ISO 27001:2022 Annex A 8.9 – Configuration Management

• See ISO 27002:2022 Control 8.9 for more information.

Purpose of ISO 27001:2022 Annex A 8.9

Configurations, either as an individual config file or a collection of configurations linked together, determine how hardware, software, and networks are managed.

As an example, a firewall’s configuration file will contain the baseline attributes that the device utilises to manage the traffic entering and leaving an organisation’s network, such as block lists, port forwarding, virtual LANs and VPN information.

Configuration management forms an essential part of any organisation’s asset management strategy. Configurations are crucial for making sure that a network runs as it should, and for protecting devices from unapproved changes or inappropriate alterations by maintenance personnel and/or vendors.

Ownership of Annex A 8.9

Configuration management is an administrative duty dedicated to sustaining and observing asset-related data and info present on various devices and applications. Therefore, ownership should be in the hands of the Head of IT or the equivalent.

Guidance on ISO 27001:2022 Annex A 8.9 Compliance

Organisations need to craft and enact configuration management policies for both new and existing systems and hardware. Internal controls should encompass key elements such as security configurations, hardware with configuration files, and any applicable software or systems.

ISO 27001:2022 Annex A 8.9 requires organisations to contemplate all pertinent roles and duties when establishing a configuration policy, including assigning ownership of configurations on a device-by-device or application-by-application basis.

Guidance on Standard Templates

Organisations should strive to use standardised templates to secure all hardware, software and systems whenever practical. These templates should:

• Attempt to use freely available vendor-specific and open source instructions to optimally configure hardware and software assets.
• Ensure that the device, application or system abides by the minimum security requirements.
• Co-operate with the company’s larger information security activities, including all applicable ISO regulations.
• Take into account the special business needs of the organisation – particularly with respect to security settings – as well as the possibility of applying or managing a template at any given time.
• At regular intervals, review the system and hardware updates, and any current security threats, to ensure optimal performance.

Guidance on Security Controls

Security is of utmost importance when applying configuration templates or changing existing ones in accordance with the guidance mentioned above.

When contemplating templates to be implemented across the company, organisations should strive to reduce potential information security hazards by:

• Restrain the amount of personnel with administrative authority to the least quantity possible.
• Deactivate any identities not being used or not needed.
• Track access to maintenance programs, utilities and internal settings carefully.
• Ensure clocks are coordinated to record configuration accurately and aid any future probes.
• Straight away switch any default passwords or safety settings provided with any device, service or program.
• Implement a preset log-off period for any devices, systems, or applications that have been inactive for a predetermined time frame.
• Ensure compliance with ISO 27001:2022 Annex A 5.32 to guarantee that all licensing requirements have been fulfilled.

Guidance on Managing and Monitoring Configurations

The organisation is obliged to retain and record configurations, along with a history of any changes or new setups, in line with the ISO 27001:2022 Annex A 8.32 Change Management process.

Logs should include information that details:

• Who holds the asset.
• Record the time of the latest configuration change.
• This version of the configuration template that is in effect.
• Explain any data pertinent to the asset’s association with configurations on other gadgets/systems.

Organisations should employ a broad spectrum of methods to keep tabs on the functioning of configuration files across their network, such as:

• Automation.
• Specialised configuration maintenance programs are available for use. These programs enable efficient and effective management of settings.
• Remote support tools that automatically populate configuration data for each device.
• Enterprise device and software management utilities are created to observe large quantities of configuration data simultaneously.
• The BUDR software provides automated backups of configurations to a secure place, and can remotely or on-site restore templates to malfunctioning or compromised devices.

Organisations should employ specialised software to monitor any changes to a device’s configuration, taking swift action to either approve or revert the transformation to its initial status.

Accompanying Annex A Controls

• ISO 27001:2022 Annex A 5.32
• ISO 27001:2022 Annex A 8.32

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.9 is not present in ISO 27001:2013, as it is a new addition in the 2022 revision.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Help

ISMS.Online provides a comprehensive approach to ISO 27001 implementation. It offers a full-service package, ensuring that the whole process is handled quickly and efficiently. It provides all the necessary tools, resources and guidance to enable organisations to implement the standard with confidence.

This web-based system permits you to demonstrate that your Information Security Management System (ISMS) meets the accepted standards, with well-considered processes, procedures and checklists.

Contact us now to arrange a demonstration.