investigation suffer |
Exam traps
Exam focus
A.8.19 is about controlled installation on operational systems. It is broader than custom code deployment.
| Trap | Correct interpretation |
|---|---|
| This control only applies to internally developed software | Vendor software, libraries, utilities, packages, and updates can be in scope |
| Developer competence is enough | Competence does not replace authorization, testing, and change control |
| Emergency fixes can skip records | Emergency changes still need recording and review |
| Backup alone is enough | A tested fallback or rollback approach is needed |
| Licence checks are procurement-only | Licence and support status affect operational and compliance risk |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.4 Access to Source Code
- A.8.8 Management of Technical Vulnerabilities
- A.8.9 Configuration Management
- A.8.15 Logging
- A.5.3 Segregation of Duties
- A.5.32 Intellectual Property Rights
- A.5.37 Documented Operating Procedures
- Risk Assessment
- Statement of Applicability
- Operational Software Installation Procedure
- Operational Software Release and Installation Record
- Software Rollback and Fallback Checklist
- Software Licence and Support Verification Checklist
- A.8.19 Audit Evidence Pack
- A.8.19 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.19 protects operational integrity. Strong implementation proves production software is installed only through authorized, tested, logged, licence-valid, supportable, and recoverable processes.
- Restrict production installation rights.
- Require business justification and approval.
- Test before installation.
- Back up and define fallback.
- Verify licences and support.
- Log all production installations.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Software installation
- Change control
- Audit
Note Metadata
Aliases: A.8.19, Installation of Software on Operational Systems, Software Installation on Operational Systems
Source: 05 Annex A Technological Controls/A.8.19 Installation of Software on Operational Systems.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.3 - Segregation of Duties
- ISO 27001 A.5.32 - Intellectual Property Rights
- ISO 27001 A.5.37 - Documented Operating Procedures
- A.8.19 Audit Evidence Pack
- ISO 27001 A.8.15 - Logging
- ISO 27001 A.8.25 - Secure Development Life Cycle
- ISO 27001 A.8.28 - Secure Coding
- ISO 27001 A.8.29 - Security Testing in Development and Acceptance
- ISO 27001 A.8.31 - Separation of Development Test and Production Environments
- ISO 27001 A.8.32 - Change Management
- ISO 27001 A.8.4 - Access to Source Code
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- ISO 27001 A.8.9 - Configuration Management
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.19 Installation of Software on Operational Systems
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-035 - Software Installation and Network Security
- ISO 27002 Annex A Control Interpretation Map
- A.8.19 Audit Checklist
- Change Management Procedure
- Development Environment Separation Standard
- Development Test Production Separation Checklist
- Operational Software Installation Procedure
- Operational Software Release and Installation Record
- Release and Rollback Plan
- Security Acceptance Criteria Checklist
- Software Licence and Support Verification Checklist
- Software Rollback and Fallback Checklist
- Annex A Controls MOC