AuditFront

ISO 27001 A.8.9: Configuration management

What This Control Requires

Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.

In Plain Language

Misconfigurations are one of the top causes of security breaches, full stop. Default passwords left in place, unnecessary services running, overly permissive cloud security groups - these are the things that actually get exploited in the real world. This control, new in ISO 27001:2022, makes configuration management an explicit requirement.

The idea is straightforward: define what a secure configuration looks like for each type of technology you run, deploy that configuration consistently, and then monitor for drift. When someone changes a firewall rule or tweaks a cloud setting outside the change management process, you need to know about it.

This applies to everything - operating systems, applications, cloud services, network equipment. Each should have an approved baseline, and actual configurations should be regularly verified against it.

How to Implement

Define secure configuration baselines for all your technology components. Use CIS Benchmarks as a starting point for operating systems, cloud platforms, and applications. Customise them to fit your environment and document everything in a CMDB or equivalent.

Cover all the key areas:

  • OS hardening: disable unnecessary services, apply security settings
  • Application server configuration: secure defaults, error handling, session management
  • Database security: authentication, encryption, audit logging
  • Network devices: firewall rules, ACLs, SNMP settings
  • Cloud services: identity settings, network security groups, encryption
  • Endpoints: security software, policies, restrictions

Automate baseline deployment. Use tools like Ansible, Puppet, Chef, or cloud-native options like Terraform, CloudFormation, or ARM templates. Infrastructure-as-code ensures consistent, repeatable deployments every time. Build golden images for standard deployments so new servers start from a known-good state.

Monitor continuously for configuration drift. Deploy tools that detect changes and alert on deviations from baselines. For cloud environments, use CSPM tools. For on-premises, use configuration audit tools. When an unauthorised change is detected, investigate it immediately - it could be a mistake or it could be an indicator of compromise.

Route all configuration changes through change management. Every change should have approval, testing, and documentation. Emergency changes need retrospective review. Maintain a clear log showing who changed what, when, and why.

Run regular configuration audits. Compare actual state against approved baselines, identify deviations, and remediate. Track compliance metrics and report to management. Use audit findings to refine your baselines and deployment processes over time.
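The audit loop described in the steps above (compare observed state against the approved baseline, separate deviations covered by an approved change from unauthorised ones, and produce a compliance metric for reporting) can be demonstrated in a few dozen lines. The following is an added example, not AuditFront's code nor any specific audit tool's; the baseline keys, the observed snapshot and the CHG-style ticket references are constructed sample data, and in practice the observed dictionary would be fed from your configuration audit or CSPM tooling.

```python
"""Configuration drift audit (added example with constructed sample data).

Compares an observed configuration snapshot against an approved baseline,
links each deviation to a change-management record where one exists, and
computes the compliance percentage that the regular audit reports on.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BaselineItem:
    expected: str   # approved value for this setting
    severity: str   # "high", "medium" or "low": drives remediation priority


@dataclass(frozen=True)
class ChangeRecord:
    ticket: str     # change-management reference (hypothetical "CHG-nnnn" format)
    key: str        # setting the change was approved for
    new_value: str  # value the change approved


@dataclass(frozen=True)
class Deviation:
    key: str
    expected: str
    observed: str
    severity: str
    ticket: Optional[str]  # None means no approved change covers this deviation

    @property
    def authorised(self) -> bool:
        return self.ticket is not None


# Constructed baseline for a hypothetical Linux server class. The keys are
# illustrative, not items copied from a CIS Benchmark.
BASELINE: Dict[str, BaselineItem] = {
    "ssh.PermitRootLogin":        BaselineItem("no", "high"),
    "ssh.PasswordAuthentication": BaselineItem("no", "high"),
    "service.telnet":             BaselineItem("disabled", "high"),
    "auditd.enabled":             BaselineItem("yes", "medium"),
    "fs.tmp.noexec":              BaselineItem("yes", "low"),
    "ntp.enabled":                BaselineItem("yes", "low"),
}

# Constructed snapshot of what a scanner actually observed on the host.
OBSERVED: Dict[str, str] = {
    "ssh.PermitRootLogin":        "no",
    "ssh.PasswordAuthentication": "yes",      # drift, but approved via CHG-1042
    "service.telnet":             "enabled",  # drift with no change record
    "auditd.enabled":             "yes",
    "fs.tmp.noexec":              "yes",
    # "ntp.enabled" absent from the snapshot: an unverifiable setting is
    # treated as a deviation rather than silently assumed compliant.
}

# Constructed change-management log entries (ticket format is hypothetical).
APPROVED_CHANGES: List[ChangeRecord] = [
    ChangeRecord("CHG-1042", "ssh.PasswordAuthentication", "yes"),
]


def audit(baseline: Dict[str, BaselineItem], observed: Dict[str, str],
          changes: List[ChangeRecord]) -> List[Deviation]:
    """Return every setting whose observed value differs from the baseline."""
    approved = {(c.key, c.new_value): c.ticket for c in changes}
    deviations = []
    for key, item in sorted(baseline.items()):
        actual = observed.get(key, "<missing>")
        if actual == item.expected:
            continue
        # A deviation is authorised only if a change record approved exactly
        # this key/value pair; anything else needs investigation.
        deviations.append(Deviation(key, item.expected, actual, item.severity,
                                    approved.get((key, actual))))
    return deviations


def unauthorised(deviations: List[Deviation]) -> List[Deviation]:
    """Deviations with no approved change behind them: the investigation queue."""
    return [d for d in deviations if not d.authorised]


def compliance_score(baseline: Dict[str, BaselineItem],
                     deviations: List[Deviation]) -> float:
    """Percentage of baseline items whose observed value matches the baseline."""
    return round(100.0 * (len(baseline) - len(deviations)) / len(baseline), 1)


def report(baseline: Dict[str, BaselineItem], observed: Dict[str, str],
           changes: List[ChangeRecord]) -> str:
    """Plain-text audit summary suitable for the evidence file."""
    devs = audit(baseline, observed, changes)
    lines = [f"Compliance: {compliance_score(baseline, devs)}% "
             f"({len(devs)} deviation(s), {len(unauthorised(devs))} unauthorised)"]
    for d in devs:
        status = f"approved under {d.ticket}" if d.authorised else "UNAUTHORISED"
        lines.append(f"  [{d.severity}] {d.key}: expected {d.expected!r}, "
                     f"observed {d.observed!r} ({status})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE, OBSERVED, APPROVED_CHANGES))
```

The point of keeping the change log in the comparison is that the audit then distinguishes "drift we signed off on" from "drift nobody approved"; only the second kind is a potential indicator of compromise, and it is what should page someone. Treating a setting that the scanner could not read as a deviation is deliberate: an audit that cannot verify a control should not report it as compliant.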

Evidence Your Auditor Will Request

  • Documented configuration baselines for major technology components
  • Configuration management tool deployment and automation records
  • Configuration monitoring and drift detection reports
  • Configuration audit results showing compliance with baselines
  • Change management records for configuration changes

Common Mistakes

  • No defined configuration baselines for systems and applications
  • Systems are deployed with default configurations without hardening
  • Configuration changes are made outside the change management process
  • No monitoring for configuration drift from approved baselines
  • Cloud service configurations are not managed with the same rigour as on-premises systems

Related Controls Across Frameworks

Framework   Control ID      Relationship
SOC 2       CC6.1           Partial overlap
SOC 2       CC8.1           Related
NIS2        Art.21(2)(d)    Related

Frequently Asked Questions

Is this control new in ISO 27001:2022?
Yes, it is one of the 11 new controls introduced in the 2022 revision. Configuration management was only implicit in the 2013 version; the standard now calls it out explicitly. This reflects how many real-world breaches trace back to misconfigurations, and it deserved its own control.
What configuration baselines should we use?
CIS Benchmarks are the gold standard starting point. They cover most operating systems, cloud platforms, databases, and applications with peer-reviewed, detailed recommendations. Customise them for your specific environment - not every recommendation will apply to every organisation. For cloud environments, also look at the provider's security best practices and Well-Architected Framework guidance. The important thing is to document your baselines and keep them updated as your technology stack evolves.
