UnixTime

Research Note

ISO 27001 A.8.9 - Configuration Management

The organization should define what secure and acceptable configuration looks like, apply it, monitor whether systems stay aligned to it, and review exceptions. If approved conf...

On this page

Requirement

Requirement lens

This control asks whether hardware, software, service, and network configurations are established, documented, implemented, monitored, and reviewed.

“Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.”

Plain-language meaning

The organization should define what secure and acceptable configuration looks like, apply it, monitor whether systems stay aligned to it, and review exceptions. If approved configuration is not defined, unauthorized changes and insecure defaults are hard to detect.

Configuration management is not only asset inventory. It includes hardening baselines, secure settings, exception handling, drift monitoring, alert resolution, and risk-based justification where a standard cannot be followed.

Why this matters

Misconfigurations are a major cause of breaches and outages. Weak settings, exposed services, insecure certificates, disabled logging, excessive permissions, open ports, default accounts, or inconsistent hardening can create avoidable risk.

A known baseline makes deviation visible. Without it, the organization cannot reliably distinguish approved change, accidental drift, and malicious alteration.

Implementation guidance

Implementer focus

Define approved baselines, apply them consistently where practical, monitor drift, and document risk-based exceptions.

1. Establish configuration baselines

Baselines should cover relevant:

  • servers;
  • endpoints;
  • network devices;
  • cloud services;
  • databases;
  • applications;
  • security tools;
  • identity platforms;
  • logging and monitoring components.

External baselines from vendors, manufacturers, or security bodies can help, but they usually require local tailoring.

2. Document local deviations

Some recommended settings may not be practical because of business, compatibility, supplier, or operational needs. Deviations should be supported by business case and risk assessment.

3. Implement and enforce configurations

Automation is usually lower risk for consistency, but it can create operational impact if applied blindly. Use automation where practical and focus attention on edge cases, exceptions, and critical systems.

4. Monitor configuration drift

Compare systems against approved baselines regularly or continuously. Drift may indicate malicious change, accidental change, unauthorized troubleshooting, or well-intentioned but uncontrolled modification.

Configuration alerts should have owners, escalation, resolution, and linkage to change/incident processes. Too many unmanaged alerts become background noise and stop being useful.

Audit guidance

Auditor focus

Test whether configuration standards exist, are applied to the right scope, exceptions are risk-justified, and drift monitoring produces action.

Auditors should verify:

  • configuration standards/baselines;
  • scope of systems covered by each baseline;
  • configuration implementation evidence;
  • exception/deviation records with risk justification;
  • compensating controls for deviations;
  • configuration validation records;
  • monitoring frequency and rationale;
  • alert escalation and resolution records;
  • linkage to change and incident management.

For exceptions, ask what risk is created by not applying the baseline and what compensating control reduces that risk.

Evidence examples

Evidence quality

Strong evidence proves baselines are documented, implemented, monitored, reviewed, and exceptions are risk-managed.

Evidence What it proves
Configuration baseline standard Approved secure settings are defined
System-to-baseline mapping Scope is known
Configuration compliance reports Baselines are implemented and monitored
Exception/deviation register Unapplied settings are justified
Risk assessments for deviations Exceptions are risk-based
Alert resolution records Drift is investigated
Change records Configuration changes are controlled
Review records Baselines remain current

Strong evidence

  • Baselines exist for major technology types.
  • Systems are mapped to applicable baselines.
  • Compliance is checked regularly or continuously.
  • Exceptions include risk rationale and compensating controls.
  • Drift alerts are investigated and closed.
  • Baselines are reviewed when threats, standards, or platforms change.

Weak evidence

  • Vendor baseline is referenced but not tailored.
  • Only some systems are checked without rationale.
  • Exceptions exist informally.
  • Configuration alerts are ignored due to volume.
  • Baselines are documented but not implemented.
  • No evidence links configuration changes to change control.

Common failures

Implementation watchouts

A.8.9 fails when secure configuration is treated as a one-time build task instead of a monitored baseline.

Failure Why it matters
No approved baseline Secure state is undefined
One-size-fits-all baseline Local risk and operational needs are ignored
No exception handling Deviations become uncontrolled
No drift monitoring Unauthorized changes remain hidden
Alert overload Important misconfigurations are ignored
No review cycle Baselines become stale

Exam traps

Exam focus

A.8.9 requires establishment, documentation, implementation, monitoring, and review. Missing any one of these weakens the control.

Trap Correct interpretation
Configuration management means asset inventory It means secure configuration baselines and drift control
Vendor standards can be copied unchanged They often need risk-based local tailoring
Automation always solves configuration management Automation helps but exceptions and operational impact still need management
Alerts prove monitoring is effective Alerts must be triaged, escalated, and resolved
Exceptions mean noncompliance Exceptions can be valid if risk-assessed and compensated

KB-ready summary

Mentor takeaway

A.8.9 defines and monitors secure system state. Strong implementation proves baselines exist, systems are compared against them, exceptions are risk-managed, and drift is investigated.

  • Establish secure configuration baselines.
  • Map systems to applicable baselines.
  • Implement and monitor baseline compliance.
  • Justify and review exceptions.
  • Resolve configuration drift through change or incident processes.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Configuration management
  • Hardening
  • Audit

Note Metadata

Aliases: A.8.9, Configuration Management, Security Configuration Management

Source: 05 Annex A Technological Controls/A.8.9 Configuration Management.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

12

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.