How to Implement ISO 27001:2022 Annex A 8.9: Configuration Management

We have all been there. A server isn’t connecting to an application, so a helpful sysadmin temporarily disables the firewall “just to test.” It works, everyone is happy, and they move on to the next ticket. Six months later, you suffer a breach because that firewall was never turned back on.

This phenomenon is called “configuration drift,” and it is the silent killer of information security. ISO 27001:2022 Annex A 8.9 is the control designed to stop this. It moves you away from the “wild west” of ad-hoc settings and towards a disciplined, documented, and secure state for all your technology.

What is Annex A 8.9?

In the 2022 update of the standard, Annex A 8.9 is a new explicit control titled Configuration Management. It requires that configurations (including security settings) of hardware, software, services, and networks are established, documented, implemented, monitored, and reviewed.

Think of it as the “recipe” for your IT assets. If you were baking a cake, you wouldn’t just guess the ingredients every time; you would follow a recipe to ensure consistency. Annex A 8.9 demands that you have a “security recipe” (a baseline) for every laptop, server, and router you deploy.

The “Default” Trap

One of the primary reasons this control exists is to stop the habit of deploying systems with manufacturer default settings. Out-of-the-box settings are designed for compatibility, not security. They often come with default passwords (admin/admin), unnecessary open ports, and “guest” accounts enabled.

Implementing Annex A 8.9 means your first step is always to change these defaults before a device ever touches your live network.

Step 1: Create Secure Baselines (Golden Images)

You cannot secure what you haven’t defined. The core of this control is the Secure Baseline (or Standard Build).

For every type of asset you use (Windows 11 Laptops, Linux Web Servers, AWS S3 Buckets, etc.), you need a document that defines exactly how it should be configured. This document should list:

  • User Accounts: Which default accounts are disabled? Who gets admin rights?
  • Services: Which unnecessary services (like Print Spooler on a Web Server) are turned off?
  • Network: Which ports are open? Which are blocked?
  • Software: What is the standard antivirus or EDR agent installed?

Pro Tip: Don’t invent this yourself. Use industry standards like the CIS Benchmarks as your starting point, then customize them for your business needs.

Step 2: Hardening Your Systems

Once you have your baseline, you need to enforce it. This process is called “hardening.” Ideally, this should be automated.

Instead of manually clicking through settings on every new laptop (which invites human error), use tools like Microsoft Intune, Group Policy, or Ansible to push these configurations out automatically. If a device doesn’t match the hardened baseline, it shouldn’t be allowed on the network.

Step 3: Monitor for “Drift”

This is where the “Monitoring” part of the control comes in. A system might start perfectly secure on Day 1, but after a year of patches, hotfixes, and “quick tweaks,” it might look very different.

You need a process (or tool) that periodically checks your live systems against your documented baseline. If a developer opens Port 22 (SSH) on a server that shouldn’t have it, your monitoring system should flag this as a “Configuration Incident.”

Step 4: Manage Changes

Annex A 8.9 is best friends with Annex A 8.32 (Change Management). You cannot effectively manage configurations if people are allowed to change them on a whim.

If you need to change a baseline—for example, opening a new port for a new application—this must go through a formal Change Control process. The request is reviewed, the security impact is assessed, and then the baseline document is updated. If you change the system but not the documentation, you have failed the control.
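Steps 1 to 4 above describe one loop: write the baseline down, check live systems against it, raise a "Configuration Incident" on any deviation, and change the baseline only through an approved change request. The Python script below is an added example of that loop and is not code from the original article or from any product it mentions. The baseline fields, the "web01" live snapshot and the change ticket are all constructed for illustration; in a real deployment the snapshot would be collected by your inventory or configuration tool (Ansible facts, Intune reports, an EDR console) rather than typed in by hand.

```python
"""Baseline drift checker (added example; assumptions are noted in comments)."""
from dataclasses import dataclass, field, replace
from typing import List, Set


@dataclass
class Baseline:
    """Step 1: the documented 'security recipe' for one asset type."""
    asset_type: str
    version: int
    open_ports: Set[int]
    disabled_services: Set[str]
    disabled_accounts: Set[str]
    admin_users: Set[str]
    required_agent: str
    change_log: List[str] = field(default_factory=list)


@dataclass
class Finding:
    """Step 3: one deviation from the baseline, i.e. a 'Configuration Incident'."""
    host: str
    category: str
    detail: str


def detect_drift(baseline: Baseline, host: str, live: dict) -> List[Finding]:
    """Compare a live configuration snapshot against the documented baseline."""
    findings: List[Finding] = []
    # Listening ports the baseline does not permit (e.g. SSH on a web server).
    for port in sorted(set(live["open_ports"]) - baseline.open_ports):
        findings.append(Finding(host, "network", f"port {port} open but not in baseline"))
    # Services that must be off but are running.
    for svc in sorted(baseline.disabled_services & set(live["running_services"])):
        findings.append(Finding(host, "services", f"service '{svc}' running but must be disabled"))
    # Accounts that must be disabled but are still enabled.
    for acct in sorted(baseline.disabled_accounts & set(live["enabled_accounts"])):
        findings.append(Finding(host, "accounts", f"account '{acct}' enabled but must be disabled"))
    # Admin rights granted beyond the documented list.
    for user in sorted(set(live["admin_users"]) - baseline.admin_users):
        findings.append(Finding(host, "accounts", f"'{user}' has admin rights not in baseline"))
    # Required antivirus/EDR agent missing.
    if baseline.required_agent not in live["installed_agents"]:
        findings.append(Finding(host, "software",
                                f"required agent '{baseline.required_agent}' not installed"))
    return findings


def apply_change(baseline: Baseline, ticket: dict) -> Baseline:
    """Step 4: the baseline changes only through an approved change ticket, and the
    document (version, change log) is updated together with the system."""
    if ticket.get("status") != "approved":
        raise PermissionError(f"change {ticket['id']} is not approved; baseline unchanged")
    new_version = baseline.version + 1
    return replace(
        baseline,
        version=new_version,
        open_ports=baseline.open_ports | set(ticket.get("add_ports", [])),
        change_log=baseline.change_log + [f"v{new_version}: {ticket['id']} {ticket['reason']}"],
    )


# Constructed baseline for a 'Linux Web Server' (assumption: values are illustrative).
WEB_SERVER_V1 = Baseline(
    asset_type="Linux Web Server", version=1,
    open_ports={80, 443}, disabled_services={"cups", "telnet"},
    disabled_accounts={"guest"}, admin_users={"ops"}, required_agent="edr-agent",
)

# Constructed live snapshot of host 'web01': someone opened SSH, left the print
# spooler running and granted a developer admin rights outside change control.
LIVE_WEB01 = {
    "open_ports": [22, 80, 443],
    "running_services": ["nginx", "cups"],
    "enabled_accounts": ["ops", "www-data"],
    "admin_users": ["ops", "dev1"],
    "installed_agents": ["edr-agent"],
}

if __name__ == "__main__":
    for f in detect_drift(WEB_SERVER_V1, "web01", LIVE_WEB01):
        print(f"CONFIGURATION INCIDENT [{f.category}] {f.host}: {f.detail}")
    ticket = {"id": "CHG-0042", "status": "approved",
              "reason": "SSH from bastion only", "add_ports": [22]}
    v2 = apply_change(WEB_SERVER_V1, ticket)
    print(f"baseline now v{v2.version}, change log: {v2.change_log}")
```

Run against the constructed snapshot, the checker reports three incidents (port 22, the cups service, and dev1's admin rights). Once the SSH port is added through the approved ticket, the baseline becomes version 2 with a logged change and the same snapshot produces only two incidents; an unapproved ticket leaves the baseline untouched. Keeping the version and change log inside the baseline object is what stops the "three copies of Server_Build_Standard.docx" problem from the pitfalls below.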

Common Pitfalls to Avoid

  • The “Paper-Only” Baseline: Having a beautiful secure build document that sits in a drawer while your actual servers are configured totally differently. An auditor will check the reality against the document.
  • Ignoring Cloud Services: This isn’t just for physical servers. Your AWS Security Groups, Azure AD settings, and Microsoft 365 tenant configurations all need baselines too.
  • Lack of Version Control: If you have three versions of “Server_Build_Standard.docx” and nobody knows which one is current, you are in trouble.

How to Fast-Track Compliance

Creating configuration standards for every device type can feel like a mountain of paperwork. If you don’t have the time to research CIS benchmarks and write policies from scratch, Hightable.io offers comprehensive ISO 27001 toolkits.

Their templates include pre-written Configuration Management Policies and Standard Build checklists that you can simply adapt to your environment, saving you weeks of effort and ensuring you meet the auditor’s expectations.

Conclusion

Implementing ISO 27001 Annex A 8.9 is about discipline. It forces you to stop treating IT infrastructure as an art form and start treating it as a science. By establishing secure baselines, hardening your systems, and watching like a hawk for changes, you not only pass your audit but significantly reduce your attack surface.

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
