Software installation discipline — authorised software, configuration, source code access

Primary statement

Software installation operates as: (1) procedures and measures to securely manage software installation on operational systems (ISO A.8.19); (2) installation and execution of unauthorised software prevented (NIST PR.PS-05); (3) software maintained, replaced, removed commensurate with risk (NIST PR.PS-02); (4) access to source code and development tools managed (ISO A.8.4); (5) configuration management practices established (NIST PR.PS-01 + ISO A.8.9); (6) integration with secure SDLC for internally developed software.

Audit-fatigue payoff

A unified software lifecycle programme — installation approval + whitelisting / unauthorised prevention + source code access controls + configuration management — satisfies software-installation requirements across all 7 contributing frameworks. Application whitelisting (NIST PR.PS-05) is the audit-defensible enforcement mechanism.

Strictness matrix

Scope
Scope: ALL software installation on operational systems. Servers, workstations, mobile, network devices, IoT/OT. No category exempt without documented exception.
Ceiling source: iso27001:A.8.19
Rationale: ISO 27001 A.8.19 universal scope is the audit-defensible specification.

Threshold
Threshold: installation AND execution of unauthorised software PREVENTED. Prevention is the operational threshold; detection alone fails. Application whitelisting or equivalent enforcement.
Ceiling source: nist_csf:PR.PS-05
Rationale: NIST CSF PR.PS-05 prevention threshold is binary. Detection-only fails.

Method
Method: (1) software installation procedure; (2) approved software register; (3) application whitelisting or equivalent on high-risk endpoints; (4) integration with change management for new software; (5) source code access controls (ISO A.8.4); (6) software maintenance per risk (NIST PR.PS-02): patching, replacement, removal; (7) configuration baselines applied per cl-hardening; (8) integration with secure SDLC for internal software.
Ceiling source: iso27001:A.8.19
Rationale: ISO 27001 A.8.19 method combined with NIST PR.PS-05 prevention is the most prescriptive.

Frequency
Frequency: installation events: per approval. Approved software register review: quarterly minimum. Application whitelisting policy update: per software addition. Software maintenance: per risk (patch SLAs apply). Configuration baseline assessment: quarterly (cl-hardening).
Ceiling source: iso27001:A.8.19
Rationale: Per-approval installation + quarterly register review is the consistent cadence.

Evidence
Required evidence: (1) software installation procedure; (2) approved software register; (3) application whitelisting configuration (where deployed) with sample blocked attempts; (4) integration with change management evidence; (5) source code access controls (ISO A.8.4); (6) software maintenance records (PR.PS-02); (7) installation logs.
Ceiling source: iso27001:A.8.19
Rationale: ISO 27001 A.8.19 evidence with whitelisting blocked attempts is uniquely strict.

Auditor test pattern

Step 1: Inspect the software installation procedure. Step 2: Inspect the approved software register. Step 3: Verify application whitelisting on high-risk endpoints; sample blocked attempts. Step 4: Sample one recent software installation and verify its approval record. Step 5: Inspect source code access controls (ISO A.8.4). Step 6: Verify software maintenance per risk: sample one EOL software item and verify a replacement plan exists.

Common findings

Common 2024–26 findings: (1) Approved software register stale; new software approved ad-hoc; (2) Application whitelisting deployed at servers but not workstations (where most installations happen); (3) Source code access broader than needed — full repository access for all developers; (4) EOL software running in production without replacement plan; (5) Installation logs absent; cannot trace what was installed when.
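The register, installation-log and EOL checks from the auditor test pattern and the common findings above, as an added example in Python that is not part of this synthesis. The register entries, hostnames, package names and change ticket ids are constructed sample data; the three finding labels map to common findings (1), (4) and (5).

```python
from datetime import date

# Constructed approved software register: package -> approval metadata.
# "eol" is the vendor end-of-life date (None = supported); "replacement_plan"
# is the change ticket covering replacement (None = no plan on record).
APPROVED_REGISTER = {
    "openssh-server":    {"version": "9.6", "eol": None,              "replacement_plan": None},
    "legacy-erp-client": {"version": "4.2", "eol": date(2024, 6, 30), "replacement_plan": None},
    "jdk":               {"version": "17.0", "eol": date(2029, 9, 30), "replacement_plan": None},
}

# Constructed installation log: one record per install, with the approving
# change ticket (None would mean the install was never put through change).
INSTALL_LOG = [
    {"host": "ws-017", "package": "openssh-server",    "change": "CHG-1041"},
    {"host": "ws-017", "package": "legacy-erp-client", "change": "CHG-0988"},
]

# Constructed inventory as collected from the endpoint (e.g. by the asset agent).
INVENTORY = {
    "ws-017": ["openssh-server", "legacy-erp-client", "jdk", "torrent-client"],
}


def reconcile(inventory, register, install_log, today):
    """Return sorted (host, package, finding) tuples for an auditor to sample."""
    # Only log records that carry an approving change ticket count as evidence.
    approved_installs = {(e["host"], e["package"]) for e in install_log if e.get("change")}
    findings = []
    for host, packages in inventory.items():
        for pkg in packages:
            entry = register.get(pkg)
            if entry is None:
                # Finding (1): software present but never added to the register.
                findings.append((host, pkg, "not in approved register"))
                continue
            if (host, pkg) not in approved_installs:
                # Finding (5): cannot trace when/under which approval it was installed.
                findings.append((host, pkg, "no installation record with approval"))
            if entry["eol"] and entry["eol"] <= today and not entry["replacement_plan"]:
                # Finding (4): past EOL and no replacement plan on record.
                findings.append((host, pkg, "EOL without replacement plan"))
    return sorted(findings)


def run_sample(today=date(2025, 1, 1)):
    """Run the reconciliation over the constructed data with a fixed audit date."""
    return reconcile(INVENTORY, APPROVED_REGISTER, INSTALL_LOG, today)


if __name__ == "__main__":
    for host, pkg, finding in run_sample():
        print(f"{host}\t{pkg}\t{finding}")
```

Feeding the same function a real register export and agent inventory gives the sampling list for steps 2, 4 and 6 of the auditor test pattern; a host with an empty result has no register, approval-trace or EOL finding.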