ISO 27001:2022 annex A controls A.8.17 – A.8.19 play a vital role in maintaining system integrity and security. Accurate timekeeping ensures reliable logs for audits and threat detection, while restricting privileged utilities and software installations minimises the risk of unauthorised changes and malware infections. This post explores best practices for implementing these controls to strengthen operational system security and prevent cyber threats.

A.8.17 Clock synchronisation

This control aims to enable the correlation and analysis of security-related events and other recorded data, and to support investigations into information security incidents.

A standard reference time for use within the business should be defined and applied to all systems, including building management systems, entry and exit systems and any others whose records may be needed in an investigation. The reference clock for logging systems should be linked to a radio time broadcast from a national atomic clock or to the global positioning system (GPS), so that every time-stamp comes from one consistent, trusted date and time source. In practice this means configuring every host to synchronise with a small set of trusted internal NTP servers, which in turn synchronise with the reference clock, rather than letting each host pick its own public source.

Clock synchronisation can be difficult when using multiple cloud services, or a mix of cloud and on-premises services, because you do not control every clock. In that case the clock of each service should be monitored against the reference, the offset recorded, and an alert raised when it exceeds an agreed tolerance, so that the discrepancy can be corrected for when events from different systems are correlated.
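The following is an added example, not code from the original post or from DQS: it measures a host's offset from a reference server the way an SNTP client does (request packet, validated reply, RFC 4330 offset and delay), decides whether the drift is within a tolerance, and then uses recorded per-source offsets to put log events from two systems onto one reference timeline. The server reply, the offsets, the log lines and the 0.5 s tolerance are all constructed for the example; to use it for monitoring, send `build_sntp_request()` over UDP port 123 to your internal time server and feed the real reply to `parse_sntp_response()`.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
MAX_OFFSET_SECONDS = 0.5     # assumed tolerance for a logging host; take the real value from your policy


def unix_to_ntp(ts):
    """Split a Unix timestamp into the 32-bit seconds and 32-bit fraction NTP fields."""
    whole = int(ts)
    return whole + NTP_UNIX_DELTA, int(round((ts - whole) * (1 << 32)))


def ntp_to_unix(secs, frac):
    return secs - NTP_UNIX_DELTA + frac / (1 << 32)


def build_sntp_request(t1):
    """48-byte SNTPv4 client packet: LI=0, VN=4, Mode=3, our send time (t1) in the Transmit field."""
    secs, frac = unix_to_ntp(t1)
    return struct.pack("!4B11I", 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, secs, frac)


def build_sntp_response(t1, t2, t3, stratum=2):
    """Constructed server reply (Mode=4) so the example runs offline. A real server echoes
    our t1 as Originate and fills Receive (t2) and Transmit (t3) from its own clock."""
    return struct.pack("!4B11I", 0x24, stratum, 0, 0, 0, 0, 0, 0, 0,
                       *unix_to_ntp(t1), *unix_to_ntp(t2), *unix_to_ntp(t3))


def parse_sntp_response(packet, t1, t4):
    """Validate the reply and return the offset (server clock minus ours) and round-trip delay."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack("!4B11I", packet[:48])
    mode, stratum = f[0] & 0x07, f[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0 or stratum > 15:
        # stratum 0 is a kiss-o'-death or unsynchronised reply: never adjust the clock on it
        raise ValueError("unusable stratum %d" % stratum)
    if (f[9], f[10]) != unix_to_ntp(t1):
        # Originate must echo our own Transmit time; otherwise the reply is stale or spoofed
        raise ValueError("originate timestamp does not match our request")
    t2 = ntp_to_unix(f[11], f[12])  # Receive timestamp
    t3 = ntp_to_unix(f[13], f[14])  # Transmit timestamp
    offset = ((t2 - t1) + (t3 - t4)) / 2   # RFC 4330 clock offset
    delay = (t4 - t1) - (t3 - t2)          # RFC 4330 round-trip delay
    return {"stratum": stratum, "offset": offset, "delay": delay,
            "within_tolerance": abs(offset) <= MAX_OFFSET_SECONDS}


def align_events(events, offsets, tolerance=MAX_OFFSET_SECONDS):
    """Put log events from several sources on the reference timeline.

    events: (source, local_timestamp, message); offsets: source -> last measured offset
    (reference minus local) recorded by the monitoring above. Sources whose drift exceeds
    the tolerance are flagged so an analyst knows those time-stamps are corrected, not native."""
    aligned = [{"source": src, "reference_ts": ts + offsets[src], "message": msg,
                "drift_exceeded": abs(offsets[src]) > tolerance}
               for src, ts, msg in events]
    aligned.sort(key=lambda e: e["reference_ts"])
    return aligned


# --- constructed demonstration data ---------------------------------------
T1, T2, T3, T4 = 1700000000.0, 1700000010.25, 1700000010.5, 1700000001.0  # our clock is ~9.9 s slow
SAMPLE_REPLY = build_sntp_response(T1, T2, T3, stratum=2)

# recorded offsets (reference minus local) for two log sources; constructed values
OFFSETS = {"fw01": 300.0, "app01": -0.2}
EVENTS = [
    ("fw01", 1700000000.0, "deny tcp 203.0.113.7 -> 10.0.0.5:22"),
    ("app01", 1700000299.5, "ssh login failure for admin from 203.0.113.7"),
]

if __name__ == "__main__":
    result = parse_sntp_response(SAMPLE_REPLY, T1, T4)
    print("offset %.3f s, delay %.3f s, within tolerance: %s"
          % (result["offset"], result["delay"], result["within_tolerance"]))
    for e in align_events(EVENTS, OFFSETS):
        flag = " (clock drift exceeded, time corrected)" if e["drift_exceeded"] else ""
        print("%.3f %s %s%s" % (e["reference_ts"], e["source"], e["message"], flag))
```

Read in local time the firewall deny appears five minutes before the failed login; once the recorded 300 s offset of `fw01` is applied the deny actually follows the login failure by under a second, which is the kind of ordering an investigation depends on. The originate-timestamp and stratum checks are the minimum a client should do before trusting a reply; a production host should additionally use authenticated NTP (symmetric keys or NTS) to its internal servers.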

A.8.18 Use of privileged utility programs

The aim of this control is to ensure the use of utility programs does not harm system and application controls for information security.

Utility programs can be capable of overriding system and application controls. The use of these utility programs should be limited to only a minimum practical number of trusted authorised users. Utility programs should also be segregated from application software and where practical, use network communications which are segregated from application traffic.

In practice this is an application of the principle of least privilege: only the users who need a given utility should be able to run it, every use should be logged, and where possible the utility should be installed on a dedicated administrative host that is isolated from production networks, and in particular from networks with access to critical data.
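As an added example (not code from the original post or from DQS) of checking that privileged utilities really are limited to a minimum number of users: on a Linux host the grant is usually a sudoers rule, and a rule that allows `ALL` or an editor or pager with a shell escape is in effect an unrestricted grant. The script below parses a constructed sudoers excerpt, expands user and command aliases and `%group` entries from a constructed group map, and reports each effective (user, command) pair that is broader than a single fixed task. The list of shell-escape capable commands and the sudoers syntax it handles are assumptions kept deliberately small; `Host_Alias`, `Runas_Alias` and `!` negation are not parsed.

```python
import re

# Commands that let the caller spawn a shell or run arbitrary programs once started with
# sudo, so granting them is effectively granting ALL. Assumed minimal list for the example;
# extend it from your own review of the utilities present on your hosts.
SHELL_ESCAPE = {"vim", "vi", "view", "less", "more", "find", "awk", "python", "python3",
                "perl", "bash", "sh"}
TAG_RE = re.compile(r"^((?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
                    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*)+")
ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")

# Constructed sudoers excerpt and group membership for the example
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults        env_reset, secure_path="/usr/sbin:/usr/bin"
User_Alias      OPS = alice, bob
Cmnd_Alias      BACKUP = /usr/bin/rsync, /usr/bin/tar
root            ALL=(ALL:ALL) ALL
%wheel          ALL=(ALL) ALL
OPS             ALL=(root) NOPASSWD: /usr/bin/vim, /usr/bin/less
carol           ALL=(root) /usr/bin/systemctl restart nginx
dave            ALL=(root) BACKUP
frank           ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
"""
GROUPS = {"wheel": ["alice", "erin"]}


def _logical_lines(text):
    """Strip comments and join backslash-continued lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            yield line


def audit_sudoers(text, groups):
    """Return one finding per (user, command) that grants more than a single fixed task."""
    user_aliases, cmnd_aliases, findings = {}, {}, []
    for line in _logical_lines(text):
        if line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            target = user_aliases if kind == "User_Alias" else cmnd_aliases
            target[name] = [x.strip() for x in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        who, _host, _runas, cmd_list = m.groups()
        users = groups.get(who[1:], []) if who.startswith("%") else user_aliases.get(who, [who])
        noexec = False  # a tag applies to every command that follows it in the list
        for item in cmd_list.split(","):
            item = item.strip()
            tags = TAG_RE.match(item)
            if tags:
                names = [t.rstrip(":") for t in tags.group(0).split()]
                if "NOEXEC" in names:
                    noexec = True   # sudo's noexec blocks the shell escape, so less/vim are acceptable
                elif "EXEC" in names:
                    noexec = False
                item = item[tags.end():].strip()
            for cmd in cmnd_aliases.get(item, [item]):
                base = cmd.split()[0].rsplit("/", 1)[-1]
                if cmd == "ALL":
                    reason = "ALL"
                elif base in SHELL_ESCAPE and not noexec:
                    reason = "shell-escape"
                else:
                    continue
                for user in users:
                    findings.append({"user": user, "command": cmd, "reason": reason, "rule": line})
    return findings


def privileged_users(findings):
    """The set of accounts that can effectively do anything as root; compare it with the approved list."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    found = audit_sudoers(SAMPLE_SUDOERS, GROUPS)
    for f in found:
        print("%-6s %-14s %-22s via: %s" % (f["user"], f["reason"], f["command"], f["rule"]))
    print("effectively unrestricted:", ", ".join(privileged_users(found)))
```

On the sample, carol (one fixed `systemctl` invocation), dave (backup tools only) and frank (`less` under `NOEXEC`) produce no finding, while alice and bob are reported for `vim` and `less`, and alice and erin through `%wheel`. The fix for the OPS rule is to grant the task rather than the editor, for example `sudoedit` of the specific file, or to add `NOEXEC:` as frank's rule does, and then to compare `privileged_users()` against the list of authorised administrators the control requires you to keep.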

A.8.19 Installation of software on operational systems

The objective of this control is to control the installation of software on operational systems, so that production systems are not compromised by unapproved, outdated or tampered software.

One way to implement this is a process in which all new software must be approved by the information security officer before purchase, followed by a formal process after purchase to confirm that the software does not compromise your systems: that it comes from a trusted source, is a supported version, and has been tested before it goes live.

To best protect the production systems of your online products, install only your own software and the dependencies it needs (dependencies will be covered in a future post), from a defined and versioned manifest. Cloud services help here: they provision only the services and applications you request, and each new deployment instantiates a fresh environment, so software cannot accumulate on a host unnoticed over time.
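To make "only approved software on operational systems" something you can verify rather than assert, here is an added example (not code from the original post or from DQS) that treats the approved list as a manifest pinned by version and SHA-256 hash, compares a host's installed-package inventory against it, and checks an artifact's hash before installation. The manifest, the artifact bytes and the `pip freeze`-style inventory are all constructed for the example; in a real deployment the manifest lives in version control next to the deployment definition and the inventory comes from the running host or image.

```python
import hashlib
import re

# Constructed stand-ins for the release artifacts (in reality the wheel/deb/container layer files)
SAMPLE_ARTIFACTS = {
    "requests": b"constructed stand-in for requests-2.31.0 artifact bytes",
    "flask": b"constructed stand-in for flask-3.0.0 artifact bytes",
    "gunicorn": b"constructed stand-in for gunicorn-21.2.0 artifact bytes",
}

# The approved manifest: what was signed off, pinned by version and artifact hash.
APPROVED = {
    name: {"version": version, "sha256": hashlib.sha256(SAMPLE_ARTIFACTS[name]).hexdigest()}
    for name, version in (("requests", "2.31.0"), ("flask", "3.0.0"), ("gunicorn", "21.2.0"))
}

# Constructed inventory taken from a running host, in `pip freeze` format
SAMPLE_INVENTORY = """\
# generated on prod-web-03
requests==2.31.0
Flask==2.3.0
debugpy==1.8.0
"""


def normalise(name):
    """PEP 503 name normalisation so Flask / flask / flask_xyz compare consistently."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_inventory(text):
    installed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        installed[normalise(name)] = version.strip()
    return installed


def check_inventory(inventory_text, approved):
    """Drift report: what is installed but not approved, approved but absent, or at the wrong version."""
    installed = parse_inventory(inventory_text)
    approved = {normalise(k): v for k, v in approved.items()}
    unapproved = sorted(n for n in installed if n not in approved)
    missing = sorted(n for n in approved if n not in installed)
    mismatch = sorted((n, installed[n], approved[n]["version"]) for n in installed
                      if n in approved and installed[n] != approved[n]["version"])
    return {"unapproved": unapproved, "missing": missing, "version_mismatch": mismatch}


def verify_artifact(name, data, approved):
    """Hash check before installation; fails closed if the package is not in the manifest at all."""
    entry = approved.get(normalise(name))
    if entry is None:
        return False
    return hashlib.sha256(data).hexdigest() == entry["sha256"]


def requirements_with_hashes(approved):
    """Render pip's hash-checking format for `pip install --require-hashes -r requirements.txt`:
    pip then refuses any artifact whose hash differs and will not pull in a dependency that is
    not itself listed with a hash."""
    return "\n".join("%s==%s --hash=sha256:%s" % (n, e["version"], e["sha256"])
                     for n, e in sorted(approved.items()))


if __name__ == "__main__":
    report = check_inventory(SAMPLE_INVENTORY, APPROVED)
    for key, items in report.items():
        print("%-16s %s" % (key + ":", items or "-"))
    tampered = SAMPLE_ARTIFACTS["requests"] + b"\x00"
    print("requests artifact ok:", verify_artifact("requests", SAMPLE_ARTIFACTS["requests"], APPROVED))
    print("tampered artifact ok:", verify_artifact("requests", tampered, APPROVED))
    print(requirements_with_hashes(APPROVED))
```

On the sample the report shows `debugpy` installed without approval, `gunicorn` approved but missing, and Flask at 2.3.0 where 3.0.0 was approved; each is a deviation to raise with whoever owns the change process. Running the same check against a freshly built image and against a long-running host is a cheap way to see the "software accumulates on hosts" problem that redeploying into a fresh environment avoids.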

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
