ISO 27701, Clause 6.9.5 – Control of Operational Software

ISO 27701 Controls and Clauses Explained

Book a demo

young,business,colleagues,working,in,a,busy,open,plan,office

Software implementations, patches, updates and new installations have the potential to impact PII and privacy-related assets in a myriad of ways.

Organisations need to take great care when installing applications, utility programs and executable code on operational systems.

What’s Covered in ISO 27701 Clause 6.9.5

ISO 27701 clause 6.9.5 contains just one sub-clause (ISO 27701 6.9.5.1) that deals solely with the installation of software on operational systems.

There are no additional PIMS or PII-related guidance points, nor are there any linked UK GDPR articles to consider.

ISO 27701 Clause 6.9.5.1 – Installation of Software on Operational Systems

References ISO 27002 Control 8.19

In order to protect the availability and integrity of PII, and administer change, organisations should:

  • Ensure that software updates are carried out by competent personnel (see ISO 27002 Control 8.5).

  • Ensure that code has safely exited the development stage, and is free from any bugs.

  • Test all software prior to update or installation, to ensure that no conflicts or errors will ensue.

  • Keep an up to date software library system.

  • Maintain a ‘configuration control system’ to administers operational software.

  • Draft a ‘rollback strategy’ that restores systems to a previously working state, to ensure business continuity.

  • Maintain a thorough log of any updates performed.

  • Ensure that unused software applications – and all their associate material – are securely stored for further use and analysis.

  • Operate with a software restriction policy, that runs in accordance with the organisation’s various roles and responsibilities.

When utilising vendor-supplied software, applications should be kept in good working order and in accordance with the issuers guidelines.

ISO makes it explicitly clear that organisations should avoid using unsupported software unless absolutely necessary. Organisations should seek to upgrade incumbent systems, rather than use out-of-date or unsupported legacy applications.

A vendor may require access to an organisation’s network in order to perform an installation or update. Such activities should be authorised and monitored at all times (see ISO 27002 Control 5.22).

Supplementary Guidance

  1. Organisations should upgrade, patch and install software in accordance with their published change management procedures.

  2. Patches that eradicate security vulnerabilities or otherwise improve organisational privacy protection should always be considered as a priority change.

  3. Organisations should take great care in using open source software, and should identify the latest publicly available version to ensure that security requirements are being met to the fullest extent.

Supporting Controls

  • ISO 27002 5.22

  • ISO 27002 8.5
Jump to Topic

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause IdentifierISO 27701 Clause NameISO 27002 ControlAssociated GDPR Articles
6.9.5.1Installation of Software on Operational Systems8.19 – Installation of Software on Operational Systems for ISO 27002None

How ISMS.online Helps

You must create a Privacy Information Management System (PIMS) to meet ISO 27701 standards. Using our preconfigured PIMS, you can quickly and easily organise and manage customer, supplier, and employee information to fully meet ISO 27701 standards.

ISMS.online can also accommodate the growing number of global, regional, and sector-specific privacy regulations.

You must first become ISO 27001 (information security) certified to achieve ISO 27701 (privacy) certification. Fortunately, our platform can assist you with both of these certifications.

Find out more by booking a demo.

ISMS.online is a
one-stop solution that radically speeded up our implementation.

Evan Harris
Founder & COO, Peppy

Book your demo

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more