AuditFront

ISO 27001 A.8.18: Use of privileged utility programs

What This Control Requires

The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

In Plain Language

Disk editors, debuggers, network sniffers, registry editors - these tools can bypass every security control you have in place. A disk editor reads data without caring about file permissions. Wireshark captures credentials in transit. A debugger can pull secrets from running processes. The problem is that these same tools are essential for system administration and troubleshooting. You cannot simply ban them. What you can do is tightly control who has access to them, log every time they are used, and remove them from machines where they have no business being. Auditors will check whether privileged utilities are freely available to all users or properly restricted. They will also look for evidence that usage is monitored and that unnecessary tools have been cleaned off production systems.

How to Implement

Start by inventorying every privileged utility in your environment. Think operating system tools (PowerShell, bash with sudo, registry editors, disk management), network tools (Wireshark, nmap, tcpdump), security and forensic tools, database utilities with direct SQL access, and development tools like debuggers and decompilers.

Lock down access based on role and genuine need. Strip unnecessary utilities from standard workstations and servers. Use application whitelisting to block unauthorised execution of system utilities. Put PowerShell into constrained language mode for standard users and reserve full access for admins. Configure endpoint protection to flag hacking or penetration testing tools.

Turn on logging for all privileged utility usage. Enable command-line audit logging on servers and workstations. Switch on PowerShell script block logging and transcription. Log all sudo usage on Linux systems. Watch for unusual patterns - use outside normal hours or by unexpected accounts.

Write a clear policy that spells out which utilities are approved, who can use them, under what circumstances, and what logging applies. Security and penetration testing tools should only be installed with explicit authorisation and a defined purpose.

For utilities that must stay on systems, add compensating controls. Use just-in-time access for admin tools. Set application control rules that only allow execution from approved paths by approved users. Alert on anything that looks like credential dumping or network reconnaissance.

Review the utility inventory regularly. Remove anything no longer needed and update your access controls as the landscape changes.
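The "log sudo usage and watch for unusual patterns" step above, as an added example that is not AuditFront's own code: a small Python review of syslog-style sudo entries that flags use by accounts outside an approved admin list, use outside business hours, and invocation of watched privileged utilities. The log lines, the admin list, the utility list and the business-hours window are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the classic syslog sudo format (not from a real system).
SAMPLE_LOG = """\
Jan 14 09:12:07 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 14 02:31:44 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/tcpdump -i eth0 -w /tmp/cap.pcap
Jan 14 11:05:19 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/gdb -p 4242
Jan 14 14:40:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

SUDO_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hh>\d{2}):(?P<mm>\d{2}):\d{2} "
    r"(?P<host>\S+) sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$"
)

# Policy inputs: hypothetical values chosen for this example, adjust to your own policy.
APPROVED_ADMINS = {"alice", "carol"}
WATCHED_UTILITIES = {"tcpdump", "wireshark", "tshark", "gdb", "strace", "nmap", "dd"}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 counts as normal working hours

@dataclass
class Finding:
    user: str
    command: str
    reasons: list

def review_sudo_log(text):
    """Return one Finding per sudo entry that breaks at least one rule."""
    findings = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue  # not a sudo command record; skip
        user, cmd = m["user"], m["cmd"].strip()
        utility = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the executed program
        reasons = []
        if user not in APPROVED_ADMINS:
            reasons.append("account not on approved admin list")
        if int(m["hh"]) not in BUSINESS_HOURS:
            reasons.append("use outside business hours")
        if utility in WATCHED_UTILITIES:
            reasons.append(f"privileged utility '{utility}' requires documented authorisation")
        if reasons:
            findings.append(Finding(user, cmd, reasons))
    return findings

if __name__ == "__main__":
    for f in review_sudo_log(SAMPLE_LOG):
        print(f"{f.user}: {f.command}\n    - " + "\n    - ".join(f.reasons))
```

On the constructed sample, the off-hours tcpdump run by an unapproved account and the gdb attach by an approved admin are reported; routine package and service management by an approved admin during the day is not.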

Evidence Your Auditor Will Request

  • Inventory of privileged utility programs available in the environment
  • Access control configuration restricting utility access to authorized personnel
  • Logging configuration for privileged utility usage
  • Application whitelisting or control policies for utility programs
  • Policy documentation defining authorized utility usage and conditions

Common Mistakes

  • Privileged utilities are available to all users without restriction
  • Usage of system utilities is not logged or monitored
  • Penetration testing or hacking tools are left on systems after use
  • PowerShell execution is not restricted or logged on standard workstations
  • No inventory of privileged utilities across the environment

Related Controls Across Frameworks

Framework   Control ID   Relationship
SOC 2       CC6.1        Partial overlap
SOC 2       CC6.6        Partial overlap

Frequently Asked Questions

Should we remove PowerShell from all workstations?

Removing PowerShell entirely is usually impractical since it handles so many legitimate management tasks. The better approach is to put it into constrained language mode for standard users, require admin privileges for full access, enable script block logging and transcription, use AppLocker or WDAC to control script execution, and keep an eye on usage for anything suspicious.

How do we handle network analysis tools like Wireshark?

Only install them on machines specifically authorised for network troubleshooting or security analysis. Pull them off standard workstations and servers. Limit installation to IT security and network ops staff. Log usage and require a documented business reason each time. Any captured data should be stored securely and deleted once the job is done.
