Checklist of ISO/IEC 27001-A.12.5.1 Installation of software on operational systems

Introduction:

The installation of software on operational systems is an important aspect of maintaining the security and functionality of an organization’s IT infrastructure. 

To ensure that only fully tested, approved, and currently supported software is installed for production use, organizations need to review their policies, procedures, and practices associated with software installation regularly. 

This article will provide a sample checklist for organizations to follow when reviewing their policies and procedures for software installation.

Sample Checklist:

  • Review Policies, Procedures, and Practices: The first step in ensuring that only fully tested, approved, and currently supported software is installed for production use is to review the organization’s policies, procedures, and practices associated with software installation. This review should focus on identifying any gaps or weaknesses in the current processes and identifying areas where improvements can be made.
  • Identify Outdated Software: Hunt down any outdated and, in particular, no longer supported or maintained software on production systems, including firmware, operating systems, middleware, applications, and utilities. Such software can pose significant security risks and vulnerabilities, and its presence on production systems must be addressed.
  • Restrict Software Installation: Check that desktops, laptops, servers, databases, etc. are configured to prevent software installation except by trained and authorized administrators under management authority. This step is crucial in ensuring that only approved software is installed and that unauthorized software installations are prevented.
  • Monitoring and Reporting: Check that the management and monitoring systems and practices flag up any unapproved software installations, reporting them to and recording them in the configuration management database, monitoring/alerting systems, etc. This step ensures that any unauthorized software installations are identified and addressed promptly.
  • Cross-Check against Relevant Areas: Cross-check against change and configuration management, security management, business continuity, and other relevant areas, focusing on high-risk/critical systems. This step is crucial in ensuring that software installation policies and procedures are aligned with other critical areas of the organization’s IT infrastructure and that potential risks and vulnerabilities are identified and addressed.

Conclusion:

Ensuring that only fully tested, approved, and currently supported software is installed for production use is critical in maintaining the security and functionality of an organization’s IT infrastructure. 

By following the sample checklist provided above, organizations can review their policies and procedures associated with software installation regularly and identify areas where improvements can be made. 

By doing so, organizations can mitigate potential risks and vulnerabilities associated with software installation and maintain a secure and functional IT infrastructure.
