Control attributes: Technological | Preventive | Protect

A.8.18 Use of Privileged Utility Programs

M365 Admin Path: Microsoft Entra admin center > Identity governance > Privileged Identity Management; Azure Portal > Privileged access groups

Evidence Source: Microsoft Graph - PIM Audit, Purview

What is this control?

ISO 27001 control A.8.18 Use of Privileged Utility Programs restricts and tightly controls the use of utility programs capable of overriding system and application controls. The control implements the principle of least privilege through just-in-time elevation, time-limited access, and comprehensive audit logging. It prevents unauthorised access, privilege escalation, and security control bypass while ensuring complete accountability for administrative actions.

How to implement in Microsoft 365

Implement A.8.18 by deploying Microsoft Intune Endpoint Privilege Management (EPM) or Account Protection profiles to remove standard users from the local Administrators group. Enable Windows Local Administrator Password Solution (LAPS) with passwords escrowed in Entra ID for emergency break-glass access. Implement Microsoft Entra Privileged Identity Management (PIM) for all privileged directory roles using eligible rather than permanent assignments.

Configure PIM activation requirements including MFA, business justification, approval workflows for high-privilege roles, and a maximum activation duration of 8 hours. Restrict permanent privileged assignments to at most 2 break-glass accounts. Enable the Microsoft Purview Unified Audit Log to capture all administrative operations.

What an auditor looks for

Auditors will verify that EPM, LAPS, or Account Protection profiles are deployed and remove local admin rights from standard users. They will check that PIM eligibility schedules show all privileged roles using eligible rather than permanent assignments. Auditors will verify that PIM activation history demonstrates MFA, business justification, and approval workflows are enforced.

They will check that permanent privileged assignments are limited to 2 or fewer documented break-glass accounts. Auditors will verify that the Purview Unified Audit Log is enabled and capturing administrative events, with queryable sample records available.
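One way to turn the implementation targets and the auditor checks above into a repeatable test, as an added example that is not part of the original page: a Python script that evaluates an export of PIM role assignment schedule instances against the expectations stated here (permanent assignments only for documented break-glass accounts and at most two of them, activations no longer than 8 hours). The record shape and field names are assumed from the Microsoft Graph `roleManagement/directory/roleAssignmentScheduleInstances` resource, and every record, principal id and role id below is constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export. Record shape and field names are assumed from the
# Microsoft Graph roleManagement/directory/roleAssignmentScheduleInstances
# resource; every value below is made up for this example.
SAMPLE_EXPORT = json.loads("""[
 {"principalId": "bg-01",   "roleDefinitionId": "global-admin",   "assignmentType": "Assigned",
  "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": null},
 {"principalId": "bg-02",   "roleDefinitionId": "global-admin",   "assignmentType": "Assigned",
  "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": null},
 {"principalId": "user-17", "roleDefinitionId": "exchange-admin", "assignmentType": "Assigned",
  "startDateTime": "2024-03-04T09:00:00Z", "endDateTime": null},
 {"principalId": "user-42", "roleDefinitionId": "global-admin",   "assignmentType": "Activated",
  "startDateTime": "2024-05-06T08:00:00Z", "endDateTime": "2024-05-06T20:00:00Z"},
 {"principalId": "user-43", "roleDefinitionId": "security-admin", "assignmentType": "Activated",
  "startDateTime": "2024-05-06T08:00:00Z", "endDateTime": "2024-05-06T12:00:00Z"}
]""")

BREAK_GLASS = {"bg-01", "bg-02"}      # documented emergency accounts (constructed ids)
MAX_PERMANENT = 2                     # at most 2 permanent privileged assignments
MAX_ACTIVATION = timedelta(hours=8)   # PIM activation ceiling from the control text


def _ts(value):
    # Graph returns UTC timestamps with a trailing "Z"; fromisoformat needs an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate(records, break_glass=BREAK_GLASS, max_permanent=MAX_PERMANENT,
             max_activation=MAX_ACTIVATION):
    """Return findings for the A.8.18 expectations on a PIM export.
    Permanent = assignmentType "Assigned" with no endDateTime;
    Activated = assignmentType "Activated", window must not exceed max_activation."""
    findings = {"permanent_count": 0, "permanent_not_break_glass": [],
                "activation_over_limit": []}
    for r in records:
        who = (r["principalId"], r["roleDefinitionId"])
        if r["assignmentType"] == "Assigned" and r["endDateTime"] is None:
            findings["permanent_count"] += 1
            if r["principalId"] not in break_glass:
                findings["permanent_not_break_glass"].append(who)
        elif r["assignmentType"] == "Activated":
            end = r["endDateTime"]
            if end is None or _ts(end) - _ts(r["startDateTime"]) > max_activation:
                findings["activation_over_limit"].append(who)
    findings["too_many_permanent"] = findings["permanent_count"] > max_permanent
    findings["compliant"] = not (findings["too_many_permanent"] or
                                 findings["permanent_not_break_glass"] or findings["activation_over_limit"])
    return findings
```

Run `evaluate()` over the real export pulled from Graph and keep the findings with the export as auditor evidence; on the constructed sample it flags one non-break-glass permanent assignment, three permanent assignments in total, and one 12-hour activation.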