The correct answer is Option B, which aligns with ISO/IEC 27001:2022 Annex A control A.8.18 – Use of privileged utility programs.
Privileged utility programs (e.g., system debuggers, database maintenance tools, and administrative utilities) can bypass standard application and system controls. If misused, they can modify configurations, access sensitive data, or disable security mechanisms, creating significant risk to confidentiality, integrity, and availability.
Annex A control A.8.18 requires that:
“The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.”
The purpose of this control is neither software compatibility (Option A) nor log correlation (Option C), but to prevent circumvention of, or damage to, established security controls. Restriction and tight control ensure that only authorized personnel can use such utilities; that usage is justified, approved, monitored, and logged; and that the risk of abuse or error is minimized.
This control supports defense-in-depth by ensuring that even powerful tools are governed by authorization, segregation of duties, and monitoring—key principles in ISO/IEC 27001:2022.