
Approved Software List

Document
Updated: 2026-02-25

An approved software list (often referred to as an application allowlist, historically a "whitelist") is a foundational compliance document that catalogues every application, operating system, and tool authorized for use within the organization's IT environment. It matters for compliance because it establishes a clear, defensible baseline of acceptable technology, which in turn limits shadow IT, malware introduced through unvetted installers, and unlicensed software. The document typically records the software name, the approved version range, vendor details, business justification, internal owner, and the classification of data the tool is permitted to process. Auditors review this artifact by comparing it against actual system inventories, endpoint management deployment logs, and vulnerability scan results. That comparison lets them verify that only explicitly authorized software is deployed across the infrastructure and that unauthorized installations are detected, blocked, or removed promptly according to policy. The comparison is only as reliable as the inventory feeding it, so the inventory source should cover every managed endpoint and be generated by the system rather than self-reported.

Sample Approved Software Register Entry

An example of the data points tracked for a single application within an Approved Software List.

Application Name: CRM Platform
Vendor: CloudTech Solutions
Approved Version: v12.x and above
Business Owner: Sales Owner
Data Classification: Confidential / Customer Data
Approval Date: 2023-11-15
Status: Approved for general deployment
Notes: Enforces SSO via corporate identity provider.

An approved software list catalogues all applications explicitly authorized for use within the organization. It is required for compliance because it gives enforcement controls a defined baseline: software outside the list can be blocked before it is installed, and everything that remains has been vetted against baseline security and privacy requirements.

Begin by conducting a comprehensive audit of currently installed applications. Review each tool for business necessity, security posture, and licensing, then formally document the authorized applications, accepted versions, and approved use cases in a centralized register.

Essential fields include the software name, the approved version range, vendor name, internal business owner, justification for use, the classification of data it is permitted to process, and the formal approval date. Version ranges should have a defined lower bound (versions with known vulnerabilities fall below it) and, where practical, an upper bound, because an open-ended "and above" entry means a future major release reaches production without anyone having re-assessed it.

The list should be reviewed at least annually, or whenever significant changes occur in the organizational environment, such as the adoption of new business processes, major infrastructure updates, the deprecation of legacy tools, or a vendor ending support for an approved version.

Enforcement is typically achieved through endpoint management solutions, application control policies, and removing local administrator rights, so that only software matching the approved baseline can execute on corporate devices. Application control rules should key on the publisher's code-signing certificate or the file hash rather than on the install path; a path-based rule is defeated by copying an arbitrary binary into an approved directory.

A software inventory is a dynamic, technical record of all applications currently installed across the environment, whereas an approved software list is a governance document dictating what applications are formally permitted to be installed.

Cloud-based applications and browser extensions belong on the list as well. They process organizational data and introduce third-party risk, so they must be vetted, approved, and documented just like traditional locally installed desktop or server software.

Exceptions should be managed through a formal request process where the software is evaluated for risk. If approved, it is granted a temporary authorization with a strict expiration date and documented in a dedicated exception register. Tools like WatchDog Security's Risk Register can capture the exception rationale, risk scoring, and time-bound treatment plan, creating an auditable trail for approvals and renewals.

The list acts as a central repository that maps approved applications to their corresponding vendor risk assessments and licensing agreements, ensuring the organization remains compliant with commercial terms and third-party security requirements. WatchDog Security's Vendor Risk Management can link each approved application to a vendor profile with risk-tiering by data exposure and store supporting evidence (such as SOC 2 reports or DPAs) for faster reviews.

Auditors expect to see the documented list, records of periodic reviews, and system-generated reports from endpoint management tools demonstrating that actual deployments match the authorized baseline. Any deviation found (unapproved software, an approved product running outside its version range, or an exception past its expiry date) should be traceable to a ticket showing how it was handled.
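The reconciliation described above (enforcement against the baseline, the difference between a live inventory and the governance list, and the deployment-versus-baseline check auditors ask for) is shown below as an added example; it is not code from the original page or from any WatchDog Security product. The register, exception register and inventory rows are constructed inline, and the field names, hostnames and product names are assumptions. Versions are compared as tuples against a minimum (inclusive) and optional maximum (exclusive) bound, and software that fails the register check falls through to the time-bound exception register before being reported as unapproved.

```python
"""Reconcile a discovered software inventory against an approved software
register and an exception register.

Added illustrative example. All data below is constructed for the example;
product names, hosts and field names are assumptions, not real assets.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn 'v12.4', '3.1.2' or '2.0-beta' into a comparable tuple of ints.

    A leading 'v' is dropped; each dotted part contributes its leading digits;
    the first part with no digits ends parsing (so '2.0-beta' -> (2, 0))."""
    parts: list[int] = []
    for part in text.strip().lower().lstrip("v").split("."):
        match = re.match(r"\d+", part)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


@dataclass(frozen=True)
class Approval:
    name: str
    min_version: Version            # inclusive lower bound
    max_version: Optional[Version]  # exclusive upper bound; None = open-ended
    owner: str


@dataclass(frozen=True)
class Finding:
    host: str
    software: str
    version: str
    status: str  # approved | version_out_of_range | exception_active | exception_expired | unapproved
    detail: str


def norm(name: str) -> str:
    """Normalise product names so 'CRM Platform' and 'crm  platform' match."""
    return " ".join(name.casefold().split())


def fmt_range(rule: Approval) -> str:
    lo = ".".join(map(str, rule.min_version))
    if rule.max_version is None:
        return f">= {lo} (open-ended)"
    return f">= {lo} and < {'.'.join(map(str, rule.max_version))}"


def reconcile(inventory, register, exceptions, today: date) -> list[Finding]:
    """Classify every (host, software, version) row from the inventory."""
    approved = {norm(a.name): a for a in register}
    exc = {norm(n): expiry for n, expiry in exceptions.items()}
    findings: list[Finding] = []
    for host, name, version in inventory:
        key, ver = norm(name), parse_version(version)
        rule = approved.get(key)
        in_range = (
            rule is not None
            and ver >= rule.min_version
            and (rule.max_version is None or ver < rule.max_version)
        )
        if rule is not None and in_range:
            findings.append(Finding(host, name, version, "approved", f"owner {rule.owner}"))
            continue
        # Not covered by the register: consult the time-bound exception register.
        if key in exc:
            expiry = exc[key]
            status = "exception_active" if today <= expiry else "exception_expired"
            findings.append(Finding(host, name, version, status, f"exception expires {expiry.isoformat()}"))
        elif rule is not None:
            findings.append(Finding(host, name, version, "version_out_of_range", f"approved {fmt_range(rule)}"))
        else:
            findings.append(Finding(host, name, version, "unapproved", "not in register or exception register"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per status; this is the figure an audit report quotes."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# --- constructed sample data (assumptions, not real assets) -----------------
AS_OF = date(2026, 2, 25)
REGISTER = [
    Approval("CRM Platform", (12,), None, "Head of Sales"),      # mirrors "v12.x and above"
    Approval("Text Editor", (3, 0), (4,), "Engineering Lead"),   # 3.x only
]
EXCEPTIONS = {  # software -> expiry of its temporary authorization
    "Legacy Reporting Tool": date(2026, 1, 31),
    "Screen Recorder": date(2026, 6, 30),
}
INVENTORY = [  # (host, software, version) as an endpoint agent would report it
    ("sales-01", "CRM Platform", "v12.4"),
    ("sales-02", "crm platform", "11.9"),
    ("eng-01", "Text Editor", "3.1.2"),
    ("eng-02", "Text Editor", "4.0"),
    ("fin-01", "Legacy Reporting Tool", "2.0"),
    ("fin-02", "Screen Recorder", "1.0"),
    ("eng-03", "Torrent Client", "9.9"),
]

if __name__ == "__main__":
    results = reconcile(INVENTORY, REGISTER, EXCEPTIONS, AS_OF)
    for f in results:
        print(f"{f.host:9} {f.software:24} {f.version:7} {f.status:22} {f.detail}")
    print(summarize(results))
```

Anything with a status other than `approved` or `exception_active` is the list auditors will ask about; an `exception_expired` row is the common one to miss, because the software was legitimately on a device once and the inventory alone gives no hint that the authorization has lapsed.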

A GRC platform can centralize the approved software list, enforce ownership, and create an auditable review cadence so the register stays current as tools change. For example, WatchDog Security's Asset Inventory can help reconcile the approved list against discovered SaaS and cloud assets, while WatchDog Security's Compliance Center can package the list and related evidence for audits across multiple frameworks.

Workflow tooling can automate intake, risk review, approvals, and time-bound exceptions so teams do not rely on ad hoc email threads. WatchDog Security's Risk Register can document exception risk decisions and treatment plans, and WatchDog Security's Vendor Risk Management can store vendor evidence (such as SOC 2 reports or DPAs) alongside the approval record to support consistent, repeatable decisions.

Version: 1.0.0
Date: 2026-02-25
Author: WatchDog Security GRC Wiki Team
Description: Initial publication