NCSRC NIRMATA
APS-02 Infrastructure Security 12% of OML score

Are only trusted and approved applications used for business work?

This question asks: Do you have a clear list of which software programs your employees are allowed to use for work, and do you actually enforce it? Unapproved apps—like free file-sharing sites, unvetted communication tools, or pirated software—create security holes and legal problems that can hurt your business.

Why This Matters to Your Business

Unapproved software often carries malware, spyware, or unpatched vulnerabilities that attackers use to steal customer data, financial records, or trade secrets. A manufacturing business in Delhi lost ₹40 lakhs when employees used a cracked, backdoored copy of accounting software; it also faced GST audit penalties because the transaction logs had been tampered with and could no longer be trusted. If your business handles customer payment or identity data (card numbers, Aadhaar numbers) through unapproved apps, you risk regulatory penalties, including action from the RBI where payment data is involved, and loss of customer trust. Regulators and large customers (especially if you supply to banks or e-commerce companies) will fail your security audit if you cannot prove you control what software runs on company devices.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You find multiple versions of Microsoft Office, free antivirus from different vendors, personal mobile apps, and downloaded software with no documentation of where it came from. No one can tell you which programs are allowed or why.

Level 1
Initial

You have a rough mental list of what 'should' be installed, but there's no written list and no way to check what's actually on each computer. Employees sometimes install things on their own when they think they need them.

Level 2
Developing

You have a written list of approved software and employees know they should ask before installing anything new. Someone (often the owner or one IT person) manually checks machines occasionally, but there's no automated enforcement or central tracking.

Level 3
Defined

You maintain an updated approved software list with business justification for each tool. You use basic device management (Windows Group Policy or MDM) to block unapproved installations on company laptops, and you audit what's installed quarterly.

Level 4
Managed

All company devices are centrally managed with Mobile Device Management (MDM) or similar tools that automatically enforce the approved software list. You have a formal process for requesting new software with security review before approval. You monitor installations in real time and generate monthly compliance reports.

Level 5
Optimised

Your approved software list is integrated into your risk management system and reviewed quarterly with input from your security team, finance, and legal departments. Automated tools scan for unapproved software, license compliance violations, and known vulnerabilities continuously. You have a documented exception process for temporary tools with time-based approval and automatic removal.

How to Move Up — Practical Steps

Step 0 → 1
What to do: Create a simple spreadsheet listing all software currently installed on business computers (Microsoft Office version, antivirus name, accounting software, browsers, etc.). Add a column for 'Business Use' and 'Approved Y/N'.
Who: IT person or owner
Effort: 2-3 days

Step 1 → 2
What to do: Formalise the list into an 'Approved Software Policy' document. Include why each tool is approved (e.g., 'Microsoft Office for invoicing', 'Google Chrome for browsing'). Get owner/manager sign-off. Print or email it to all staff with a rule that new installations need approval from IT/owner.
Who: IT person or owner
Effort: 1 week

Step 2 → 3
What to do: On Windows computers, use Group Policy with AppLocker or Windows Defender Application Control to allow only approved programs to run, starting in audit-only mode so that nothing breaks before you switch to blocking (check that your Windows edition enforces the rule type you choose); or enrol devices in a basic MDM such as Relion. Train the IT person on this. Run a quarterly inventory check with built-in tools (winget list, or a PowerShell script that reads the 'Programs and Features' registry keys) or with a self-hosted inventory tool such as Open-AudIT.
Who: IT person
Effort: 2-3 weeks

Step 3 → 4
What to do: Deploy a proper Mobile Device Management (MDM) solution like Microsoft Intune, Relion, or Zoho MDM across all devices. Configure it to enforce the approved software list automatically and to report what is installed. Set up monthly compliance dashboard reports showing what is installed on each device.
Who: IT person or external consultant
Effort: 4-6 weeks

Step 4 → 5
What to do: Integrate the software approval process into your Information Security governance structure. Conduct a quarterly review of the approved software list with a security risk assessment. Implement continuous automated scanning for unapproved and vulnerable applications. Document and monitor all exceptions with automatic expiry dates.
Who: IT person + Information Security team lead or external security consultant
Effort: Ongoing (2-4 hours per month)
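The inventory check that steps 0 → 1 and 2 → 3 describe, and the on-the-spot demonstration an auditor may ask for, can be done on any Windows machine without buying a tool. The script below is an added example for this guide; it is not part of the NIRMATA framework or of any product named on this page. It reads the registry keys behind 'Programs and Features', compares each entry against an approved list, writes a dated CSV as evidence, and prints the exceptions. The approved list embedded here is a constructed sample, and the evidence folder name is hypothetical; in practice load the signed, version-controlled list with Import-Csv.

```powershell
# Quarterly inventory check: list what is installed on this Windows machine and flag anything that
# is not on the approved-software list. Added example for this guide, not from the NIRMATA framework
# or from any tool it names. The approved list below is a constructed sample.

$ReportDir = 'C:\NIRMATA-Evidence'   # hypothetical folder where audit evidence is kept
$Approved = @(
  # DisplayName and Publisher may be wildcard patterns; they are matched against the strings that
  # 'Programs and Features' shows. Constructed sample entries:
  [pscustomobject]@{ DisplayName = 'Microsoft 365 Apps*'; Publisher = 'Microsoft Corporation' }
  [pscustomobject]@{ DisplayName = 'Microsoft Edge*';     Publisher = 'Microsoft Corporation' }
  [pscustomobject]@{ DisplayName = 'Google Chrome';       Publisher = 'Google LLC' }
  [pscustomobject]@{ DisplayName = 'Tally*';              Publisher = 'Tally Solutions*' }
)

# These are the keys 'Programs and Features' reads. Querying them is faster and safer than
# Win32_Product, which enumerates MSI packages by triggering a consistency check on each one.
$UninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs, no admin needed
)

function Get-InstalledSoftware {
  Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
      @{ Name = 'Scope'; Expression = { if ($_.PSPath -match 'HKEY_CURRENT_USER') { 'User' } else { 'Machine' } } } |
    Sort-Object DisplayName, DisplayVersion -Unique
}

function Test-Approved {
  param([Parameter(Mandatory)]$App)
  foreach ($Entry in $Approved) {
    if ($App.DisplayName -like $Entry.DisplayName -and $App.Publisher -like $Entry.Publisher) {
      return $true
    }
  }
  return $false
}

$Inventory = Get-InstalledSoftware |
  Select-Object *, @{ Name = 'Approved'; Expression = { Test-Approved $_ } }

# Evidence file named after the machine and the date, then the exceptions on screen.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$ReportPath = Join-Path $ReportDir ('inventory-{0}-{1}.csv' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyy-MM-dd'))
$Inventory | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

$Unapproved = @($Inventory | Where-Object { -not $_.Approved })
Write-Host ('{0}: {1} applications installed, {2} not on the approved list. Report: {3}' -f
  $env:COMPUTERNAME, @($Inventory).Count, $Unapproved.Count, $ReportPath)
$Unapproved | Format-Table DisplayName, DisplayVersion, Publisher, Scope -AutoSize
```

Two caveats a practitioner should keep in mind. The HKCU key only covers the user running the script, so per-user installs (Chrome, Teams and Zoom can install this way) are only seen when the script runs in each user's session, which is also why user-writable folders need the execution control described in the next steps. And the Publisher string is written by the installer itself, so a cracked copy can claim any vendor name; this report proves what is present, while only a signature- or hash-based control proves that what runs is genuine. Across a fleet, run the same script with Invoke-Command against each machine name and collect the CSV files into one folder for the quarterly audit.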
Evidence You Should Have

Documents and records that prove your maturity level.

  • Approved Software List document signed by owner/manager with date and version control (e.g., 'v2.1 - Jan 2025')
  • Device inventory report showing all computers/laptops with list of installed applications on each (generated from Windows, MDM tool, or manual audit)
  • Software request and approval form (template and at least 3 examples of approved/denied requests with dates and approver name)
  • Policy document titled 'Acceptable Software Policy' or 'Approved Applications Policy' distributed to employees with signed acknowledgment from at least 3 staff members
  • Audit/compliance report from the last 3 months showing which devices were scanned, what unapproved software was found (if any), and remediation actions taken
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me your list of approved software? How is it communicated to employees and how often is it updated?"
  • "If I pick a random computer in your office, how would you prove that only approved software is installed on it? Can you demonstrate this for me right now?"
  • "What happens when an employee wants to install new software—like a design tool or accounting plugin? Walk me through the process."
  • "Do you have any machines using pirated software, cracked versions, or unlicensed copies? How do you ensure compliance with software licenses?"
  • "Show me evidence that you audit installed software at least quarterly. What did you find in your last audit, and what did you do about unapproved applications?"
Tools That Work in India

Purpose: Track and inventory all software installed on company computers
Free option: Windows built-in tools ('Programs and Features', winget list, or a PowerShell script over the uninstall registry keys), Open-AudIT (self-hosted, open source)
Paid option: SolarWinds N-able (₹15,000-25,000/year for small business), Lansweeper (₹20,000-40,000/year)

Purpose: Enforce the approved software list and block unapproved installations automatically
Free option: Windows Group Policy with AppLocker or Windows Defender Application Control (built-in; Group Policy editing needs Windows Pro or above, and whether AppLocker rules are enforced depends on the edition), Relion (free tier for up to 50 devices)
Paid option: Microsoft Intune (₹5,000-12,000 per device per year), Jamf Pro for Mac (₹10,000-20,000/year), Zoho MDM (₹15,000-30,000/year)

Purpose: Monitor and prevent unauthorised software installation in real time
Free option: OSSEC (open source, needs technical setup), Wazuh (open-source endpoint detection; its agent also inventories installed packages)
Paid option: CrowdStrike Falcon (₹50,000+/year), Kaspersky Endpoint Security (₹8,000-15,000/year), Sophos Intercept X (₹12,000-20,000/year)

Purpose: Create and manage approved software list documents and policies
Free option: Google Docs, LibreOffice Writer, Notion (free tier)
Paid option: Microsoft Word/SharePoint (included in Microsoft 365), Confluence (₹10,000+/year)
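The free enforcement option above, AppLocker through Group Policy, is easy to get wrong: switch it straight to blocking and staff lose the tools they need, which is exactly the pitfall that drives people to unapproved workarounds. The script below is an added example for this guide, not part of the NIRMATA framework or of any vendor product named here. It starts AppLocker in audit-only mode with a safe baseline, adds publisher rules for installed approved applications, dry-runs a downloaded file against the effective policy, and pulls the "would have been blocked" events that become your audit evidence. It assumes an elevated PowerShell session on a Windows edition that enforces AppLocker; the two application folders and the sample download path are hypothetical.

```powershell
# Enforce the approved list with AppLocker, starting in audit-only mode. Added example for this
# guide; it is not part of the NIRMATA framework or of any MDM product named on this page.
# Assumptions: run as Administrator on a Windows edition that enforces AppLocker, and the approved
# application folders below are hypothetical stand-ins for apps on your approved list.

$ApprovedAppFolders = @(
  "$env:ProgramFiles\Mozilla Firefox"       # hypothetical approved app, already installed
  "${env:ProgramFiles(x86)}\Tally.ERP9"    # hypothetical approved app, already installed
)

# 1. AppLocker only works while the Application Identity service runs. Its start type is protected
#    on current Windows builds, so Set-Service is refused; sc.exe still works.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc -ErrorAction SilentlyContinue

# 2. Baseline in AuditOnly mode. The first two rules let Everyone (SID S-1-1-0) run what is in
#    Program Files and the Windows folder; without them Windows itself would be flagged.
#    Local Administrators (S-1-5-32-544) may run anything. Each rule Id must be a unique GUID.
function New-PathRuleXml {
  param([string]$Name, [string]$Path, [string]$Sid)
  $Id = [guid]::NewGuid()
  return "    <FilePathRule Id=`"$Id`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"Allow`">" +
         "<Conditions><FilePathCondition Path=`"$Path`" /></Conditions></FilePathRule>"
}

$BaselineXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRuleXml 'Allow Program Files' '%PROGRAMFILES%\*' 'S-1-1-0')
$(New-PathRuleXml 'Allow Windows folder' '%WINDIR%\*' 'S-1-1-0')
$(New-PathRuleXml 'Administrators may run anything' '*' 'S-1-5-32-544')
  </RuleCollection>
</AppLockerPolicy>
"@
$BaselinePath = Join-Path $env:TEMP 'applocker-baseline.xml'
Set-Content -Path $BaselinePath -Value $BaselineXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $BaselinePath

# 3. Publisher rules for the approved apps. A publisher rule matches the vendor's code-signing
#    certificate, so a renamed or cracked binary copied from elsewhere does not satisfy it; a hash
#    rule is generated for any executable that is unsigned.
$Files = $ApprovedAppFolders | Where-Object { Test-Path $_ } |
  ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe }
if ($Files) {
  $AppPolicy = New-AppLockerPolicy -FileInformation $Files -RuleType Publisher, Hash -User Everyone -Optimize
  $AppPolicy.RuleCollections | ForEach-Object { $_.EnforcementMode = 'AuditOnly' }
  Set-AppLockerPolicy -PolicyObject $AppPolicy -Merge
}

# 4. Dry-run a downloaded installer against the effective policy before switching to Enforced.
$Sample = Join-Path $env:USERPROFILE 'Downloads\setup.exe'   # hypothetical file to evaluate
$EffectivePath = Join-Path $env:TEMP 'applocker-effective.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $EffectivePath -Encoding UTF8
if (Test-Path $Sample) {
  Test-AppLockerPolicy -XmlPolicy $EffectivePath -Path $Sample -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 5. Audit-mode evidence: event 8003 means "ran, but would have been blocked". Review these for a
#    few weeks, add genuinely needed apps to the list and the rules, then set EnforcementMode="Enabled".
Get-WinEvent -FilterHashtable @{
  LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, @{ Name = 'File'; Expression = { ($_.Message -split "`n")[0] } } |
  Format-Table -AutoSize
```

This covers only the Exe rule collection; repeat the same pattern for the Msi and Script collections, or users will still be able to run unapproved installers and scripts. The same XML can be pushed by Group Policy to every domain machine or by an MDM that supports AppLocker policies, so the per-machine work here is a pilot, not the final deployment. The 8003 event list, exported each quarter, is the "unapproved software found and remediated" record that the Evidence section above asks for; once the policy is Enabled, event 8004 records actual blocks.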
How This Makes You More Resilient
When you control which software runs on company machines, you dramatically reduce the attack surface available to hackers—unapproved tools and malware can't establish footholds in your network. Your business avoids costly incidents like ransomware infections, data theft, and unexpected downtime from compromised systems. You also stay compliant with customer and regulatory audits, protecting your reputation and ability to bid for new contracts that require security certification.
Common Pitfalls in India
  • Installing pirated software or cracked versions to 'save money'—this is illegal under Copyright Act 1957, invites malware, and creates audit liability. Large customers often require license compliance audits as part of vendor agreements.
  • Allowing employees to use personal apps (free photo editors, personal cloud storage, chat apps) for business work—these have weak security, weak privacy controls, and no company oversight of where data goes. A finance employee sharing invoices via personal WhatsApp instead of approved secure mail created a compliance nightmare.
  • Not updating the approved list when employees leave or roles change—this results in orphaned, outdated software that becomes a security risk and license compliance issue. Former employees' tools sometimes remain with elevated permissions.
  • Assuming 'free software from the internet' is safe—many free tools are built to collect data, bundle adware, or ship with known vulnerabilities. Stick to major vendors (Microsoft, Adobe, Google, etc.) or industry-standard tools with an established reputation, downloaded from the vendor's own site rather than from a download aggregator.
  • Treating software approval as IT person's job only, without business owner involvement—this leads to business tools being blocked (slowing work) or unauthorized tools being used because the approval process is too slow or rigid.
Compliance References

Standard: DPDP Act 2023
Relevant section: Section 8(4) (technical and organisational measures to ensure observance of the Act), Section 8(5) (reasonable security safeguards to prevent personal data breach)

Standard: CERT-In Cyber Security Directions 2022 and CERT-In security-practice guidelines
Relevant section: Software and security-update management; use of only licensed software (unlicensed and pirated software prohibited)

Standard: ISO 27001:2022
Relevant section: Annex A, Control A.5.9 (Inventory of information and other associated assets), Control A.5.10 (Acceptable use of information and other associated assets), Control A.8.1 (User endpoint devices), Control A.8.7 (Protection against malware), Control A.8.19 (Installation of software on operational systems)

Standard: NIST CSF 2.0
Relevant section: Identify (ID): ID.AM-02 (Inventories of software, services and systems are maintained); Protect (PR): PR.PS-02 (Software is maintained, replaced and removed commensurate with risk), PR.PS-05 (Installation and execution of unauthorised software are prevented)


Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security

trustinbharat.org