Configurations – whether acting as a single config file, or a group of configurations linked together – are the underlying parameters that govern how hardware, software and even entire networks are managed.
As an example, a firewall’s configuration file will hold the baseline attributes that the device uses to manage traffic to and from an organisation’s network, including block lists, port forwarding, virtual LANs and VPN information.
Configuration management is an integral part of an organisation's broader asset management operation. Configurations are key both to ensuring that a network operates as intended and to protecting devices against unauthorised or incorrect changes made by maintenance staff and/or vendors.
Control 8.9 is a preventive control that reduces risk by establishing a set of policies governing how an organisation documents, implements, monitors and reviews configurations across its entire network.
Configuration management is largely an administrative discipline, supported by technical tooling, that deals with the maintenance and monitoring of configuration data resident on a broad range of devices and applications. As such, ownership should reside with the Head of IT, or organisational equivalent.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality #Integrity #Availability | #Protect | #Secure Configuration | #Protection |
On the whole, organisations need to draft and implement configuration management policies for both new systems and hardware and any that are already in use. Internal controls should cover business-critical elements such as security configurations, all hardware that holds a configuration file, and any relevant software applications or systems.
Control 8.9 asks organisations to consider all relevant roles and responsibilities when implementing a configuration policy, including the delegated ownership of configurations on a device-by-device, or application-by-application basis.
Where possible, organisations should use standardised templates to secure all hardware, software and systems. Templates should:
Security is paramount when applying configuration templates, or amending existing templates in line with the above guidance.
When considering standard templates for use across the organisation, in order to minimise any information security risks organisations should:
An organisation has a responsibility to maintain and store configurations, including keeping an audit trail of any amendments or new installations, in line with a published change management process (see Control 8.32).
Logs should contain information that outlines:
Organisations should deploy a wide range of techniques to monitor the operation of configuration files across their network, including:
Organisations should configure specialised software to track any change to a device's configuration and act on it as soon as possible, either by validating the change against an approved change record or by reverting the configuration to its baseline state.
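The monitoring and audit-trail requirements above can be illustrated with a small drift detector. The following is an added example, not code from ISMS.Online or from ISO 27002: it fingerprints an approved baseline, diffs the running configuration against it, checks each changed line against the change records that authorise it, and produces an audit entry whose action is either to validate the change or to revert to the baseline. The device name, the configuration text, the change-record identifier CHG-0042 and the record structure are all constructed for the example.

```python
from __future__ import annotations

import difflib
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data (not from the page): an approved baseline for a
# firewall and two running configurations retrieved from the device.
BASELINE = """\
hostname fw-edge-01
interface eth0
 ip address 203.0.113.2/24
access-list inbound deny tcp any any eq 23
access-list inbound permit tcp any host 203.0.113.10 eq 443
ssh server enable
"""

# Unauthorised drift: the telnet deny rule flipped to permit and telnet enabled.
RUNNING_DRIFTED = """\
hostname fw-edge-01
interface eth0
 ip address 203.0.113.2/24
access-list inbound permit tcp any any eq 23
access-list inbound permit tcp any host 203.0.113.10 eq 443
ssh server enable
telnet server enable
"""

# Authorised drift: one extra rule covered by a (hypothetical) change record.
RUNNING_APPROVED = BASELINE + "access-list inbound permit tcp any host 203.0.113.10 eq 8443\n"

# Change records map a ticket id to the exact diff lines it authorises.
CHANGE_RECORDS = {
    "CHG-0042": {"+access-list inbound permit tcp any host 203.0.113.10 eq 8443"},
}


def fingerprint(config: str) -> str:
    """SHA-256 of the whitespace-normalised config; stored with the baseline."""
    normalised = "\n".join(line.rstrip() for line in config.strip().splitlines())
    return hashlib.sha256(normalised.encode()).hexdigest()


def config_diff(baseline: str, running: str) -> list[str]:
    """Added (+) and removed (-) lines of the running config relative to the baseline."""
    return [
        line
        for line in difflib.unified_diff(
            baseline.splitlines(), running.splitlines(),
            fromfile="baseline", tofile="running", lineterm="",
        )
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


def assess_drift(device: str, baseline: str, running: str) -> dict:
    """Build an audit record for one poll of the device and decide the action:
    in_sync, validated (every changed line is covered by a change record) or
    revert (at least one line that nobody authorised)."""
    changes = config_diff(baseline, running)
    authorised = set().union(*CHANGE_RECORDS.values())
    unauthorised = [c for c in changes if c not in authorised]
    tickets = sorted(t for t, lines in CHANGE_RECORDS.items() if lines & set(changes))
    if not changes:
        action = "in_sync"
    elif unauthorised:
        action = "revert"
    else:
        action = "validated"
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "device": device,
        "baseline_sha256": fingerprint(baseline),
        "running_sha256": fingerprint(running),
        "changes": changes,
        "unauthorised": unauthorised,
        "change_records": tickets,
        "action": action,
    }


def reconcile(device: str, baseline: str, running: str) -> tuple[dict, str]:
    """Return the audit record and the configuration that should be in force
    afterwards: the baseline when reverting, otherwise the running config
    (which becomes the new baseline once validated)."""
    record = assess_drift(device, baseline, running)
    return record, baseline if record["action"] == "revert" else running


if __name__ == "__main__":
    for name, running in (("drifted", RUNNING_DRIFTED), ("approved", RUNNING_APPROVED)):
        record, effective = reconcile("fw-edge-01", BASELINE, running)
        print(name, json.dumps(record, indent=2))
```

In practice the baseline and its hash live in the configuration store, the running config is pulled on a schedule or on a change event, and the audit record is shipped to a central log so that the who, what and when of each amendment survive independently of the device. Note that a change is validated only if every changed line is covered by a change record; a partially authorised change is still reverted.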
None. Control 8.9 is a new control with no precedent in ISO 27002:2013.
ISMS.Online is a complete solution for ISO 27002 implementation.
It is a web-based system that allows you to show that your information security management system (ISMS) is compliant with the approved standards using well thought out processes and procedures and checklists.
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |