
Control 8.19: Installation of Software on Operational Systems


Summary

Procedures and measures should be implemented to securely manage the installation of software on operational systems. This prevents the introduction of unvetted, malicious, or unlicensed software into the production environment.


Applicability

In-Scope: Mandatory for maintaining system stability and security. It is the primary control against shadow IT and the accidental installation of malware by users.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Software Distribution: Use Microsoft Intune as the single source of truth for all authorized software, ensuring only vetted applications are pushed to managed devices.

  • User Restriction: Configure Intune profiles to prevent standard users from installing any software that requires administrative permissions.

  • Company Portal: Provide a self-service Company Portal where users can safely install pre-approved software without needing administrative rights.
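The Intune measures above restrict what can be installed; the evidence and audit questions later on the page still require a way to verify what actually is installed on an endpoint. The PowerShell script below is an added example and is not code from this page or from Microsoft. It assumes a Windows endpoint, a constructed approved-software list with wildcard name patterns and minimum versions, and an output path under $env:TEMP; in practice the list would come from your authorized software inventory and the script could be deployed through Intune as a detection script, with Intune's own reports remaining the primary evidence.

```powershell
# Added example (not from the page): local software-compliance audit for Control 8.19.
# Enumerates installed software on a Windows endpoint and checks it against an
# approved list. The "Scope" column flags per-user (HKCU) installs, which are the
# usual way software appears without an administrative prompt.

# Constructed approved-software list (assumption; replace with your inventory).
# Name is a -like pattern; MinVersion is kept short because System.Version treats
# missing components as lower (e.g. 120.0 < 120.0.0.0), which would cause false "OUTDATED" hits.
$ApprovedSoftware = @(
    [pscustomobject]@{ Name = 'Microsoft Edge';   MinVersion = '120.0' },
    [pscustomobject]@{ Name = 'Company Portal*';  MinVersion = '11.0'  },
    [pscustomobject]@{ Name = 'Adobe Acrobat*';   MinVersion = '23.0'  }
)

function Get-InstalledSoftware {
    # Machine-wide 64-bit, machine-wide 32-bit (WOW6432Node) and per-user uninstall keys.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Publisher      = $_.Publisher
                Scope          = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
            }
        }
}

function Test-SoftwareCompliance {
    param(
        [Parameter(Mandatory)] [object[]] $Installed,
        [Parameter(Mandatory)] [object[]] $Approved
    )
    foreach ($app in $Installed) {
        $rule   = $Approved | Where-Object { $app.DisplayName -like $_.Name } | Select-Object -First 1
        $status = 'UNAPPROVED'
        if ($rule) {
            $status = 'OK'
            # DisplayVersion is free text; only compare when it parses as a System.Version.
            $installedVersion = $null
            if ([version]::TryParse($app.DisplayVersion, [ref]$installedVersion) -and
                $installedVersion -lt [version]$rule.MinVersion) {
                $status = 'OUTDATED'
            }
        }
        [pscustomobject]@{
            DisplayName = $app.DisplayName
            Version     = $app.DisplayVersion
            Publisher   = $app.Publisher
            Scope       = $app.Scope
            Status      = $status
        }
    }
}

# Run the audit, keep the full report as evidence, and show only the findings.
$report       = Test-SoftwareCompliance -Installed (Get-InstalledSoftware) -Approved $ApprovedSoftware
$evidencePath = Join-Path $env:TEMP 'software-compliance.csv'   # assumed output location
$report | Export-Csv -Path $evidencePath -NoTypeInformation
$findings = $report | Where-Object { $_.Status -ne 'OK' }
$findings | Sort-Object Status, DisplayName | Format-Table -AutoSize

# Non-zero exit lets a management tool (for example an Intune detection script) mark the device non-compliant.
if ($findings) { exit 1 } else { exit 0 }
```

On a real device the UNAPPROVED rows will be long until the approved list covers runtimes and redistributables, which is itself useful: it shows exactly how complete the authorized software list is. Per-user ("User" scope) entries deserve first attention when answering the auditor's question about software installed without authorization, since they are installed without the administrative prompt that the Intune restriction relies on.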


Evidence Checklist

  • Software Installation Policy: Rules defining the process for vetting, approving, and deploying new software.

  • Authorized Software List: A maintained inventory of all applications permitted in the operational environment.

  • Compliance Reports: Logs from Intune showing that only approved versions of software are present on managed endpoints.


Practical Audit Advice

Here are some questions the auditor might ask:

  • What is the formal vetting process for a new software application before it is added to the approved list?

  • How do you detect and remove software that was installed without authorization?

  • How are software updates and security patches for third-party applications (non-Microsoft) managed and deployed?

  • Can you demonstrate how you prevent users from installing software from unauthorized external sources, such as public websites or personal cloud storage?