Secure Software Installation Procedures
Ensure software installations are controlled to prevent security risks.
Plain language
This control is about making sure that whenever software is installed on company computers, it's done in a way that keeps everything safe and secure. If this isn't done properly, it could lead to vulnerable systems that hackers could exploit, which might result in stolen data or disrupted operations.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Technological controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
12 Apr 2026
Maturity levels
N/A
Official control statement
Procedures and measures shall be implemented to securely manage software installation on operational systems.
Why it matters
Without controlled software installation, unauthorised apps can introduce security holes and malware, risking data breaches and operational failures.
Operational notes
Only install approved, signed software from trusted repositories; require change approval, least-privilege installers, and log installs with tested rollback/uninstall steps.
Implementation tips
- The IT manager should ensure that only approved and trained staff can install or update software. This can be done by setting strict permissions on user accounts to limit who can install software, following policies and procedures aligned with ISO 27002:2022.
- The operations team should establish a process for authorising software updates, in which changes are reviewed and approved by management. Use a checklist or system to document the request, approval, and proof of testing, referencing Australian regulations like CPS 234.
- IT staff should conduct thorough testing of software updates before implementation. Set up a testing environment where new software can be trialed to identify potential issues, ensuring alignment with secure configurations as per ASD Essential Eight.
- The IT department should maintain an up-to-date inventory of all software versions used. Use a software management tool that tracks versions, update histories, and ensures compliance with the Privacy Act 1988 regarding data collection and use.
- Managers should ensure a fallback plan is ready in case of failed installations. Create a rollback strategy that includes backing up current software states so you can quickly restore systems if something goes wrong during updates.
Audit / evidence tips
-
AskRequest access to the list of personnel authorised to install software.
GoodAll listed individuals should have clear approval records and relevant training documentation.
-
AskAsk for the documentation process of software update authorisations.
GoodThe records should show a clear chain of command with every update authorised by management.
-
AskRequest evidence of software testing procedures.
GoodTesting logs should demonstrate rigorous processes, noting any issues identified and resolved.
-
AskRequest an inventory of current software versions.
GoodThe inventory should be complete, accurately reflecting what is in use, and include update histories.
-
AskAsk for documentation of rollback plans for software installations.
GoodThere should be explicit plans detailing how to revert installations, protecting data integrity during software failures.
Cross-framework mappings
How Annex A 8.19 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| E8-AC-ML3.2 | E8-AC-ML3.2 requires application control to restrict driver execution to an organisation-approved set | |
| sync_alt Partially overlaps (3) expand_less | ||
| E8-PA-ML1.5 | Annex A 8.19 requires secure management of software installation, including controlled installation of updates and vendor fixes | |
| E8-AC-ML2.1 | E8-AC-ML2.1 requires application control on internet-facing servers to prevent execution of unapproved software | |
| E8-AC-ML2.2 | E8-AC-ML2.2 specifies control with folder exclusions, whereas Annex A 8.19 involves managing software installation security | |
| handshake Supports (1) expand_less | ||
| E8-AC-ML3.3 | E8-AC-ML3.3 requires implementing Microsoft’s vulnerable driver blocklist to stop vulnerable drivers from running on Windows systems | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (4) expand_less | ||
| ISM-1245 | ISM-1245 requires all temporary installation files and logs created during server application installation to be removed after installation | |
| ISM-1655 | ISM-1655 requires that .NET Framework 3.5 is not present/enabled, reducing the chance of insecure legacy components being installed and used | |
| ISM-1797 | ISM-1797 requires installers, patches and updates to be digitally signed or accompanied by cryptographic checksums so their authenticity ... | |
| ISM-1926 | ISM-1926 requires that Microsoft AD DS/AD CS/AD FS/Entra Connect servers are used only for their designed role, with no additional applic... | |
| sync_alt Partially overlaps (11) expand_less | ||
| ISM-0289 | Annex A 8.19 requires secure management of software installation on operational systems | |
| ISM-0912 | Annex A 8.19 requires controlled, secure processes for installing software on operational systems | |
| ISM-1143 | Annex A 8.19 requires procedures and measures to securely manage software installation on operational systems | |
| ISM-1406 | ISM-1406 requires organisations to use Standard Operating Environments (SOEs) for workstations and servers to enforce consistent, secure ... | |
| ISM-1409 | ISM-1409 requires operating systems to be hardened using ASD and vendor guidance, prioritising the most restrictive requirements | |
| ISM-1419 | ISM-1419 requires that software changes are performed in development environments rather than on operational systems | |
| ISM-1493 | ISM-1493 requires organisations to develop, maintain and verify software registers, ensuring installed software is known and can be check... | |
| ISM-1592 | Annex A 8.19 requires secure management of software installation on operational systems, including preventing unauthorised or risky installs | |
| ISM-1800 | ISM-1800 requires network devices to be flashed with trusted firmware before first use to prevent introduction of compromised device soft... | |
| ISM-1915 | ISM-1915 mandates the use of approved configurations for user applications and their maintenance | |
| ISM-2023 | Annex A 8.19 requires organisations to implement controlled, secure procedures for installing software on operational systems | |
| handshake Supports (11) expand_less | ||
| ISM-0290 | ISM-0290 requires high assurance IT equipment to be installed and operated in an evaluated configuration consistent with ASD guidance | |
| ISM-1598 | ISM-1598 requires post-maintenance inspection to confirm systems remain in their approved configuration and no unauthorised modifications... | |
| ISM-1606 | ISM-1606 requires timely remediation of vulnerabilities affecting software-based isolation mechanisms and the underlying host operating s... | |
| ISM-1608 | ISM-1608 requires scanning and verification of third-party SOEs for malicious code and unsafe configurations before they are introduced i... | |
| ISM-1796 | ISM-1796 requires executable files to be digitally signed with a verifiable chain of trust, enabling recipients to validate software auth... | |
| ISM-1798 | ISM-1798 requires secure configuration guidance to be produced and made available to consumers to enable secure setup of software | |
| ISM-1871 | ISM-1871 requires a specific secure configuration for application control coverage, excluding user profiles and temporary folders to redu... | |
| ISM-1916 | Annex A 8.19 requires organisations to implement secure procedures and measures to control software installation on operational systems | |
| ISM-2027 | Annex A 8.19 requires secure management of software installation, which commonly includes validating software integrity and provenance be... | |
| ISM-2044 | Annex A 8.19 requires procedures and measures to securely manage software installation on operational systems | |
| ISM-2045 | ISM-2045 requires organisations to prevent security controls being weakened when supporting older application versions or legacy behaviours | |
| link Related (2) expand_less | ||
| ISM-0042 | ISM-0042 requires organisations to maintain holistic system administration processes and procedures that govern operational management ac... | |
| ISM-1635 | ISM-1635 requires system owners to implement security controls for each system and its operating environment | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.