
ISO 27001 Annex : A.12.5 Control of Operational Software

Infosavvy @Infosavvy · Apr 23, 2021
ISO 27001 Annex A.12.5, Control of Operational Software: its objective is to ensure the integrity of operational systems.

A.12.5.1  Installation of Software on Operational Systems

Control- To control the installation of software on operating systems, procedures should be implemented.

Implementation Guidance- To control changes in software on operational systems, the following guidelines should be considered:

  1. Only trained administrators should upgrade operational software, applications and libraries, and only with appropriate management authorization;
  2. Only approved executable code should exist on operational systems; development code and compilers should not be present;
  3. Applications and operating system software should only be implemented after extensive and successful testing of usability, security, effects on other systems and user-friendliness; testing should be conducted on separate systems; and all corresponding program source libraries should be verified as updated;
  4. A configuration control system should be used to retain control of all deployed applications as well as system documentation;
  5. A roll-back strategy should be in place before changes are introduced;
  6. An audit log should be maintained of all changes to operational program libraries;
  7. Previous versions of software should be retained as a contingency measure;
  8. Old software versions should be archived, together with all required information and parameters, procedures, configuration details and supporting software, for as long as the data is retained in the archive.
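The following script is added here as an illustration and is not part of the Infosavvy article: it checks a snapshot of installed executables against an approved baseline (guidelines 2, 4 and 6 above) and records every deviation as an audit-log entry. The file paths, file contents, hashes and host name are constructed sample data.

```python
"""Baseline check for operational software (ISO 27001 A.12.5.1, guidelines 2, 4, 6).

Compares what is installed on a host against an approved baseline of
path -> SHA-256 and emits one audit-log line per deviation. All data below is
constructed inline so the script runs offline; in practice the baseline would
come from the configuration control system and the snapshot from the host.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: the approved build of each operational binary/library.
APPROVED_CONTENT = {
    "/usr/local/bin/app-server": b"app-server release 2.3.1",
    "/usr/local/lib/libpayroll.so": b"libpayroll 1.8.0",
}
BASELINE = {path: sha256_hex(content) for path, content in APPROVED_CONTENT.items()}

# Constructed snapshot of what is actually present on the host under review.
INSTALLED_CONTENT = {
    "/usr/local/bin/app-server": b"app-server release 2.3.1",    # matches baseline
    "/usr/local/lib/libpayroll.so": b"libpayroll 1.8.1-hotfix",  # changed without approval
    "/usr/local/bin/gcc-wrapper": b"compiler wrapper",           # not approved at all
}


def compare_to_baseline(baseline, installed):
    """Return deviations as (path, finding, observed_sha256) tuples."""
    deviations = []
    for path, content in installed.items():
        observed = sha256_hex(content)
        if path not in baseline:
            deviations.append((path, "unapproved", observed))
        elif baseline[path] != observed:
            deviations.append((path, "modified", observed))
    for path in baseline:
        if path not in installed:
            deviations.append((path, "missing", None))
    return deviations


def audit_entries(deviations, host="host-placeholder"):
    """Render deviations as JSON lines for an append-only audit log."""
    ts = datetime.now(timezone.utc).isoformat()
    return [json.dumps({"ts": ts, "host": host, "path": p, "finding": k, "sha256": h}, sort_keys=True)
            for p, k, h in deviations]


if __name__ == "__main__":
    for line in audit_entries(compare_to_baseline(BASELINE, INSTALLED_CONTENT)):
        print(line)
```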

Related Product : ISO 27001 Lead Auditor Training And Certification ISMS

Vendor-supplied software used on operational systems should be maintained at a level supported by the supplier. Over time, software vendors will cease to support older versions, and the organization should consider the risk of relying on unsupported software.

Every decision to upgrade to a new release should take into account the business requirements for the change and the security of the release, for example whether it introduces new security functionality and the number and severity of information security problems affecting the release. Software patches should be applied when they can help to remove or reduce information security weaknesses.

Suppliers should be given physical or logical access only for support purposes, only when necessary, and only with management approval. The supplier's activities should be monitored.

Software may rely on externally supplied software and modules; these should be monitored and controlled to avoid unauthorized changes that could introduce security weaknesses.

Also Read : ISO 27001 Annex : A.12.4 Logging and Monitoring

The well-known ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certifications mainly cover the information security clauses and their implementation, i.e., the controls an organization should implement to preserve the CIA triad (Confidentiality, Integrity and Availability) and keep its critical, sensitive information secure. Infosavvy, a Mumbai-based institute, provides multi-domain certifications and training, including IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Infosavvy will help you understand and recognize the full scope of your organization's security checks, protect your organization's activities and information equipment (assets) from attacks, and define the backup policy that safeguards data lost through intentional or natural hazards. It also helps you understand how to control and manage operational system integrity. We have trainers with extensive expertise and experience to ensure the efficient handling of information security. Consequently, the applicant will gain the skills needed for an ISMS audit using commonly agreed audit concepts, procedures and techniques.

Read More : https://info-savvy.com/iso-27001-annex-a-12-5-control-of-operational-software/

-----------------------------------------------------------------------------------------------------------------------------

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com