Control attributes: Technological | Preventive | Protect

A.8.19 Installation of Software on Operational Systems

M365 Admin Path: Microsoft Intune admin center > Apps > All apps; Microsoft Entra admin center > Applications > Enterprise applications

Evidence Source: Microsoft Graph - Intune Apps, OAuth Apps

What is this control?

ISO 27001 control A.8.19, Installation of Software on Operational Systems, manages and controls software installation on operational systems to prevent security vulnerabilities and unauthorised changes. The control ensures software installation is managed on a deny-by-default, approved-list basis, where users are technically prevented from installing software themselves. Microsoft Intune serves as the central Unified Endpoint Management solution for software distribution and control.

How to implement in Microsoft 365

Implement A.8.19 by removing local administrator rights from standard users (enforced via the A.8.1 controls) so they cannot install software themselves. Deploy the Microsoft Intune Company Portal with approved, vetted applications for self-service distribution. Enable Windows Defender Application Control (WDAC) policies on Windows devices to restrict execution to approved applications.

Enforce macOS Gatekeeper on all macOS devices via Intune configuration profiles that restrict installation to the App Store and identified developers, per CIS benchmark 2.6.5. Block user OAuth consent for third-party applications so that admin consent is required. Enable the admin consent workflow so users can request access to new applications.

What an auditor looks for

Auditors will verify that the Intune Company Portal is deployed with managed applications distributed across platforms. They will check that macOS Gatekeeper is enabled via configuration profiles aligned with CIS benchmarks. Auditors will verify that OAuth consent settings show user consent is blocked or restricted to verified, low-risk apps only.

They will check that the Microsoft Defender for Endpoint threat and vulnerability management (TVM) inventory is active and collecting software data across managed endpoints. Auditors will verify that Microsoft Defender for Cloud Apps monitoring is active with Cloud Discovery streams configured.
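The implementation steps above and the auditor checks that follow them can both be evidenced from the Microsoft Graph sources named at the top of this page. The script below is an added example, not part of the original page and not Microsoft's own tooling; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication) is installed and that the signed-in account can be granted the read-only scopes it requests. It reads the tenant's user consent policy, the admin consent request policy, the Intune app catalogue, and macOS device configuration profiles, and records a PASS/FAIL finding for each A.8.19 expectation. The gatekeeperAllowedAppSource property is read from the beta endpoint and is an assumption to verify against the current Graph reference; the CSV file name is a constructed placeholder.

```powershell
# Added A.8.19 evidence-collection script (example only; not from the source page or Microsoft).
# Read-only scopes: no tenant settings are changed.
Connect-MgGraph -Scopes "Policy.Read.All","DeviceManagementApps.Read.All","DeviceManagementConfiguration.Read.All" -NoWelcome

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{
        Check  = $Check
        Result = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    })
}

# 1. User OAuth consent. permissionGrantPoliciesAssigned semantics:
#    empty list                                              -> users cannot consent to any app
#    ManagePermissionGrantsForSelf.microsoft-user-default-low    -> verified publishers, low-risk permissions only
#    ManagePermissionGrantsForSelf.microsoft-user-default-legacy -> users may consent to any app (fails A.8.19)
$authz = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"
$grantPolicies = @($authz.defaultUserRolePermissions.permissionGrantPoliciesAssigned)
$consentOk = ($grantPolicies.Count -eq 0) -or
             ($grantPolicies -notcontains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy')
Add-Finding -Check 'User OAuth consent blocked or low-risk only' -Pass $consentOk `
    -Detail ($(if ($grantPolicies.Count) { $grantPolicies -join ', ' } else { '(none assigned: consent disabled)' }))

# 2. Admin consent workflow, so users request apps instead of consenting themselves.
$acr = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy"
Add-Finding -Check 'Admin consent request workflow enabled' -Pass ([bool]$acr.isEnabled) `
    -Detail "reviewers configured: $(@($acr.reviewers).Count)"

# 3. Intune-managed (approved) applications exist for Company Portal distribution.
$apps = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps?`$top=999"
$appList = @($apps.value)
$sample  = ($appList | Select-Object -First 3 | ForEach-Object { $_.displayName }) -join '; '
Add-Finding -Check 'Intune managed app catalogue populated' -Pass ($appList.Count -gt 0) `
    -Detail ("{0} apps, e.g. {1}" -f $appList.Count, $sample)

# 4. macOS Gatekeeper restricted through an Intune macOS general device configuration profile.
#    ASSUMPTION: gatekeeperAllowedAppSource is exposed on the beta endpoint; check the current Graph reference.
$cfgs = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"
$macCfgs = @($cfgs.value | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.macOSGeneralDeviceConfiguration' })
$restricted = @($macCfgs | Where-Object {
    $_.gatekeeperAllowedAppSource -in 'macAppStore','macAppStoreAndIdentifiedDevelopers' })
Add-Finding -Check 'macOS Gatekeeper limited to App Store / identified developers' -Pass ($restricted.Count -gt 0) `
    -Detail (($macCfgs | ForEach-Object { "$($_.displayName)=$($_.gatekeeperAllowedAppSource)" }) -join '; ')

# Show the findings and keep a dated copy as audit evidence (file name is a placeholder).
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path ".\A8-19-evidence-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it from an account that can consent to the listed scopes; the Gatekeeper check reports FAIL both when no macOS profile exists and when a profile allows apps from anywhere, which matches the CIS 2.6.5 expectation the implementation section cites. A FAIL on the consent check means the legacy "users can consent to all apps" policy is still assigned, which is the setting an auditor will flag.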