Requirement
Requirement lens
This control asks whether hardware, software, service, and network configurations are established, documented, implemented, monitored, and reviewed.
“Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.”
Plain-language meaning
The organization should define what secure and acceptable configuration looks like, apply it, monitor whether systems stay aligned to it, and review exceptions. If approved configuration is not defined, unauthorized changes and insecure defaults are hard to detect.
Configuration management is not only asset inventory. It includes hardening baselines, secure settings, exception handling, drift monitoring, alert resolution, and risk-based justification where a standard cannot be followed.
Why this matters
Misconfigurations are a major cause of breaches and outages. Weak settings, exposed services, insecure certificates, disabled logging, excessive permissions, open ports, default accounts, or inconsistent hardening can create avoidable risk.
A known baseline makes deviation visible. Without it, the organization cannot reliably distinguish approved change, accidental drift, and malicious alteration.
Implementation guidance
Implementer focus
Define approved baselines, apply them consistently where practical, monitor drift, and document risk-based exceptions.
1. Establish configuration baselines
Baselines should cover relevant:
- servers;
- endpoints;
- network devices;
- cloud services;
- databases;
- applications;
- security tools;
- identity platforms;
- logging and monitoring components.
External baselines from vendors, manufacturers, or security bodies can help, but they usually require local tailoring.
2. Document local deviations
Some recommended settings may not be practical because of business, compatibility, supplier, or operational needs. Deviations should be supported by business case and risk assessment.
3. Implement and enforce configurations
Automation is usually lower risk for consistency, but it can create operational impact if applied blindly. Use automation where practical and focus attention on edge cases, exceptions, and critical systems.
4. Monitor configuration drift
Compare systems against approved baselines regularly or continuously. Drift may indicate malicious change, accidental change, unauthorized troubleshooting, or well-intentioned but uncontrolled modification.
5. Link alerts to incident and change management
Configuration alerts should have owners, escalation, resolution, and linkage to change/incident processes. Too many unmanaged alerts become background noise and stop being useful.
Audit guidance
Auditor focus
Test whether configuration standards exist, are applied to the right scope, exceptions are risk-justified, and drift monitoring produces action.
Auditors should verify:
- configuration standards/baselines;
- scope of systems covered by each baseline;
- configuration implementation evidence;
- exception/deviation records with risk justification;
- compensating controls for deviations;
- configuration validation records;
- monitoring frequency and rationale;
- alert escalation and resolution records;
- linkage to change and incident management.
For exceptions, ask what risk is created by not applying the baseline and what compensating control reduces that risk.
Evidence examples
Evidence quality
Strong evidence proves baselines are documented, implemented, monitored, reviewed, and exceptions are risk-managed.
| Evidence | What it proves |
|---|---|
| Configuration baseline standard | Approved secure settings are defined |
| System-to-baseline mapping | Scope is known |
| Configuration compliance reports | Baselines are implemented and monitored |
| Exception/deviation register | Unapplied settings are justified |
| Risk assessments for deviations | Exceptions are risk-based |
| Alert resolution records | Drift is investigated |
| Change records | Configuration changes are controlled |
| Review records | Baselines remain current |
Strong evidence
- Baselines exist for major technology types.
- Systems are mapped to applicable baselines.
- Compliance is checked regularly or continuously.
- Exceptions include risk rationale and compensating controls.
- Drift alerts are investigated and closed.
- Baselines are reviewed when threats, standards, or platforms change.
Weak evidence
- Vendor baseline is referenced but not tailored.
- Only some systems are checked without rationale.
- Exceptions exist informally.
- Configuration alerts are ignored due to volume.
- Baselines are documented but not implemented.
- No evidence links configuration changes to change control.
Common failures
Implementation watchouts
A.8.9 fails when secure configuration is treated as a one-time build task instead of a monitored baseline.
| Failure | Why it matters |
|---|---|
| No approved baseline | Secure state is undefined |
| One-size-fits-all baseline | Local risk and operational needs are ignored |
| No exception handling | Deviations become uncontrolled |
| No drift monitoring | Unauthorized changes remain hidden |
| Alert overload | Important misconfigurations are ignored |
| No review cycle | Baselines become stale |
Exam traps
Exam focus
A.8.9 requires establishment, documentation, implementation, monitoring, and review. Missing any one of these weakens the control.
| Trap | Correct interpretation |
|---|---|
| Configuration management means asset inventory | It means secure configuration baselines and drift control |
| Vendor standards can be copied unchanged | They often need risk-based local tailoring |
| Automation always solves configuration management | Automation helps but exceptions and operational impact still need management |
| Alerts prove monitoring is effective | Alerts must be triaged, escalated, and resolved |
| Exceptions mean noncompliance | Exceptions can be valid if risk-assessed and compensated |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.8 Management of Technical Vulnerabilities
- Monitoring activities
- A.5.37 Documented Operating Procedures
- A.5.36 Compliance with Policies, Rules and Standards for Information Security
- Risk Assessment
- Statement of Applicability
- Configuration Baseline Register
- Configuration Exception and Risk Acceptance Record
- Configuration Compliance Review Checklist
- Configuration Drift Alert Review Record
- A.8.9 Audit Evidence Pack
- A.8.9 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.9 defines and monitors secure system state. Strong implementation proves baselines exist, systems are compared against them, exceptions are risk-managed, and drift is investigated.
- Establish secure configuration baselines.
- Map systems to applicable baselines.
- Implement and monitor baseline compliance.
- Justify and review exceptions.
- Resolve configuration drift through change or incident processes.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Configuration management
- Hardening
- Audit
Note Metadata
Aliases: A.8.9, Configuration Management, Security Configuration Management
Source: 05 Annex A Technological Controls/A.8.9 Configuration Management.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.36 - Compliance with Policies, Rules and Standards for Information Security
- ISO 27001 A.5.37 - Documented Operating Procedures
- A.8.9 Audit Evidence Pack
- ISO 27001 A.8.15 - Logging
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- ISO 27001 A.8.20 - Networks Security
- ISO 27001 A.8.22 - Segregation of Networks
- ISO 27001 A.8.29 - Security Testing in Development and Acceptance
- ISO 27001 A.8.31 - Separation of Development Test and Production Environments
- ISO 27001 A.8.32 - Change Management
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.9 Configuration Management
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-030 - Vulnerability and Configuration Management
- EXAM-035 - Software Installation and Network Security
- ISO 27002 Annex A Control Interpretation Map
- A.8.9 Audit Checklist
- Change Management Procedure
- Configuration Baseline Register
- Configuration Compliance Review Checklist
- Configuration Drift Alert Review Record
- Configuration Exception and Risk Acceptance Record
- Development Environment Separation Standard
- Network Device Configuration and Change Review
- Network Security Architecture and Zoning Standard
- Operational Software Installation Procedure
- Virtual Network and Hypervisor Security Review
- Annex A Controls MOC