ISO 27001 Annex A 8.19
Software in production should arrive through a process - not by accident.
ISO 27001 Annex A 8.19 - Installation of Software on Operational Systems
What runs on production systems shapes their security posture. Authorised, tested software with a known supply chain creates a manageable estate. Ad-hoc installations - whether by users seeking convenience or administrators applying short-term fixes - introduce unknown components that may carry vulnerabilities or alter behaviour in unintended ways. The control asks for software installation to follow defined procedures.
The procedures typically cover authorisation (who decides what can be installed), testing (the software is verified before reaching production), source verification (it comes from a trusted supplier through a controlled channel), and recording (the inventory reflects what is actually installed). Each step protects against a different category of risk.
Modern infrastructure often manages software through automation - container images built from defined base images, package management with curated repositories, configuration management tools that establish the software baseline. Where this is in place, the procedural controls are partly enforced by the infrastructure itself.
The software installation gap that surfaces in audit is the manual workaround: the change that bypassed the normal process because of urgency, the local copy that has not been put through the standard pipeline, the script that someone copied between servers without going through configuration management. Each is forgivable in isolation; together they create an inventory that does not match reality.
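The drift described above is detectable if the software register is compared against what hosts actually report. The following is an added example, not code from the original page or from any alphaZ document: it takes a constructed approved-software register (name, approved version, approved source), parses a constructed host report in a simple tab-separated form that a hypothetical collection agent might produce, and classifies each discrepancy into the categories an A.8.19 review cares about: software installed without authorisation, approved software at an unexpected version, approved software obtained from an uncontrolled source, and approved software that is missing. Package names, versions and source labels are all constructed sample data.

```python
"""Reconcile an approved-software register against a host's installed-software
report and classify the drift. Added example with constructed data; it is not
part of the original page or of any alphaZ document."""

from __future__ import annotations

# Constructed approved register: package -> approved version and approved source.
# In practice this would be exported from the organisation's software inventory.
APPROVED_INVENTORY = {
    "nginx": {"version": "1.24.0-2", "source": "internal-mirror"},
    "openssl": {"version": "3.0.13-1", "source": "internal-mirror"},
    "postgresql-15": {"version": "15.6-1", "source": "internal-mirror"},
    "auditd": {"version": "3.1.2-1", "source": "internal-mirror"},
}

# Sources the organisation treats as a controlled channel (constructed labels).
TRUSTED_SOURCES = {"internal-mirror"}

# Constructed host report: one "name<TAB>version<TAB>source" line per package,
# as a hypothetical collection agent might emit it. Not real dpkg/rpm output.
HOST_REPORT = """\
nginx\t1.24.0-2\tinternal-mirror
openssl\t3.0.11-1\tinternal-mirror
postgresql-15\t15.6-1\tmanual-download
htop\t3.3.0-1\tinternal-mirror
curl\t8.5.0-2\tmanual-download
"""


def parse_host_report(text: str) -> dict[str, tuple[str, str]]:
    """Parse the tab-separated host report into {name: (version, source)}.
    Malformed lines are rejected rather than silently skipped, because a
    report that cannot be read fully cannot support an inventory claim."""
    installed: dict[str, tuple[str, str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 tab-separated fields")
        name, version, source = (p.strip() for p in parts)
        installed[name] = (version, source)
    return installed


def reconcile(approved: dict, installed: dict, trusted_sources: set) -> dict:
    """Compare the register with the host report and group discrepancies.
    An installed package that is not in the register is reported once as
    unauthorised; version and source checks only apply to approved packages."""
    findings: dict[str, list] = {
        "unauthorised": [],      # installed, but absent from the register
        "version_drift": [],     # approved, but not at the approved version
        "untrusted_source": [],  # approved, but not from a controlled channel
        "missing": [],           # in the register, but not installed
    }
    for name, (version, source) in sorted(installed.items()):
        if name not in approved:
            findings["unauthorised"].append((name, version, source))
            continue
        if version != approved[name]["version"]:
            findings["version_drift"].append((name, approved[name]["version"], version))
        if source not in trusted_sources:
            findings["untrusted_source"].append((name, source))
    for name in sorted(approved):
        if name not in installed:
            findings["missing"].append(name)
    return findings


def is_compliant(findings: dict) -> bool:
    """True only when every finding category is empty."""
    return not any(findings.values())


def run_check(report: str = HOST_REPORT) -> dict:
    """Convenience wrapper: parse the report and reconcile it against the register."""
    return reconcile(APPROVED_INVENTORY, parse_host_report(report), TRUSTED_SOURCES)


if __name__ == "__main__":
    result = run_check()
    for category, items in result.items():
        for item in items:
            print(f"{category:17s} {item}")
    print("compliant" if is_compliant(result) else "drift detected")
```

The same reconciliation can be pointed at a configuration-management baseline instead of a hand-kept register; the value is that the comparison runs on a schedule, so a manual workaround shows up as drift within a day rather than at the next audit.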
Practical Compliance Guidance
Software installation arrangements are described in the IMS1 manual at section 8.3 on IT equipment alongside the wider operational arrangements. Software inventory and change records provide the operational evidence.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| PP-8-100 Information Security Policy Procedure | Contains the operational arrangements for software installation including the authorisation and recording requirements. Use as the source for software governance. |
Note - all the above files can be downloaded with an alphaZ subscription.
