
ISO 27001 A.8.9 Configuration management

This article provides additional information on how you can meet the requirement for ISO 27001:2022 control A.8.9 Configuration management.

ISO 27001:2022 Control Description

Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.

Purpose

To ensure that hardware, software, services, and networks operate correctly with the required security settings and that configurations are not altered by unauthorised or incorrect changes.

Guidance on implementation

Effective configuration management is key to maintaining the security and functionality of your organisation's IT systems. This guide outlines how to establish, document, implement, monitor, and review configurations, including security settings, for hardware, software, services (such as cloud services), and networks.

Setting Up Configurations

  1. Define Configuration Processes and Tools:
    • Develop processes and tools to enforce defined configurations for both newly installed and operational systems. This includes both standard configurations and security-specific settings.
  2. Assign Roles and Responsibilities:
    • Clearly define who is responsible for managing configurations, including making and approving changes. Ensure that everyone understands their role in maintaining secure configurations.
  3. Use Standard Templates:
    • Create standard templates for secure configurations based on publicly available guidance, such as templates from vendors or independent security organisations. When developing these templates, consider:
      • The level of security required.
      • Alignment with your organisation’s security policies and standards.
      • The practicality and applicability of security settings in your specific environment.
    • Regularly review and update templates to address new threats, vulnerabilities, or changes in software and hardware.
  4. Key Considerations for Templates:
    • Limit Privileged Access: Minimise the number of identities with admin-level access.
    • Disable Unnecessary Accounts: Turn off or restrict accounts that are unused or insecure.
    • Restrict Unneeded Functions: Disable unnecessary services and restrict access to powerful utilities.
    • Synchronise Clocks: Ensure system clocks are synchronised.
    • Change Default Credentials: Immediately update vendor default passwords and other important security settings after installation.
    • Set Automatic Logoffs: Implement time-out settings to automatically log off inactive devices.
    • Verify Licences: Confirm that all software licences are valid and compliant.

Managing Configurations

  1. Record Configurations:
    • Keep detailed records of all configurations, including logs of any changes. Store these records securely, using tools like configuration databases or templates.
  2. Follow Change Management Processes:
    • Any changes to configurations should go through your organisation’s change management process. Ensure records include:
      • The current owner or contact for the asset.
      • The date of the last configuration change.
      • The version of the configuration template used.
      • Links to the configurations of related assets.
  3. Monitor and Review Configurations:
    • Regularly monitor configurations using system management tools like maintenance utilities, remote support, and backup software. Compare actual configurations with your defined target templates. Address any deviations through:
      • Automatic enforcement of the defined configuration.
      • Manual analysis and corrective action if needed.
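
The comparison of actual configurations against a target template, as an added example that is not part of the original article. The rule names, thresholds, asset record and its values are all constructed for illustration; the record carries the fields listed under change management (owner, last change date, template version, related assets).

```python
# Added example: drift check of a recorded configuration against a target template.
# Every setting name, threshold and record value below is constructed for illustration.
TEMPLATE = {
    "version": "2.1",
    "rules": {
        "admin_accounts":       ("max", 2),        # limit privileged access
        "default_password_set": ("eq", False),     # change default credentials
        "ntp_enabled":          ("eq", True),      # synchronise clocks
        "idle_logoff_seconds":  ("max", 900),      # automatic logoff
        "enabled_services":     ("none_of", {"telnet", "ftp"}),  # unneeded functions
    },
}

ASSET_RECORD = {
    "asset": "srv-app-01",
    "owner": "platform-team@example.org",
    "last_change": "2024-03-02",
    "template_version": "2.0",
    "related_assets": ["lb-01"],
    "actual": {
        "admin_accounts": 5,
        "default_password_set": False,
        "ntp_enabled": True,
        "idle_logoff_seconds": 3600,
        "enabled_services": ["ssh", "telnet"],
    },
}

def find_deviations(template, record):
    """Return sorted (setting, reason) pairs where the record departs from the template."""
    found = []
    if record["template_version"] != template["version"]:
        found.append(("template_version", f"record uses {record['template_version']}, "
                                          f"current is {template['version']}"))
    for name, (kind, expected) in template["rules"].items():
        if name not in record["actual"]:
            found.append((name, "setting not recorded"))  # a gap in the record is a finding
            continue
        value = record["actual"][name]
        if kind == "eq" and value != expected:
            found.append((name, f"expected {expected!r}, found {value!r}"))
        elif kind == "max" and value > expected:
            found.append((name, f"{value} exceeds maximum {expected}"))
        elif kind == "none_of" and (bad := sorted(set(value) & expected)):
            found.append((name, f"forbidden entries present: {bad}"))
    return sorted(found)

if __name__ == "__main__":
    for setting, reason in find_deviations(TEMPLATE, ASSET_RECORD):
        print(f"{ASSET_RECORD['asset']} ({ASSET_RECORD['owner']}): {setting}: {reason}")
```

Each finding can then be routed to automatic enforcement or to the asset owner for manual analysis, as the two options above describe.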

Other Information

  • Documentation: Ensure that systems documentation includes detailed information about both hardware and software configurations.
  • System Hardening: Incorporate system hardening into your configuration management practices to reduce vulnerabilities.
  • Integration with Asset Management: Consider integrating configuration management with asset management processes to streamline oversight.
  • Automation: Automate security configuration management where possible, using tools like infrastructure-as-code.
  • Confidentiality: Protect configuration templates and targets as confidential information to prevent unauthorised access.