ISO 27001:2022 Annex A Control 8.19

General Guidance on ISO 27001:2022 Annex A 8.19 Compliance

To ensure the safety of changes and installations on their network, organisations should:

• Ensure that only personnel with the required training and competency perform software updates (as per ISO 27001:2022 Annex A 8.5).
• Ensure that only executable code of a high quality is installed; this code should be error-free and must have completed the development process with success.
• Only install and update software after the patch or update has been tested successfully, and the organisation is sure that no conflicts or problems will occur.
• Keep the library system up-to-date.
• Make use of a ‘configuration control system’ to oversee all operational software including program documentation.
• Prior to any updates or installations, agree upon a ‘rollback strategy’ to guarantee business continuity in case of an unexpected error or conflict.
• Maintain a record of any changes made to operational software, providing a brief overview of the update, the individuals involved and a timestamp.
• Ensure any unused software is securely stored and kept with all necessary documentation, configuration files, system logs, and supporting procedures, in case it is needed in the future.
• Enforce stringent regulations on the software packages users can install, based on the principles of ‘least privilege’ and in line with applicable roles and responsibilities.

Guidance on Vendor Software

When it comes to vendor-supplied software (e.g. software used to run machinery or for a unique business purpose), it’s essential to uphold the vendor’s guidelines to ensure it remains in good working order.

It is essential to be aware that, even in cases of externally supplied and managed software or software modules (i.e. the organisation is not responsible for any updates), measures should be taken to guarantee that third party updates do not undermine the organisation’s network integrity.

Organisations should refrain from using unverified vendor software unless absolutely essential and bear in mind the security ramifications of operating obsolete programs rather than upgrading to newer, more secure systems.

If a vendor requires access to an organisation’s network to install or update something, activity should be monitored and authorised as per ISO 27001:2022 Annex A 5.22.

Supplementary Guidance on Annex A 8.19

Software should be upgraded, installed, and patched in line with the organisation’s change management procedures, to guarantee consistency with the rest of the business.

Whenever a patch is identified that completely eradicates a vulnerability (or group of vulnerabilities) or assists in anyway to enhance the organisation’s information security processes, such alterations should typically be applied (although it is still necessary to examine such changes on an individual basis).

Organisations should use the latest, actively maintained version of open source software, where necessary. They should also take into account any risks associated with using unmaintained software in their operations.

Accompanying Annex A Controls

• ISO 27001:2022 Annex A 5.22
• ISO 27001:2022 Annex A 8.5

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.19 supersedes ISO 27001:2013 Annex A 12.5.1 (Software installation on operational systems) and 12.6.2 (Limitations on software installation) in the revised 2022 standard.

ISO 27001:2022 Annex A 8.19 combines most of the guidelines in ISO 27001:2013 Annex A 12.5.1 and 12.6.2, with some key concepts elaborated on and new governing principles added:

• Maintaining and managing a library system.
• Rules that govern the use of open source software.
• Ensure tight logical monitoring of vendor software installation and upkeep.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Help

ISMS.online provides a comprehensive solution for ISO 27001:2022 implementation. This web-based system facilitates demonstrating that your information security management system is compliant with the approved standards, through the use of streamlined processes, procedures, and checklists.

This platform not only makes ISO 27001 implementation straightforward but it also serves as an excellent resource for training staff on best practice and processes in relation to information security, as well as recording all endeavours.

The benefits of using ISMS.online are numerous:

• This platform is user-friendly and can be accessed from any device.
• It is easily adjustable to fit your requirements.
• Customise workflows and processes to suit your business requirements.
• Tools to enable new staff to become proficient quicker.
• A library of template documents is on hand, including policies, procedures, plans and checklists.

Contact us now to arrange a demonstration.