Use of Privileged Utility Programs
Restrict and control programs that can override system controls to prevent unauthorised access.
🏛️ Framework
ISO/IEC 27001:2022
🧭 Control effect
Preventative
🧱 ISO 27001 domain
Technological controls
🔐 Classifications
N/A
🗓️ Official last update
24 Oct 2022
✏️ Control Stack last updated
30 Mar 2026
🎯 Maturity levels
N/A
The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.
Source: ISO/IEC 27001:2022
Plain language
This control is about limiting and keeping a close eye on special programs that can bypass your computer's security settings. If these programs are not controlled, someone might misuse them to sneak into your systems and access sensitive information.
Why it matters
Uncontrolled access to privileged programs can lead to data breaches, compromising sensitive information and potentially harming organisational reputation.
Operational notes
Regularly review and update access permissions for utility programs to ensure they remain properly controlled as staff roles change.
Implementation tips
- The IT manager should identify which utility programs can override system controls. This involves reviewing all software used within the organisation and categorising those capable of bypassing security settings.
- IT staff should restrict access to these programs to only a select few responsible employees. This can be done by setting up user permissions and ensuring only authorised personnel have access.
- Human Resources, together with IT, should define clear authorisation levels for using these utility programs. This means formalising what level of access each employee will have based on their role.
- Regular training sessions led by IT should educate employees on the proper use of these programs. This includes awareness on why restrictions are necessary and the risks of improper use.
- Continuous monitoring should be conducted by the IT department to log and review the use of these programs. Setting up automated logging systems ensures there’s an audit trail of who accessed what and when.
Audit / evidence tips
- Ask: the list of utility programs identified by the organisation
  Look at: whether these programs are capable of bypassing key security controls
  Good: a comprehensive list that explains the function and potential risk of each program
- Ask: to see the access logs for these utility programs
  Look at: who accessed the programs and how often
  Good: regular reviews of access logs indicating no unauthorised use
- Ask: the authorisation and access control policy documents
  Look at: how access is granted and managed for utility programs
  Good: clear policies that align with restricted access practices
- Ask: records of employee training regarding the use of utility programs
  Look at: the frequency, content, and list of attendees
  Good: regular training sessions with a majority of relevant staff participating
- Ask: details on how unauthorised use of utility programs is detected
  Look at: the systems in place for real-time alerts and follow-up actions
  Good: consistent monitoring with proactive alerts and investigations for any anomalies
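The implementation tip on continuous monitoring and the audit tip on reviewing access logs both come down to the same check: compare each recorded use of a privileged utility against the documented list of who is authorised to run it. The script below is an added example, not part of this page or of the ISO standard. It assumes sudo-style syslog entries; the utility paths, user names, authorisation list and log lines are all constructed sample data.

```python
"""Review privileged-utility usage logs against an authorisation list.

Added example for Annex A 8.18, not code from the original page. It assumes
sudo-style syslog lines ("user : TTY=... ; COMMAND=..."); all names, paths
and log entries below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample log lines (not real data). One non-sudo line is included
# to show that unrelated entries are skipped rather than mis-parsed.
SAMPLE_LOG = """\
Mar 30 09:12:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/setenforce 0
Mar 30 09:13:00 host1 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51022
Mar 30 09:15:44 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl stop auditd
Mar 30 10:02:13 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar 30 11:47:09 host2 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/iptables -F
Mar 30 12:05:30 host2 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/setenforce 0
"""

# Constructed authorisation list: privileged utility -> users allowed to run it.
# In practice this is derived from the organisation's documented authorisation
# levels (the list of utility programs and who may use each one).
AUTHORISED = {
    "/usr/sbin/setenforce": {"alice"},
    "/usr/bin/systemctl": {"alice"},
    "/usr/sbin/iptables": {"alice"},
}

# Matches the sudo syslog format assumed above.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?COMMAND=(?P<cmd>.+)$"
)


def parse_sudo_line(line):
    """Return (timestamp, host, user, utility, full_command) or None for non-sudo lines."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    utility = cmd.split()[0]  # first token is the program path
    return m.group("ts"), m.group("host"), m.group("user"), utility, cmd


def review_privileged_use(log_text, authorised):
    """Flag uses of listed utilities by users who are not authorised for them.

    Returns (findings, usage_counts). Utilities not on the authorisation list
    are ignored: that list defines the organisation's scope of 'privileged
    utility programs'. usage_counts supports the "who and how often" review.
    """
    findings = []
    usage = Counter()
    for line in log_text.splitlines():
        parsed = parse_sudo_line(line)
        if parsed is None:
            continue
        ts, host, user, utility, cmd = parsed
        if utility not in authorised:
            continue
        usage[(user, utility)] += 1
        if user not in authorised[utility]:
            findings.append(
                {"time": ts, "host": host, "user": user, "utility": utility, "command": cmd}
            )
    return findings, usage


if __name__ == "__main__":
    found, counts = review_privileged_use(SAMPLE_LOG, AUTHORISED)
    for f in found:
        print(f"UNAUTHORISED {f['time']} {f['host']} {f['user']} ran {f['command']}")
    for (user, utility), n in sorted(counts.items()):
        print(f"{user:8} {utility:24} {n} use(s)")
```

Running it on the sample data reports two unauthorised uses (bob stopping auditd and carol flushing the firewall rules) and a per-user usage count for the review; the apt-get invocation is ignored because package management is not on the constructed list of control-overriding utilities. The same structure works for any log source once the regex is adapted to its format.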
Cross-framework mappings
How Annex A 8.18 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (5) | ||
| Supports (2) | ||
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (4) | ||
| ISM-1491 | Annex A 8.18 requires restricting and tightly controlling utility programs that can override system and application controls, addressing ... | |
| ISM-1592 | Annex A 8.18 requires that use of utility programs capable of overriding system and application controls is restricted and tightly contro... | |
| ISM-1657 | Annex A 8.18 requires restricting and tightly controlling use of utility programs that can override system and application controls, effe... | |
| ISM-1658 | Annex A 8.18 requires tight restriction of utilities capable of overriding system and application controls, which includes mechanisms tha... | |
| Supports (6) | ||
| ISM-0382 | ISM-0382 requires that unprivileged users cannot uninstall or disable approved applications | |
| ISM-0846 | Annex A 8.18 requires that utilities capable of overriding system and application controls are restricted and tightly controlled, which c... | |
| ISM-1584 | ISM-1584 ensures that unprivileged users are prevented from bypassing, disabling or modifying operating system security functionality | |
| ISM-1746 | Annex A 8.18 requires restricting and tightly controlling utilities that could override system and application controls, which relies on ... | |
| ISM-1748 | ISM-1748 requires preventing users from changing security settings in email clients | |
| ISM-2023 | Annex A 8.18 requires tight control over tools and utilities that can override system and application controls, including controlling how... | |