Mapped controls: NIST SP 800-53 Rev 5 CM-7 / ISO/IEC 27001 A.8.19 / CIS Controls 2.3

Approved-tool allowlist communicated to staff

Demonstrate that an approved-tool allowlist exists, is current, and has been actively communicated to staff through documented channels with evidence of receipt and understanding.

Description

What this control does

This control ensures that the organization maintains a documented list of approved software tools, applications and utilities and actively communicates it to all relevant staff. The allowlist defines which tools employees are permitted to install and use on organizational systems; staff who know what is approved are less likely to introduce unauthorized or vulnerable software, which reduces the attack surface. Communication methods typically include policy documents, onboarding materials, intranet postings, periodic email reminders, and embedded references in technical documentation or ticketing systems. On its own this is a directive control: it tells staff what they may run, but it does not stop them from running anything else. Technical enforcement, such as application control on endpoints, is a separate mechanism, which is why the testing procedure ends by cross-checking the communicated list against the endpoint software inventory.

Control objective

What auditing this proves

Demonstrate that an approved-tool allowlist exists, is current, and has been actively communicated to staff through documented channels with evidence of receipt and understanding.

Associated risks

Risks this control addresses

  • Installation of shadow IT applications containing unpatched vulnerabilities that provide initial access vectors for threat actors
  • Use of unlicensed or pirated software introducing malware or legal compliance violations
  • Deployment of tools with excessive permissions or data exfiltration capabilities that bypass data loss prevention controls
  • Staff downloading phishing-lookalike or typosquatted versions of legitimate tools due to lack of authoritative guidance
  • Introduction of software that bundles outdated cryptographic libraries or ships with insecure defaults, weakening the overall security posture
  • Operational disruption when unapproved tools conflict with endpoint protection, causing system instability or blocking legitimate business functions
  • Lack of visibility into installed software inventory preventing accurate risk assessment and vulnerability management

Testing procedure

How an auditor verifies this control

  1. Obtain the current version of the approved-tool allowlist from IT security, IT operations, or the governance office, noting the version number and last-review date
  2. Review organizational policy documents and acceptable-use policies to confirm they reference and mandate adherence to the approved-tool allowlist
  3. Identify all communication channels used to disseminate the allowlist, including employee handbooks, intranet portals, onboarding materials, email distributions, and security awareness platforms
  4. Select a sample of 15-20 employees across different departments, roles, and tenure lengths for testing awareness and access
  5. Interview sampled employees to verify they can locate the allowlist, understand its purpose, and describe the process for requesting additions or exceptions
  6. Review access logs or distribution records for intranet pages, email campaigns, or learning management system modules containing the allowlist to confirm staff engagement
  7. Examine change-control or communication records from the past 12 months to verify that updates to the allowlist triggered notifications to affected user populations
  8. Cross-reference the communicated allowlist against endpoint detection and response (EDR) or software inventory tools to validate consistency and identify any gaps in enforcement
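Step 8 is the one part of the procedure an auditor can script. The following is an added example, not part of the audit program: it compares a constructed endpoint-inventory export (hosts, names, versions and publishers are assumptions) with a constructed allowlist that carries an optional minimum version per tool, and reports installs that are not approved, approved tools installed below the minimum version, names that closely resemble an approved tool (a possible lookalike or typosquatted download, as in the risks above), and allowlist entries seen on no endpoint, which are candidates for review when judging whether the list is current.

```python
"""Cross-check an endpoint software inventory against the approved-tool allowlist.

Added example for the audit step above; the allowlist and the inventory
export below are constructed sample data, not from any real environment.
"""
import csv
import io
import re
from difflib import SequenceMatcher

# Constructed allowlist: display name -> minimum approved version (None = any).
ALLOWLIST = {
    "7-Zip": "23.01",
    "Google Chrome": None,
    "KeePass": "2.50",
    "Notepad++": "8.5",
    "PuTTY": "0.80",
    "Visual Studio Code": None,
}

# Constructed inventory export in the shape of a typical CSV dump from an
# EDR or asset-inventory tool.
INVENTORY_CSV = """host,name,version,publisher
ws-001,7-Zip,22.01,Igor Pavlov
ws-001,Google Chrome,124.0.6367.60,Google LLC
ws-001,Notepad++,8.6.4,Notepad++ Team
ws-002,KeePass,2.56,Dominik Reichl
ws-002,Notepadd++,8.5.0,Unknown
ws-002,AnyDesk,8.0.9,AnyDesk Software GmbH
ws-003,Visual Studio Code,1.88.1,Microsoft Corporation
ws-003,KeePas,2.55,Unknown
"""

# Similarity ratio at or above which an unlisted name is reported as a
# near-miss for an approved tool (assumed threshold; tune for your data).
NEAR_MISS_RATIO = 0.85


def normalize(name):
    """Lower-case, drop parenthesised suffixes such as '(64-bit)' and keep only
    letters and digits, so 'Notepad++ (64-bit)' and 'notepad++' compare equal."""
    name = re.sub(r"\(.*?\)", "", name)
    return re.sub(r"[^a-z0-9]", "", name.lower())


def version_tuple(version):
    """'8.6.4' -> (8, 6, 4); non-numeric parts are ignored so tuples compare."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def classify(name, version, approved):
    """Return (status, detail) for one installed package.
    approved maps normalized name -> (display name, minimum version)."""
    key = normalize(name)
    if key in approved:
        display, minimum = approved[key]
        if minimum and version_tuple(version) < version_tuple(minimum):
            return "below_minimum_version", f"{display} requires >= {minimum}"
        return "approved", display
    # Not on the list: does it closely resemble an approved tool? A high
    # similarity ratio is a hint of a lookalike or typosquatted download.
    for approved_key, (display, _) in approved.items():
        if SequenceMatcher(None, key, approved_key).ratio() >= NEAR_MISS_RATIO:
            return "near_miss", f"resembles approved tool {display}"
    return "unapproved", "not on allowlist"


def check_inventory(inventory_csv, allowlist):
    """Classify every row of the inventory export.
    Returns a list of (host, name, version, status, detail) tuples."""
    approved = {normalize(n): (n, v) for n, v in allowlist.items()}
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status, detail = classify(row["name"], row["version"], approved)
        findings.append((row["host"], row["name"], row["version"], status, detail))
    return findings


def exceptions(findings):
    """Everything that is not a clean approved install."""
    return [f for f in findings if f[3] != "approved"]


def unused_allowlist_entries(inventory_csv, allowlist):
    """Approved tools installed on no sampled endpoint: review these when
    deciding whether the allowlist is still current."""
    seen = {normalize(r["name"]) for r in csv.DictReader(io.StringIO(inventory_csv))}
    return sorted(n for n in allowlist if normalize(n) not in seen)


if __name__ == "__main__":
    for host, name, version, status, detail in exceptions(check_inventory(INVENTORY_CSV, ALLOWLIST)):
        print(f"{host:<7} {name:<20} {version:<14} {status:<22} {detail}")
    print("allowlist entries not observed:",
          ", ".join(unused_allowlist_entries(INVENTORY_CSV, ALLOWLIST)))
```

A near-miss is reported only for names that are already off the list, so the flag never hides an unapproved install; it only tells the auditor which unapproved entries deserve a closer look for a lookalike download. Name normalization is deliberately loose (publisher and architecture suffixes are dropped), so tighten it if your inventory tool emits stable package identifiers.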
Evidence required

Collect a copy of the current approved-tool allowlist document with metadata showing version and approval date; screenshots or exported content from communication channels (intranet pages, emails, LMS modules); signed acknowledgment records or training completion reports from sampled employees; access logs or email delivery receipts confirming distribution; change-control tickets or communication logs documenting updates to the allowlist; and endpoint inventory reports showing installed software for comparison.

Pass criteria

The control passes if a current approved-tool allowlist exists, has been communicated through at least two documented channels within the past 12 months, and sampled employees demonstrate awareness of the allowlist location and usage requirements with no critical gaps in distribution records.
