Implementing ISO 27001 Annex A 8.9 is a foundational security discipline that mandates secure configuration management across the entire IT estate. By defining technical baselines and implementing continuous monitoring for configuration drift, organizations ensure system integrity and eliminate vulnerabilities arising from insecure default settings or unauthorized changes.
Table of contents
- ISO 27001 Annex A Configuration Management Implementation Checklist
- 1. Adopt Industry-Standard Security Baselines
- 2. Disable Unnecessary Services and Ports
- 3. Change Vendor Default Passwords Immediately
- 4. Create and Maintain “Golden Images”
- 5. Implement Configuration-as-Code (IaC)
- 6. Scrub Hardcoded Secrets from Config Files
- 7. Deploy Automated Drift Detection
- 8. Secure the Boot Process (BIOS/UEFI)
- 9. Review Firewall and ACL Rules Regularly
- 10. Validate with Vulnerability Scanning
- ISO 27001 Annex A 8.9 SaaS / GRC Platform Implementation Failure Checklist
ISO 27001 Annex A Configuration Management Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.9. Configuration management is not about writing a policy; it is about establishing technical baselines, hardening systems against CIS benchmarks, and actively monitoring for drift.
1. Adopt Industry-Standard Security Baselines
Control Requirement: Configurations must be established, documented, implemented, monitored, and reviewed.
Required Implementation Step: Do not invent your own security standards. Download the CIS (Center for Internet Security) Benchmarks relevant to your OS (e.g., Windows Server 2022, Ubuntu 22.04) and apply the “Level 1” profile. Document any necessary deviations in a technical exception register.
Minimum Requirement: Evidence of a recognised hardening standard applied to all assets.
2. Disable Unnecessary Services and Ports
Control Requirement: The principle of least functionality must be applied.
Required Implementation Step: Run netstat -an or nmap on your build images. Identify and disable any service not required for the server’s specific role (e.g., Print Spooler on a Web Server, Telnet, FTP). Uninstall the binaries entirely to prevent accidental re-enablement.
Minimum Requirement: If the service is not needed for business, it must be disabled.
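As an added example (not code from the original checklist), the following Python script turns the netstat step into a repeatable check: it parses `netstat -an` output, keeps only listening sockets, and reports anything not in a per-role baseline. The sample netstat text, the role baseline and the port-name table are constructed for this example.

```python
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port")

# Constructed sample of `netstat -an` output (Linux layout) from a hypothetical web-server
# build image; the ESTABLISHED line is included to show that non-listening sockets are ignored.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:443            10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Hypothetical per-role baselines: the (protocol, port) pairs a server of that role needs.
# Anything listening outside this set is a candidate for disabling and uninstalling.
ROLE_BASELINES = {
    "web": {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 123)},
}

# Well-known names so findings read sensibly in the exception register.
PORT_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 123: "ntp", 443: "https"}


def parse_listeners(netstat_output):
    """Extract listening sockets: TCP sockets in LISTEN state and every bound UDP socket."""
    listeners = set()
    for line in netstat_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""  # UDP rows carry no State column
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        addr, _, port = local.rpartition(":")  # works for IPv4 and for ':::22'
        listeners.add(Listener(proto.rstrip("6"), addr, int(port)))
    return listeners


def unexpected_listeners(listeners, role):
    """Return sorted (proto, port, name) triples that the role baseline does not permit."""
    allowed = ROLE_BASELINES[role]
    extra = {(l.proto, l.port) for l in listeners} - allowed
    return sorted((proto, port, PORT_NAMES.get(port, "unknown")) for proto, port in extra)


if __name__ == "__main__":
    for proto, port, name in unexpected_listeners(parse_listeners(SAMPLE_NETSTAT), "web"):
        print(f"{proto}/{port} ({name}) is listening but is not in the 'web' baseline")
```

Run against a real build image by piping `netstat -an` into `parse_listeners`; each reported port is either disabled and uninstalled or written into the exception register with a justification.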
3. Change Vendor Default Passwords Immediately
Control Requirement: Default authentication credentials must be changed before use.
Required Implementation Step: Audit every new piece of hardware (Firewalls, Switches, IoT, UPS cards). Change the default admin/admin credentials to complex, unique passwords stored in a PAM (Privileged Access Management) vault. Disable the default ‘Administrator’ and ‘Root’ accounts where possible.
Minimum Requirement: Zero devices on the network with factory default credentials.
4. Create and Maintain “Golden Images”
Control Requirement: Standardised configurations should be deployed to prevent inconsistency.
Required Implementation Step: Build a “Golden Image” or template for workstations and servers that includes all security hardening, EDR agents, and logging configurations. Deploy exclusively from this image. Never allow IT staff to manually build a server “from scratch” using a vanilla ISO.
Minimum Requirement: Automated deployment ensures identical security posture across the fleet.
5. Implement Configuration-as-Code (IaC)
Control Requirement: Changes to configurations must be controlled and auditable.
Required Implementation Step: Use tools like Ansible, Terraform, or Group Policy Objects (GPO) to manage configurations. Store these configuration files in a version-controlled repository (Git). This ensures every change to a firewall rule or server setting is tracked, authorised, and reversible.
Minimum Requirement: No manual “on the fly” changes by admins RDP-ing into servers.
6. Scrub Hardcoded Secrets from Config Files
Control Requirement: Sensitive information must not be stored in clear text within configuration files.
Required Implementation Step: Scan scripts and web.config files for hardcoded API keys, database connection strings, or passwords. Replace them with calls to a Secrets Manager (e.g., Azure Key Vault, HashiCorp Vault) or use Managed Identities.
Minimum Requirement: A config file leak must not result in a credential breach.
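Added example, not part of the original checklist: a small scanner that flags hardcoded secrets in configuration files while exempting lines that fetch the value at runtime from a vault, a managed identity or the environment. The detection patterns, the exemption markers (other than the real Azure Key Vault reference syntax) and the two sample files are constructed for this example; the `AKIA...` value is AWS's documentation placeholder, not a live key.

```python
import re

# Detection rules, written for this example: (rule name, regex) pairs.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)secret[_-]?access[_-]?key\s*[:=]\s*[\"'][A-Za-z0-9/+=]{40}[\"']")),
    ("password_literal", re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*[\"']?[^\"';\s]+")),
    ("api_key_literal", re.compile(r"(?i)\bapi[_-]?key\b\s*[:=]\s*[\"'][^\"']{8,}[\"']")),
]

# Lines that resolve the secret at runtime are exactly what item 6 asks for, so they are exempt.
# The @Microsoft.KeyVault(...) form is the real Azure App Service reference syntax; the other
# markers are assumptions for this example.
SAFE_REFERENCE = re.compile(
    r"(?i)(@Microsoft\.KeyVault\(|process\.env\.|os\.environ|\$\{[A-Z0-9_]+\}|vault://)"
)

# Constructed sample files.
SAMPLE_FILES = {
    "web.config": """\
<connectionStrings>
  <add name="Main" connectionString="Server=db01;Database=app;User Id=sa;Password=Winter2024!;" />
</connectionStrings>
<appSettings>
  <add key="PaymentApiKey" value="@Microsoft.KeyVault(SecretUri=https://kv.vault.azure.net/secrets/payment-key/)" />
</appSettings>
""",
    "config.js": """\
// constructed sample
const aws = { accessKeyId: "AKIAIOSFODNN7EXAMPLE", secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" };
const dbPassword = process.env.DB_PASSWORD;
const api_key = "constructed-api-key-0123456789";
""",
}


def scan_text(name, text):
    """Return (file, line number, rule) for every line holding a literal secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SAFE_REFERENCE.search(line):
            continue  # value is fetched at runtime, not stored in the file
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((name, lineno, rule))
    return findings


def scan_files(files):
    """Scan a mapping of file name -> contents (swap in a directory walk for real repos)."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for name, lineno, rule in scan_files(SAMPLE_FILES):
        print(f"{name}:{lineno}: {rule} - move this value into the secrets manager")
```

Wire `scan_files` into a pre-commit hook or CI job so a commit containing a literal credential is rejected before it reaches the repository; the exemption list is the place to register the reference syntax of whichever secrets manager the organisation standardises on.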
7. Deploy Automated Drift Detection
Control Requirement: Monitor configurations for unauthorised changes.
Required Implementation Step: Install File Integrity Monitoring (FIM) tools (e.g., Tripwire, OSSEC) to watch critical system files (e.g., /etc/passwd, System32/drivers). Configure alerts to trigger immediately if a configuration file is modified outside of a scheduled change window.
Minimum Requirement: You must know if an attacker (or a rogue admin) changes a setting silently.
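The mechanics behind a FIM tool, as an added example rather than code from the original page or from Tripwire or OSSEC: hash every watched file into a baseline, diff a later snapshot against it, and raise an alert for any change seen outside an approved change window. The watched file names, the sample contents, the simulated changes and the Saturday-night change window are all constructed for this example and are created in a temporary directory.

```python
import hashlib
import os
import tempfile
from datetime import datetime, time

# Hypothetical approved change window: Saturday (weekday 5), 22:00 to 23:59.
CHANGE_WINDOWS = [(5, time(22, 0), time(23, 59))]


def hash_file(path):
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(watched_paths):
    """Snapshot of path -> hash for every watched file that currently exists."""
    return {p: hash_file(p) for p in watched_paths if os.path.isfile(p)}


def detect_drift(baseline, current):
    """Compare two snapshots; every difference is a configuration change to account for."""
    return {
        "added": [p for p in current if p not in baseline],
        "removed": [p for p in baseline if p not in current],
        "modified": [p for p in current if p in baseline and current[p] != baseline[p]],
    }


def in_change_window(when, windows=CHANGE_WINDOWS):
    """`when` is a datetime or an ISO-8601 string as an agent would log it."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return any(day == when.weekday() and start <= when.time() <= end
               for day, start, end in windows)


def alerts_for(drift, observed_at, windows=CHANGE_WINDOWS):
    """Outside an approved window every drifted path is an alert; inside, change is expected."""
    if in_change_window(observed_at, windows):
        return []
    return sorted(drift["added"] + drift["removed"] + drift["modified"])


def run_demo():
    """Constructed scenario: take a baseline, then apply three kinds of drift."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        initial = {
            "passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "sshd_config": "PermitRootLogin no\n",
            "hosts": "127.0.0.1 localhost\n",
        }
        for name, content in initial.items():
            with open(os.path.join(etc, name), "w") as fh:
                fh.write(content)
        watched = [os.path.join(etc, n) for n in ("passwd", "sshd_config", "hosts", "sudoers")]
        baseline = build_baseline(watched)

        # Simulated unauthorised changes: a setting weakened, a file added, a file deleted.
        with open(os.path.join(etc, "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\n")
        with open(os.path.join(etc, "sudoers"), "w") as fh:
            fh.write("newadmin ALL=(ALL) NOPASSWD: ALL\n")
        os.remove(os.path.join(etc, "hosts"))

        drift = detect_drift(baseline, build_baseline(watched))
        return {k: sorted(os.path.basename(p) for p in v) for k, v in drift.items()}


if __name__ == "__main__":
    print(run_demo())
```

In production the baseline is re-taken only after an approved change closes, so that a change made during the window but never ticketed still surfaces as drift at the next comparison.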
8. Secure the Boot Process (BIOS/UEFI)
Control Requirement: Prevent unauthorised changes to the boot order.
Required Implementation Step: Set a strong BIOS/UEFI password on all physical endpoints to prevent booting from USB drives. Enable Secure Boot to ensure only signed OS loaders can execute, preventing rootkits from loading before the OS.
Minimum Requirement: Physical access must not grant easy administrative access via external media.
9. Review Firewall and ACL Rules Regularly
Control Requirement: Network configurations must remain relevant and secure.
Required Implementation Step: Schedule a quarterly review of firewall rulesets and switch ACLs. Remove “temporary” allow rules that were created for testing but never deleted. Ensure the “Cleanup Rule” (Deny All) is strictly at the bottom of the list.
Minimum Requirement: Remove any rule labeled “Test” or “Temp” older than 30 days.
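An added example (not code from the original checklist) that automates the quarterly review: it takes a vendor-neutral rule list and reports stale "Temp"/"Test" rules over 30 days old, any/any allow rules, a cleanup rule that is not last, and rules shadowed behind it. The ruleset, its ids, names, addresses and dates are constructed for this example.

```python
from datetime import date, timedelta

# Constructed, vendor-neutral ruleset (hypothetical ids, names, addresses and dates).
RULES = [
    {"id": 1, "name": "Allow-Web-In", "src": "any", "dst": "10.0.1.10", "port": "443",
     "action": "allow", "created": date(2021, 3, 1)},
    {"id": 2, "name": "Temp-vendor-ssh", "src": "203.0.113.7", "dst": "10.0.2.5", "port": "22",
     "action": "allow", "created": date(2024, 1, 15)},
    {"id": 3, "name": "Test-any-any", "src": "any", "dst": "any", "port": "any",
     "action": "allow", "created": date(2024, 5, 20)},
    {"id": 4, "name": "Cleanup-Deny-All", "src": "any", "dst": "any", "port": "any",
     "action": "deny", "created": date(2019, 1, 1)},
    {"id": 5, "name": "Allow-Mgmt-Rdp", "src": "10.0.9.0/24", "dst": "10.0.2.5", "port": "3389",
     "action": "allow", "created": date(2024, 5, 28)},
]

TEMP_MARKERS = ("temp", "test")      # name fragments the checklist says to age out
MAX_TEMP_AGE = timedelta(days=30)


def is_any_any(rule):
    return rule["src"] == "any" and rule["dst"] == "any" and rule["port"] == "any"


def review(rules, today):
    """Return (rule id, issue) findings; `today` is a date or ISO string so reviews are reproducible."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []

    # The cleanup rule is the first explicit deny of any/any; it must exist and be last.
    cleanup_idx = next((i for i, r in enumerate(rules)
                        if r["action"] == "deny" and is_any_any(r)), None)
    if cleanup_idx is None:
        findings.append((None, "no explicit deny-all cleanup rule"))
    elif cleanup_idx != len(rules) - 1:
        findings.append((rules[cleanup_idx]["id"], "cleanup rule is not the last rule"))
        for r in rules[cleanup_idx + 1:]:
            findings.append((r["id"], "never matches: placed after the deny-all rule"))

    for r in rules:
        name = r["name"].lower()
        age = today - r["created"]
        if any(marker in name for marker in TEMP_MARKERS) and age > MAX_TEMP_AGE:
            findings.append((r["id"], f"temporary rule is {age.days} days old (limit {MAX_TEMP_AGE.days})"))
        if r["action"] == "allow" and is_any_any(r):
            findings.append((r["id"], "any/any allow rule"))
    return findings


if __name__ == "__main__":
    for rule_id, issue in review(RULES, date.today()):
        print(f"rule {rule_id}: {issue}")
```

Export the live ruleset from the firewall's API or CLI into the same dictionary shape and run `review` on a schedule; each finding becomes a change ticket to delete or re-justify the rule.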
10. Validate with Vulnerability Scanning
Control Requirement: Verify that configurations effectively mitigate vulnerabilities.
Required Implementation Step: Configure your vulnerability scanner (e.g., Nessus, Qualys) to perform “Credentialed Scans”. This allows the scanner to log in and check registry keys and local policies against the hardening baseline, rather than just checking for missing patches.
Minimum Requirement: Scans must look inside the OS configuration, not just at the network perimeter.
ISO 27001 Annex A 8.9 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Hardening Benchmarks | GRC tool asks: “Are servers hardened?” (Yes/No). | You clicked “Yes”, but you are running Windows Server with default settings. One SMBv1 vulnerability and the network is ransomed. |
| Default Passwords | “We have a policy against default passwords.” | The CCTV system installed by a contractor still has admin/12345. Attackers use it to pivot into the corporate LAN. |
| Golden Images | “We manually install Windows.” | The Junior Tech forgot to enable the Firewall on the new laptop. Manual builds lead to inconsistent security holes. |
| Drift Detection | “We trust our admins.” | A developer disabled the Antivirus to test some code and forgot to turn it back on. Without drift detection, you have no idea it’s off. |
| Configuration Backup | “We back up the data.” | The firewall hardware failed. You have the data, but you didn’t back up the firewall config. It takes 3 days to rebuild the rules manually. |
| Secrets in Code | “Our repo is private.” | A contractor cloned the repo to their personal machine. The hardcoded AWS keys in config.js are now on their insecure laptop. |
| Review Cycle | Reviewing the policy document annually. | The firewall has 500 “Any/Any” rules accumulated over 5 years. The policy is fine, but the actual technical configuration is a disaster. |