
Series: New Controls in ISO/IEC 27001:2022 Annex A

  • sujosutech
  • Jul 14
  • 3 min read

Configuration Management

In this article series, we are analyzing the implementation aspects of the 11 new controls of ISO/IEC 27001:2022 Annex A. The new organizational controls (Threat intelligence, Information security for use of cloud services, ICT readiness for business continuity) and physical control (Physical security monitoring) have already been discussed in the previous articles. Now we will look at the technological controls. The fifth article of the series explores Control 8.9 (Configuration management).



Control

Control 8.9 (Configuration management) defines the best practices for establishing and maintaining the configurations of hardware, software, services and networks to ensure that they function properly with required security settings.


Attributes

Implementation of this control helps an organization prevent security breaches caused by misconfigured devices and tools, and hence protects the confidentiality, integrity and availability of its information systems.


Implementation

The organization should establish processes and tools to configure its infrastructure (hardware and software) and services correctly and securely. Proper configurations should be maintained during the entire lifecycle of the infrastructure. Changes to configurations should be carried out in a controlled manner, in accordance with the change management process. Specific roles and responsibilities should be defined for these activities.

The configurations should reflect the organization’s security requirements and policies. All unnecessary functions and services should be disabled or restricted. Logs of configuration changes should be maintained and stored securely. Configurations should be monitored and reviewed periodically. Appropriate corrective actions must be taken to address any identified nonconformities.
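The following script is an added illustration of the mechanics described above and is not part of the article or of Sujosu Technology's own tooling. It keeps an approved baseline, detects drift from it on a device, flags enabled services the baseline does not require, and writes an audit record for each change that is linked to a change ticket. The baseline, the device's current settings, the service list and the flat "section.key" representation are all constructed assumptions.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed approved baseline for a Linux host (assumption: settings are
# represented as flat "section.key" -> value strings).
APPROVED_BASELINE = {
    "ssh.protocol": "2",
    "ssh.permit_root_login": "no",
    "ssh.password_authentication": "no",
    "ntp.enabled": "yes",
    "audit.enabled": "yes",
}

# Services the baseline does not require; if enabled they must be disabled.
UNNECESSARY_SERVICES = {"telnet", "ftp", "rsh", "finger"}

# Settings whose drift directly weakens access control or accountability.
HIGH_RISK_PREFIXES = ("ssh.", "audit.")


@dataclass(frozen=True)
class Finding:
    key: str
    expected: str | None   # None when the setting is not in the baseline
    actual: str | None     # None when the setting is missing on the device
    severity: str


def config_fingerprint(config: dict[str, str]) -> str:
    """Stable SHA-256 over the canonical JSON form, so any change is detectable."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def detect_drift(baseline: dict[str, str], current: dict[str, str]) -> list[Finding]:
    """Compare the device's current settings against the approved baseline."""
    findings = []
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual != expected:
            severity = "high" if key.startswith(HIGH_RISK_PREFIXES) else "medium"
            findings.append(Finding(key, expected, actual, severity))
    # Settings present on the device but absent from the baseline are
    # unreviewed changes: they need an owner and a review, not necessarily a rollback.
    for key in sorted(set(current) - set(baseline)):
        findings.append(Finding(key, None, current[key], "low"))
    return findings


def flag_unnecessary_services(enabled_services) -> list[Finding]:
    """Report enabled services that the baseline says should be disabled."""
    return [Finding(f"service.{name}", "disabled", "enabled", "high")
            for name in sorted(set(enabled_services) & UNNECESSARY_SERVICES)]


def record_change(device: str, before: dict, after: dict, changed_by: str, ticket: str) -> dict:
    """Build an audit-log entry for a configuration change.

    Fingerprints of both states let a later review verify the log against the
    device; the diff records only the keys that actually changed.
    """
    diff = {k: {"before": before.get(k), "after": after.get(k)}
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "device": device,
        "changed_by": changed_by,
        "ticket": ticket,   # ties the change to the change-management process
        "before_fingerprint": config_fingerprint(before),
        "after_fingerprint": config_fingerprint(after),
        "diff": diff,
    }


def review_device(device: str, current: dict[str, str], enabled_services) -> list[Finding]:
    """Periodic review: all findings for one device, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = detect_drift(APPROVED_BASELINE, current) + flag_unnecessary_services(enabled_services)
    return sorted(findings, key=lambda f: (order[f.severity], f.key))


# Constructed current state of one host for demonstration.
SAMPLE_CURRENT = {
    "ssh.protocol": "2",
    "ssh.permit_root_login": "yes",        # drifted from the baseline
    "ssh.password_authentication": "no",
    "ntp.enabled": "yes",
    "snmp.community": "public",            # not covered by the baseline
    # "audit.enabled" is missing entirely
}
SAMPLE_SERVICES = ["sshd", "telnet", "chronyd"]

if __name__ == "__main__":
    for f in review_device("host-01", SAMPLE_CURRENT, SAMPLE_SERVICES):
        print(f"[{f.severity}] {f.key}: expected={f.expected!r} actual={f.actual!r}")
    # Remediating back to the baseline produces one audit record tied to a ticket.
    print(json.dumps(record_change("host-01", SAMPLE_CURRENT, APPROVED_BASELINE,
                                   "ops-admin", "CHG-0001"), indent=2))
```

Running the script lists the missing audit setting, the enabled telnet service and the root-login drift as high-severity findings, the unreviewed SNMP setting as low, and then prints the change record that would be kept as a configuration log. In practice the baseline would be versioned alongside other configuration-as-code and the review run on a schedule.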


Artefacts

The contents and implementation of the following security policies and procedures may be impacted by the above control:

  • Change Management Policy – This policy ensures that changes to configurations are properly assessed for their impact on business operations and that appropriate measures are taken to mitigate risks.

  • Configuration Management Procedure – This procedure ensures that ICT resources are inventoried and configured in compliance with security policies, standards and procedures of the organization.

  • Security Operating Procedures – Rules for the secure configuration of devices and software may be defined within security operating procedures.

  • Configuration Logs – The logs and records of configuration changes should be protected and retained for defined time periods.

  • Internal Audit Report – Internal audits should check for correctness and security of device configurations, and compliance of configuration changes with the change management policy of the organization.


How Sujosu Technology Can Help

Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include:

  • Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure.

  • Countermeasures and Solutions: Providing tailored strategies to prevent, detect and recover from potential attacks.

  • Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures and other relevant manuals.

  • Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively.


With Sujosu Technology’s expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislation. We also organize webinars and publish articles to raise awareness of various aspects of cyber security and data privacy.


Partner with Sujosu Technology

Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders.


1 Comment


Steve John
Jul 18

ISO compliance services simplified every compliance requirement for us.
