ISO 27001 Annex A 8.9 - Configuration Management

A known configuration is the baseline against which security can be measured.

Configuration management establishes the baseline state of systems and tracks how they change over time. Without it, the organisation cannot tell what is normal, what is hardened, and what has drifted. The control asks for configurations, including security configurations, of hardware, software, services and networks to be established, documented, implemented consistently, monitored for drift, and reviewed.

Modern infrastructure increasingly uses configuration as code - the desired state of systems is held in version-controlled definitions and applied automatically. This makes configuration management more deterministic and easier to audit, provided the running state is actually reconciled against the definitions rather than only deployed from them once. Where configuration is still managed manually, the records need to be maintained alongside the systems.

Security configurations are the part of the wider configuration that affects security posture - service hardening settings, firewall rules, access control lists, logging configuration. These should be derived from a security baseline (CIS benchmarks, vendor hardening guides, or internal standards) and reviewed when threats or systems change.

Drift is the silent enemy of configuration management. Settings get tweaked to fix a one-off issue and never get put back. Exceptions get granted without a review date and are never revisited. Over time the actual configuration diverges from the documented one, and nobody is sure which is right. Periodic comparison of actual against intended state catches drift before the drifted state becomes the de facto baseline.
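The comparison described above, as an added example (not code from the alphaZ toolkit or from the standard): a documented baseline is checked against a captured running configuration, and every divergence is classified. It also covers the exception problem from the same paragraph, and the "actual versus intended" check in the FAQ below: a deviation covered by an exception still within its review period is tolerated but reported, while one whose exception has lapsed is treated as drift. The baseline values, the sshd_config sample, the exception register and the as-of date are all constructed for illustration.

```python
"""Configuration drift check: compare a documented security baseline with the
running state of a service and report every divergence, including exceptions
that were granted but never reviewed.

Added example, not code from the alphaZ toolkit or the ISO 27001 standard.
The baseline, the sample sshd_config text, the exception register and the
as-of date are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Documented baseline (constructed, in the style of CIS sshd recommendations):
# directive -> required value. This is the record the control asks for.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Exception register (constructed): directive -> (approved value, review-by date).
# An exception past its review date no longer justifies the deviation.
EXCEPTIONS = {
    "PasswordAuthentication": ("yes", date(2099, 1, 1)),  # within review period
    "X11Forwarding": ("yes", date(2020, 1, 1)),           # lapsed, never reviewed
}

# Date the check runs against (constructed, fixed so the result is reproducible).
AS_OF = date(2024, 6, 1)

# Running configuration as captured from the host (constructed sample; on a real
# system take the effective settings from `sshd -T`, not just the file on disk).
RUNNING_CONFIG = """\
# sshd_config (constructed sample)
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
LogLevel VERBOSE
Banner /etc/issue.net
"""


@dataclass(frozen=True)
class Drift:
    key: str
    expected: str | None
    actual: str | None
    kind: str  # mismatch | missing | undocumented | excepted | expired_exception


def parse_config(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'Directive value' lines, dropping blanks and comments.

    sshd directives are case-insensitive, so the result is keyed on the
    lower-cased name and keeps the spelling found in the file for reporting.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = (key, value.strip())
    return settings


def check_drift(baseline, running_text, exceptions, today) -> list[Drift]:
    """Return every way the running state differs from the baseline."""
    actual = parse_config(running_text)
    wanted = {k.lower(): (k, v) for k, v in baseline.items()}
    allowed = {k.lower(): v for k, v in exceptions.items()}
    findings = []
    for lk, (key, expected) in wanted.items():
        if lk not in actual:
            # Absent means the daemon default applies, which is rarely the
            # hardened value (sshd's MaxAuthTries default is 6, not 4).
            findings.append(Drift(key, expected, None, "missing"))
            continue
        got = actual[lk][1]
        if got == expected:
            continue
        exc = allowed.get(lk)
        if exc and exc[0] == got:
            kind = "excepted" if exc[1] >= today else "expired_exception"
        else:
            kind = "mismatch"
        findings.append(Drift(key, expected, got, kind))
    for lk, (key, got) in actual.items():
        if lk not in wanted:
            # Not wrong by itself, but a setting nobody has documented.
            findings.append(Drift(key, None, got, "undocumented"))
    return findings


def blocking(findings: list[Drift]) -> list[Drift]:
    """Findings that must be remediated, or formally re-approved, now."""
    return [f for f in findings if f.kind in ("mismatch", "missing", "expired_exception")]


def summarise(findings: list[Drift]) -> dict[str, str]:
    """Directive -> drift kind, for reporting."""
    return {f.key: f.kind for f in findings}


if __name__ == "__main__":
    found = check_drift(BASELINE, RUNNING_CONFIG, EXCEPTIONS, AS_OF)
    for f in found:
        print(f"{f.kind:18} {f.key}: expected={f.expected!r} actual={f.actual!r}")
    print(f"{len(blocking(found))} finding(s) block sign-off")
```

Two design points are worth keeping when adapting this to a real tool. First, a directive that is simply absent is reported as drift rather than ignored, because the daemon default then applies and the default is usually weaker than the baseline. Second, the exception register carries a review date, so a deviation that was once approved cannot quietly become permanent: once the date passes, the check treats it exactly like unapproved drift.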

Practical Compliance Guidance

Configuration management is described in the IMS1 manual at section 8.3 on IT equipment alongside the wider operational arrangements. Configuration baselines and change records provide the operational evidence.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

PP-8-100 Information Security Policy Procedure - Contains the operational arrangements relevant to configuration management, including the security baselines that apply.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Which security baselines should be used?

CIS benchmarks are widely accepted starting points for many platforms. Vendor hardening guides (Microsoft, AWS, Linux distributions) provide platform-specific guidance. Internal baselines built from these sources can be tailored to the organisation. The choice should be documented and applied consistently.

How is configuration drift detected?

Through periodic configuration audits, configuration management tools that compare actual to intended state, and change records that track every authorised change. Where configuration as code is used, the source of truth and the running state should remain in sync.

How does configuration management relate to change management?

Configuration management establishes the baseline; change management controls how the baseline changes. The two work together - changes are made through the change process, and configuration records are updated as a result. The change records under A.8.32 form part of the configuration audit trail.
