In this guide, I will show you exactly how to implement ISO 27001 Annex A 8.19 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 8.19 Installation of Software on Operational Systems
ISO 27001 Annex A 8.19 requires organizations to strictly control what software is installed on their operational systems (laptops, servers, and devices). The goal is to prevent the introduction of malware, ensure software licensing compliance, and maintain system stability. You must move away from a culture where “anyone can install anything” to a structured, authorized process.
Core requirements for compliance include:
- Approved Software List (ASL): You must maintain a list of software that is authorized for use. If a tool isn’t on the list, it shouldn’t be on the system.
- Removal of Admin Rights: To enforce this control, most users should not have “Local Admin” rights. This prevents the unauthorized installation of software (including “shadow IT” and potentially malicious tools).
- Managed Installation: Software should be installed by authorized IT personnel or through a managed system (like Intune or Jamf) rather than by end-users dragging files into a folder.
- Licensing & Support: You must only install software that is properly licensed and currently supported by the vendor. Using “end-of-life” or pirated software is a major audit non-conformity.
Audit Focus: Auditors will perform “The Desktop Spot Check”:
- Unauthorized Tools: They will look at a random employee’s laptop for unapproved apps (e.g., Spotify, Steam, or unauthorized VPNs).
- Admin Rights: “Show me that this user cannot install a new application without an admin password.”
- The Paper Trail: “Show me the request and approval for the last piece of software you installed on your production server.”
Approved Software List (ASL) Example:
| Software Name | Version | Category | Status |
|---|---|---|---|
| Office 365 | Latest | Productivity | Approved |
| Slack | Latest | Communication | Approved |
| Adobe Acrobat | 2024+ | PDF Editor | Approved |
| Public VPNs | Any | Networking | BANNED |
Table of contents
- Key Takeaways: ISO 27001 Annex A 8.19 Installation of Software on Operational Systems
- What is ISO 27001 Annex A 8.19?
- ISO 27001 Annex A 8.19 Explainer Video
- ISO 27001 Annex A 8.19 Podcast
- ISO 27001 Annex A 8.19 Implementation Guidance
- How to implement ISO 27001 Annex A 8.19
- Approved Software List Example
- What will an auditor check?
- Applicability of ISO 27001 Annex A 8.19 across different business models.
- Fast Track ISO 27001 Annex A 8.19 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 8.19 FAQ
- Related ISO 27001 Controls
- Further Reading
What is ISO 27001 Annex A 8.19?
ISO 27001 Annex A 8.19 is about the installation of software on operational systems which means you need a process for what software you install and how you install that software.
ISO 27001 Annex A 8.19 Installation of Software on Operational Systems is an ISO 27001 control that requires us to manage software installation on operational systems.
ISO 27001 Annex A 8.19 Purpose
ISO 27001 Annex A 8.19 is a preventive control to ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities.
ISO 27001 Annex A 8.19 Definition
The ISO 27001 standard defines ISO 27001 Annex A 8.19 as:
Procedures and measures should be implemented to securely manage software installation on operational systems.
ISO27001:2022 Annex A 8.19 Installation of Software on Operational Systems
ISO 27001 Annex A 8.19 Explainer Video
In this beginner’s guide to ISO 27001 Annex A 8.19 Installation of Software on Operational Systems, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement in and how to pass the audit. Free ISO 27001 training.
ISO 27001 Annex A 8.19 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001:2022 Annex A 8.19 Installation of Software on Operational Systems. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 8.19 Implementation Guidance
This control is looking for us to install software into our operational environment in a controlled manner. In smaller businesses it can be the case that anyone can install anything and that there is no process in place. It can also be the case that everyone has local admin rights to devices.
To implement this control you will put in place a process to manage the software installation process that records evidences of what has happened for audit purposes and you will implement some technical controls that will restrict the ability for certain users to install software.
This is usually owned by the Head of IT and managed by the IT department. Software has licence requirements that must be met and the impact of software and changes can be far reaching and detrimental to the organisation. It is therefore practical to limit the use to trusted and authorised users.
To do this you will put in place a process for the request and approving of software installation that you are able to evidence when the time of the audit comes. Of course, you will ensure that the person making the request is not the same person that approves it. This will ensure segregation of duty. As part of this process you would document the authorisation levels but in practical terms, in a smaller organisation, this tends to be on person / role and in all likelihood the Head of IT that approves it.
As part of the implementation it is good practice to restrict the installation on systems. This will prevent these tools from being installed by any old Tom, Dick or Harry. Once approved you want to have in place a process that the instigates the installation of the software.
Considerations for the installation of software would include:
- Implement and approved software list and educate people on what is, and what is not, allowed
- Implement software under license
- Implement software that is supported
- Implement software on the principle of least privilege
- Testing of software before installing
- Following the change management process and including a rollback / back out strategy
- Maintaining a change and audit log of all updates
- Not including development code on operational systems.
- Where software is installed by a third party, following your access control to restrict access to systems and the time that access is allowed. The third party should be monitored.
How to implement ISO 27001 Annex A 8.19
Controlling the installation of software on operational systems is vital for maintaining environment stability and preventing the introduction of malicious or unlicensed code. By following these technical steps, your organisation can establish a secure, auditable process for managing system changes in alignment with ISO 27001 Annex A 8.19.
1. Formalise Software Installation Policies and ROE
- Document a formal policy defining which types of software are permitted on operational systems and who is authorised to perform installations.
- Establish a Rules of Engagement (ROE) document that outlines the mandatory testing and approval steps required before any production deployment.
- Result: A clear governance framework that ensures all software deployments are intentional, authorised, and risk-assessed.
2. Provision Application Whitelisting and Control Mechanisms
- Deploy application control or whitelisting software to ensure that only approved binaries and scripts can execute on operational servers and workstations.
- Configure system-level restrictions to block unauthorised installers and prevent the use of portable executable files from external media.
- Result: Prevention of “shadow IT” and the mitigation of risks associated with malware or unverified third-party applications.
3. Revoke Local Administrative Privileges via IAM
- Implement the Principle of Least Privilege by removing local administrative rights from standard user accounts across the estate.
- Provision granular Identity and Access Management (IAM) roles that allow only designated system administrators to trigger software installation tasks.
- Result: A significantly reduced attack surface where unauthorised users or automated threats cannot modify system configurations.
4. Mandate Testing in Segregated Environments
- Require all software to undergo successful functional and security testing in an isolated staging or UAT environment prior to operational rollout.
- Verify that the software does not conflict with existing security controls, such as EDR agents, or degrade system performance.
- Result: Assurance that new software installations will not disrupt business operations or compromise existing security postures.
5. Execute Cryptographic Integrity and Authenticity Checks
- Utilise cryptographic hashing (e.g. SHA-256) to verify the integrity of installation packages against the vendor’s provided checksums.
- Enforce digital signature verification to ensure that the software originates from a trusted source and has not been tampered with during transit.
- Result: Protection against supply chain attacks and the installation of corrupted or compromised software files.
6. Implement Centralised Logging and Configuration Monitoring
- Configure operational systems to export installation logs and file integrity monitoring (FIM) alerts to a centralised SIEM platform.
- Establish automated alerts for unauthorised installation attempts or changes to critical system directories and registry keys.
- Result: Real-time visibility into system modifications and a verifiable audit trail for ISO 27001 compliance and forensic analysis.
Approved Software List Example
This is an ASL example:
| Software Name | Version | Category | Approval Date |
| Microsoft Office | 365 | Productivity | Jan 2026 |
| Slack | Latest | Communication | Jan 2026 |
| Spotify | – | BANNED | – |
What will an auditor check?
The audit is going to check a number of areas. Lets go through the main ones
1. That you have documentation
What this means is that you need to show that you have documented your Installation of Software on Operational Systems. Can you show a list of what software installed, that it is licensed, the version and which users access it?. Are you able to evidence a request and approval process and tie that to the list of users and software to show the process was followed.
2. That you have have implemented Installation of Software on Operational Systems appropriately
They will look at systems to seek evidence of software. They will question you on the process and seek evidence that you have followed it. They want to see evidence of software installation and the process in operation.
3. That you have conducted internal audits
The audit will want to see that you have tested the controls and evidenced that they are operating. This is usually in the form of the required internal audits. They will check the records and outputs of those internal audits.
Applicability of ISO 27001 Annex A 8.19 across different business models.
| Business Type | Applicability | Examples of Control Implementation |
|---|---|---|
| Small Businesses | Focuses on ending the “anyone can install anything” culture. It involves centralizing software requests and removing local admin rights to prevent unlicensed or malicious software from destabilizing the office environment. |
|
| Tech Startups | Essential for managing fast-paced growth and remote teams. Uses automated Mobile Device Management (MDM) to enforce software standards and ensure that developer tools are verified and licensed. |
|
| AI Companies | Crucial for maintaining the integrity of training environments. Controls ensure that only verified libraries and ML frameworks are installed on high-performance compute clusters to prevent supply chain attacks. |
|
Fast Track ISO 27001 Annex A 8.19 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 8.19 (Installation of software on operational systems), the requirement is to manage and control what software is installed on your systems to prevent vulnerabilities and maintain integrity. While SaaS platforms often try to sell you “automated asset discovery” or complex software management modules, the auditor is looking for your governance – the process of request, approval, and your Approved Software List (ASL).
| Compliance Factor | SaaS Asset Management Modules | High Table ISO 27001 Toolkit | Real-World Example |
|---|---|---|---|
| Data Ownership & Continuity | Rents you a container for your data. Defining software rules inside their system means you lose access to your “Approved Software List” if you stop paying. | Permanent Ownership: You receive the “Approved Software List” and “Software Installation Policy” in Word/Excel to keep on your own systems forever. | Maintaining a permanent history of software governance and audit trails without a recurring subscription fee. |
| Simplicity & Workflow | Over-engineers the requirement with complex dashboards. Forces teams to learn new software just to record a simple installation approval. | Governance Without Bloat: Focuses on the process of authorization and segregation of duties using simple, universally understood templates. | Updating a spreadsheet when the Head of IT approves a new tool, rather than navigating a complex SaaS interface. |
| Cost Structure | Often charges based on “endpoints” or “managed assets.” Costs balloon as you add more laptops, servers, and employees. | One-Off Fee: A single payment covers the documentation for 10 employees or 1,000. The cost remains static as you scale. | Allocating your budget toward actual software licenses instead of a platform that simply documents those licenses. |
| Freedom & IT Integration | Mandates specific ways to document versions. Often results in “double work” if the tool doesn’t align with your existing ITSM flow. | Workflow Agnostic: Editable procedures match your exact operations, whether you use manual approvals or automated portals. | Customizing installation categories to fit your specific culture without being constrained by a vendor’s rigid fields. |
Own Your ISMS, Don’t Rent It
Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit
Summary: For Annex A 8.19, the auditor wants to see that you have a process for software installation and that it is followed. The High Table ISO 27001 Toolkit provides the governance framework to do exactly that. It is the most direct, cost-effective way to prove you have a controlled software environment with permanent documentation that you own and control.
ISO 27001 Annex A 8.19 FAQ
What is the primary objective of ISO 27001 Annex A 8.19?
The primary objective is to prevent the introduction of vulnerabilities and malware by strictly controlling software installation on operational systems. This control mandates that organizations move away from an “open” environment to a managed one where only authorized code runs.
- Security: Prevents malicious software and ransomware from entering the network.
- Compliance: Ensures all software is legally licensed and supported.
- Stability: Avoids system conflicts caused by unverified or incompatible applications.
Does Annex A 8.19 require removing local administrator rights?
Yes, removing local administrator rights is the most effective technical method to satisfy this control. By adhering to the “Principle of Least Privilege,” you physically prevent users from bypassing authorization processes.
- Block Unauthorized Installs: Users cannot install software without IT intervention.
- Mitigate Shadow IT: Stops employees from deploying unvetted tools.
- Audit Proof: Provides concrete evidence that installation restrictions are enforced technically, not just on paper.
What is the required process for handling software exceptions?
Organizations must establish a formal “Request and Approval” workflow for software not currently on the Approved Software List (ASL). You cannot simply say “no” to everything; you need a safe path for innovation that doesn’t bypass security.
- Business Justification: The user must document why the software is necessary for their role.
- Security Review: IT must verify the vendor’s reputation, licensing, and update frequency before approval.
- Sandboxed Testing: New software should be tested in a non-production environment first to ensure it doesn’t crash existing systems.
What information must be included in an Approved Software List (ASL)?
An Approved Software List (ASL) serves as the definitive register of all applications authorized for business use. To be audit-ready, this document must be kept up-to-date and reviewed regularly.
- Software Name & Version: Explicitly state which versions are allowed (e.g., “Adobe Acrobat Pro 2024”).
- Category: Classify the tool (e.g., Productivity, Communication, Developer Tools).
- Approval Status: Mark items as “Approved,” “Under Review,” or “Banned.”
- Date of Approval: Proves the list is actively maintained.
How do auditors typically verify compliance with Annex A 8.19?
Auditors verify compliance through a combination of documentation reviews and “desktop spot checks.” They look for consistency between your written policy and the actual state of your devices.
- The Spot Check: Asking a random employee to demonstrate they cannot install a new app without admin credentials.
- Evidence of Approval: Requesting the “paper trail” (ticket or email) for a recently installed application.
- ASL Verification: Comparing installed software on a server against your Approved Software List.
Does this control apply to cloud (SaaS) applications?
Yes, the principles of Annex A 8.19 extend to cloud applications (SaaS) that function as operational systems. While you may not “install” them in the traditional sense, you must still authorize and control their integration into your environment.
- Browser Extensions: Unverified extensions can act as spyware and must be restricted.
- API Integrations: Connecting third-party apps to corporate data requires the same approval rigor as desktop software.
- Shadow IT: Prevents employees from signing up for unauthorized tools that process company data.
Why is a document-based toolkit often preferred over SaaS for this control?
A document-based toolkit provides permanent ownership of your compliance evidence without the risks of vendor lock-in. While SaaS tools act as a “container” for data, a toolkit allows you to integrate governance directly into your existing workflows.
- Data Sovereignty: You own your Approved Software List and policies forever; you aren’t “renting” your compliance.
- Simplicity: Avoids the learning curve and overhead of complex GRC platforms.
- Cost Efficiency: Eliminates recurring “per-user” or “per-asset” subscription fees.
Related ISO 27001 Controls
ISO 27001 Clause 8.1 Operational Planning and Control
ISO 27001 Annex A 5.1 Policies for Information Security
Further Reading
How To Implement ISO 27001: A Step By Step Guide
ISO 27001 Malware and Antivirus Policy Beginner’s Guide
ISO 27001 Monitoring, Measurement, Analysis and Evaluation | Beginner’s Guide
