The basics
ISO 27001 control A.8.9 Configuration management requires organizations to manage configurations throughout the lifecycle of a particular technology. This is important to achieve and maintain adequate system security, while avoiding unauthorized and inappropriate changes.
This is a completely new control in the 2022 edition of the standard.
Documentation
ISO 27001 control A.8.9 Configuration management can be documented:
- for smaller and mid-sized companies – through Security Procedures for IT Department
- for larger companies – through a Configuration Management Procedure.
This control must be documented.
Implementation
In order to comply with control A.8.9 Configuration management you might implement the following:
- Technology — the technology whose configuration needs to be managed could include software, hardware, services, or networks. Smaller companies will probably be able to handle configuration management without any additional tools, whereas larger companies probably need some software that enforces defined configurations.
- Organization/processes — you should set up a process for proposing, reviewing, and approving security configurations, as well as the processes for managing and monitoring the configurations. You can document those processes through Security Procedures for IT Department or a Configuration Management Procedure.
- People — make employees aware of why strict control of security configuration is needed, and train them on how to define and implement security configurations.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.9 Configuration management: whether configurations are defined, documented, implemented, monitored, and reviewed.