ISO/IEC 27002:2022 8.9 CONFIGURATION MANAGEMENT

ISO 27002:2022 introduces several new information security controls, including A8.9 – Configuration management.

This blog takes a brief look at what is required.

Configuration management in ISO 27002:2022

The new control 8.9 – Configuration management has been added to ISO/IEC 27002:2022 to ensure that hardware, software, services, and networks function correctly with the required security settings, and that configuration is not altered by unauthorized or incorrect changes.

The control states that configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

The organization should define and implement processes and tools to enforce the defined configurations (including security configurations) for hardware, software, services (e.g. cloud services) and networks, for newly installed systems as well as for operational systems over their lifetime. Roles, responsibilities, and procedures should be in place to ensure satisfactory control of all configuration changes.

How to Evidence A8.9 of ISO 27002:2022

Organisations can evidence control A8.9 in several ways, including:

  • Established configurations of hardware, software, services, and networks should be recorded, and a log should be maintained of all configuration changes. These records should be securely stored. This can be achieved in various ways, such as through configuration databases or configuration templates.
  • Configurations should be monitored with a comprehensive set of system management tools (e.g., maintenance utilities, remote support, enterprise management tools, backup and restore software) and should be reviewed on a regular basis to verify configuration settings, evaluate password strengths, and assess activities performed.
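As an added illustration (not part of the original article or of the standard), the sketch below shows one way the two evidence items can fit together: a recorded baseline template is compared with the configuration found on a host, and every deviation is written to a hash-chained change log so later edits to the log are detectable. The SSH settings, the sample host configuration and the hash-chain approach are all assumptions chosen for the example.

```python
import hashlib
import json

# Constructed baseline ("configuration template"); the settings are illustrative.
BASELINE = {"PermitRootLogin": "no", "PasswordAuthentication": "no", "MaxAuthTries": "4"}
# Constructed sample of the configuration as found on a host during review.
OBSERVED_TEXT = """\
# sshd_config (constructed sample)
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
"""
GENESIS = "0" * 64  # "previous hash" of the first log record

def parse_config(text):
    """Parse 'Key value' lines, skipping blanks and comments (simplified parser)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings

def find_drift(baseline, observed):
    """Return (setting, expected, actual) for missing, changed and unmanaged settings."""
    keys = sorted(set(baseline) | set(observed))
    return [(k, baseline.get(k), observed.get(k))
            for k in keys if baseline.get(k) != observed.get(k)]

def _digest(prev, entry):
    return hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()

def append_change(log, entry):
    """Append a record whose hash covers the previous record's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "entry": entry, "hash": _digest(prev, entry)})

def verify_log(log):
    """Recompute the chain; any edited, removed or reordered record breaks it."""
    prev = GENESIS
    for rec in log:
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
            return False
        prev = rec["hash"]
    return True

if __name__ == "__main__":
    log = []
    for setting, expected, actual in find_drift(BASELINE, parse_config(OBSERVED_TEXT)):
        append_change(log, {"setting": setting, "expected": expected, "actual": actual})
    print(json.dumps(log, indent=2), "chain intact:", verify_log(log))
```

A setting that is absent from the baseline is reported with an expected value of `None`, which flags unmanaged settings for review rather than silently accepting them.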

Implement A8.9 – Configuration management. 

If you need assistance with control A8.9, Assent’s ISO 27002 Consultants can help.

Kerri Madders