ISO 27701 Clause 6.9.5: Strengthening Software Security Controls
Software implementations, patches, updates and new installations have the potential to impact PII and privacy-related assets in a myriad of ways.
Organisations need to take great care when installing applications, utility programs and executable code on operational systems.
What’s Covered in ISO 27701 Clause 6.9.5
ISO 27701 clause 6.9.5 contains just one sub-clause (ISO 27701 6.9.5.1) that deals solely with the installation of software on operational systems.
There are no additional PIMS or PII-related guidance points, nor are there any linked UK GDPR articles to consider.
ISO 27701 Clause 6.9.5.1 – Installation of Software on Operational Systems
References ISO 27002 Control 8.19
In order to protect the availability and integrity of PII, and to administer change, organisations should:
- Ensure that software updates are carried out by competent personnel (see ISO 27002 Control 8.5).
- Ensure that code has safely exited the development stage and is free from any bugs.
- Test all software prior to update or installation, to ensure that no conflicts or errors will ensue.
- Keep an up-to-date software library system.
- Maintain a ‘configuration control system’ to administer operational software.
- Draft a ‘rollback strategy’ that restores systems to a previously working state, to ensure business continuity.
- Maintain a thorough log of any updates performed.
- Ensure that unused software applications, and all their associated material, are securely stored for further use and analysis.
- Operate with a software restriction policy that runs in accordance with the organisation’s various roles and responsibilities.
When utilising vendor-supplied software, applications should be kept in good working order and in accordance with the issuer’s guidelines.
ISO makes it explicitly clear that organisations should avoid using unsupported software unless absolutely necessary. Organisations should seek to upgrade incumbent systems, rather than use out-of-date or unsupported legacy applications.
A vendor may require access to an organisation’s network in order to perform an installation or update. Such activities should be authorised and monitored at all times (see ISO 27002 Control 5.22).
Supplementary Guidance
- Organisations should upgrade, patch and install software in accordance with their published change management procedures.
- Patches that eradicate security vulnerabilities or otherwise improve organisational privacy protection should always be considered as a priority change.
- Organisations should take great care when using open-source software, and should identify the latest publicly available version to ensure that security requirements are met to the fullest extent.
Supporting Controls
- ISO 27002 5.22
- ISO 27002 8.5
Supporting Controls From ISO 27002 & GDPR
| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Requirement | Associated GDPR Articles |
|---|---|---|---|
| 6.9.5.1 | Installation of Software on Operational Systems | 8.19 – Installation of Software on Operational Systems for ISO 27002 | None |
How ISMS.online Helps
You must create a Privacy Information Management System (PIMS) to meet ISO 27701 standards. Using our preconfigured PIMS, you can quickly and easily organise and manage customer, supplier, and employee information to fully meet ISO 27701 standards.
ISMS.online can also accommodate the growing number of global, regional, and sector-specific privacy regulations.
You must first become ISO 27001 (information security) certified to achieve ISO 27701 (privacy) certification. Fortunately, our platform can assist you with both of these certifications.