Annex A 8.18 (ISO/IEC 27001:2022)

Use of Privileged Utility Programs

Restrict and control programs that can override system controls to prevent unauthorised access.

Technological controls · Preventative · ISO/IEC 27001:2022 · software install · privileged utilities

Plain language

This control is about limiting and keeping a close eye on special programs that can bypass your computer's security settings. If these programs are not controlled, someone might misuse them to sneak into your systems and access sensitive information.

Framework

ISO/IEC 27001:2022

Control effect

Preventative

ISO 27001 domain

Technological controls

Classifications

N/A

Official last update

24 Oct 2022

Control Stack last updated

30 Mar 2026

Maturity levels

N/A

Official control statement

The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.
ISO/IEC 27001:2022, Annex A 8.18

Why it matters

Uncontrolled access to privileged programs can lead to data breaches, compromising sensitive information and potentially harming organisational reputation.


Operational notes

Regularly review and update access permissions for utility programs to ensure they remain properly controlled as staff roles change.


Implementation tips

  • The IT manager should identify which utility programs can override system controls. This involves reviewing all software used within the organisation and categorising those capable of bypassing security settings.
  • IT staff should restrict access to these programs to only a select few responsible employees. This can be done by setting up user permissions and ensuring only authorised personnel have access.
  • Human Resources, together with IT, should define clear authorisation levels for using these utility programs. This means formalising what level of access each employee will have based on their role.
  • Regular training sessions led by IT should educate employees on the proper use of these programs. This includes awareness on why restrictions are necessary and the risks of improper use.
  • Continuous monitoring should be conducted by the IT department to log and review the use of these programs. Setting up automated logging systems ensures there’s an audit trail of who accessed what and when.
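The five tips above form one procedure: inventory the utilities that can override controls, restrict them to named staff, and review the audit trail for use outside that authorisation. The following script is an added example, not code from Control Stack or from the ISO/IEC 27001 standard. It assumes a hypothetical inventory (PRIVILEGED_UTILITIES) of the kind step 1 produces, with the authorised users from steps 2 and 3 attached to each entry, and it reviews a constructed sudo-style audit trail in the simplified format "<timestamp> <user> : COMMAND=<path> [args]" to flag every use by someone not on the list, which is the review step 5 calls for.

```python
"""Review an audit trail of privileged-utility use against an authorisation list.

Added example (not part of the Control Stack page or the ISO/IEC 27001 text).
Everything below is constructed for illustration: the inventory, the users
and the log lines. A real inventory comes from the organisation's own
software review, and real logs come from its logging system.
"""
import re
from dataclasses import dataclass

# Steps 1-3: inventory of utilities that can override system controls, each
# mapped to the staff authorised to run it. Hypothetical values.
PRIVILEGED_UTILITIES: dict[str, frozenset[str]] = {
    "/usr/sbin/setenforce": frozenset({"alice"}),         # can disable SELinux enforcement
    "/usr/bin/auditctl":    frozenset({"alice", "bob"}),  # can alter audit rules
    "/usr/sbin/iptables":   frozenset({"bob"}),           # can change host firewall policy
}

# Constructed sample audit trail (not real logs). The vim line is an ordinary
# command and is included to show that non-inventoried programs are ignored.
SAMPLE_LOG = """\
2026-03-01T09:12:04Z alice : COMMAND=/usr/sbin/setenforce 0
2026-03-01T09:14:30Z bob : COMMAND=/usr/bin/auditctl -l
2026-03-01T10:02:11Z carol : COMMAND=/usr/sbin/iptables -F
2026-03-01T10:05:45Z dave : COMMAND=/usr/bin/vim /etc/motd
2026-03-01T11:20:00Z bob : COMMAND=/usr/sbin/setenforce 1
"""

# Simplified sudo-style line: "<timestamp> <user> : COMMAND=<path> [args]"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) : COMMAND=(?P<path>\S+)(?: (?P<args>.*))?$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    utility: str
    args: str
    status: str  # "authorised" or "unauthorised"


def parse_line(line):
    """Return (timestamp, user, path, args) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("user"), m.group("path"), m.group("args") or ""


def review_audit_trail(log_text, inventory=PRIVILEGED_UTILITIES):
    """Step 5: one Finding per recorded use of an inventoried utility."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line; a real review would count these separately
        ts, user, path, args = parsed
        if path not in inventory:
            continue  # not a privileged utility, so outside this control's scope
        status = "authorised" if user in inventory[path] else "unauthorised"
        findings.append(Finding(ts, user, path, args, status))
    return findings


def unauthorised_uses(findings):
    """The subset of findings that need follow-up under the control."""
    return [f for f in findings if f.status == "unauthorised"]


if __name__ == "__main__":
    results = review_audit_trail(SAMPLE_LOG)
    for f in results:
        print(f"{f.status:12} {f.timestamp} {f.user:6} {f.utility} {f.args}")
    print(f"{len(unauthorised_uses(results))} unauthorised use(s) to investigate")
```

Run as-is, the review reports two uses to investigate: carol running iptables, who is not authorised for it at all, and bob running setenforce, who is authorised for other utilities but not that one. The second case is the one a simple "is this user privileged?" check misses, which is why the authorisation list is kept per utility rather than per person.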

Audit / evidence tips

  • Ask: the list of utility programs identified by the organisation. Look at: whether these programs are capable of bypassing key security controls. Good: a comprehensive list that explains the function and potential risk of each program.
  • Ask: to see the access logs for these utility programs. Look at: who accessed the programs and how often. Good: regular reviews of access logs indicating no unauthorised use.
  • Ask: the authorisation and access control policy documents. Look at: how access is granted and managed for utility programs. Good: clear policies that align with restricted access practices.
  • Ask: records of employee training regarding the use of utility programs. Look at: the frequency, content, and list of attendees. Good: regular training sessions with a majority of relevant staff participating.
  • Ask: details on how unauthorised use of utility programs is detected. Look at: the systems in place for real-time alerts and follow-up actions. Good: consistent monitoring with proactive alerts and investigations for any anomalies.

Cross-framework mappings

How Annex A 8.18 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

Essential Eight (E8)

  • Partially overlaps: 5 controls
  • Supports: 2 controls

ASD ISM

Partially overlaps (4):

  • ISM-1491: Annex A 8.18 requires restricting and tightly controlling utility programs that can override system and application controls, addressing ...
  • ISM-1592: Annex A 8.18 requires that use of utility programs capable of overriding system and application controls is restricted and tightly contro...
  • ISM-1657: Annex A 8.18 requires restricting and tightly controlling use of utility programs that can override system and application controls, effe...
  • ISM-1658: Annex A 8.18 requires tight restriction of utilities capable of overriding system and application controls, which includes mechanisms tha...

Supports (6):

  • ISM-0382: ISM-0382 requires that unprivileged users cannot uninstall or disable approved applications.
  • ISM-0846: Annex A 8.18 requires that utilities capable of overriding system and application controls are restricted and tightly controlled, which c...
  • ISM-1584: ISM-1584 ensures that unprivileged users are prevented from bypassing, disabling or modifying operating system security functionality.
  • ISM-1746: Annex A 8.18 requires restricting and tightly controlling utilities that could override system and application controls, which relies on ...
  • ISM-1748: ISM-1748 requires preventing users from changing security settings in email clients.
  • ISM-2023: Annex A 8.18 requires tight control over tools and utilities that can override system and application controls, including controlling how...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
