Control 8.19, Installation of software on operational systems, aims to ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities. Software installed in production can introduce malware, insecure configurations, untested functionality, compatibility problems, unauthorized tools, or vulnerable components. ISO/IEC 27002 therefore expects installation on operational systems to be controlled, authorized, tested, and managed. This protects live systems from unauthorized or inappropriate software that could weaken security or disrupt operations.

Control 8.15, Logging, records events and supports monitoring, investigation, accountability, and detection, but it does not primarily control software installation. Control 8.17, Clock synchronization, ensures consistent time settings across systems so logs, events, and transactions can be correlated accurately. It is important but not the control aimed at preventing exploitation through software installation weaknesses.

The exam phrase “integrity of operational systems” is directly aligned with controlling what software is installed in production. Therefore, option A is verified.

References/Chapters: ISO/IEC 27002:2022, Control 8.19 Installation of software on operational systems; Control 8.8 Management of technical vulnerabilities; Control 8.32 Change management.