Use of Privileged Utility Programs - ISO 27001 Annex A Control

ISO 27001 Annex A 8.18

The tools that bypass normal controls need controls of their own.

ISO 27001 Annex A 8.18 - Use of Privileged Utility Programs

Privileged utility programs are tools that can bypass the normal controls of the systems they operate on - administrative scripts, low-level diagnostic tools, database direct access utilities, system editors that operate outside application boundaries. The control asks for these tools to be restricted in availability and tightly controlled in use.

Restriction starts with availability. The utilities should be installed only on systems where they are needed and accessible only to authorised users. Logging of their use provides accountability - who ran what, when, and what changes resulted. Where the utilities can perform irreversible actions, additional approval steps may be appropriate.

The control links closely to privileged access management under A.8.2. The same principle applies: powerful tools held by named users with clear accountability and audit trails. The difference is that utility programs may not be tied to identity in the same way as named accounts, so the controls need to compensate for that.

The utility programs that cause the most damage are the ones that are technically authorised but operationally inappropriate. A database administrator running a SQL update directly against production to fix a data issue. A system administrator using a diagnostic tool that has unexpected side effects. Logging is what catches these after the fact; controls that require change management approval catch them before.

Practical Compliance Guidance

Privileged utility program use is described in the IMS1 manual at section 8.5 alongside the Access Control Policy. Use logs and approval records provide the operational evidence.

alphaZ document	How to use it
ISO 27001 Toolkit	The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.
PP-8-100 Information Security Policy Procedure	Contains the Access Control Policy including the rules for privileged utility program access. Use as the source for governance over administrative tooling.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Which tools fall in scope?

Tools that can override system or application controls - direct database access utilities, low-level system editors, debugging tools with elevated privileges, administrative scripts that bypass application logic. The exact list depends on the technology stack.

How do we control these tools?

Through restricted availability (installed only where needed), restricted access (only authorised users can run them), logged use (every invocation produces an audit record), and where appropriate change management approval before use on production systems.

Should personal copies be allowed?

Generally no - administrators should use centrally-managed and logged tools rather than personal copies that bypass the audit trail. Where personal copies are needed for specific reasons, the position should be documented and the additional risks compensated for.

Further Resources