Baseline

What is a Baseline?

Baseline is the minimum set of mandatory security controls established as standard practice across organisational systems or specific asset types. The primary implementation requirement involves hardening configurations via Annex A standards to ensure the business benefit of technical consistency, reduced vulnerability gaps, and simplified compliance audits.

A baseline is a minimum set of security controls that an organisation has decided to implement as standard practice across its systems or for a specific type of asset. While ISO 27001 is a risk-based standard, meaning you choose controls based on your specific risks, the controls listed in Annex A are often treated as a baseline set of best practices to consider.

Key Characteristics

  • Starting Point: It acts as a foundation. Organisations can start by implementing the Annex A controls and then add or remove controls based on their specific risk assessment.
  • Consistency: A baseline ensures a consistent, minimum level of security across all systems, preventing security gaps that might otherwise be overlooked.
  • Measurability: It provides a defined standard to measure against, making audits and security reviews more straightforward.

ISO 27001 Context

The ISO 27001 standard requires you to conduct a risk assessment to determine which controls from Annex A are applicable. Your Statement of Applicability (SoA) is where you justify the inclusion or exclusion of these controls, but Annex A still serves as the authoritative baseline for that selection process.

How to implement a Baseline

Implementing a security baseline is a fundamental requirement for achieving ISO 27001 compliance, providing a consistent minimum level of security across your entire estate. As a Lead Auditor, I recommend this technical roadmap to formalise your configurations, ensuring that every asset identified in your register meets a predefined standard of protection.

1. Foundation and Asset Inventory

1. Provision a Comprehensive Asset Register: Document every hardware and software asset within the organisational scope, resulting in total visibility of the attack surface that requires baseline enforcement.

2. Formalise the Risk Assessment Process: Execute a technical risk assessment for each asset class, resulting in a risk-based justification for specific baseline security settings.

  • Identify critical information assets and their owners.
  • Categorise assets by sensitivity and business impact.
  • Document the specific threats relevant to each asset category.

2. Control Selection and Standardisation

3. Categorise Minimum Control Requirements: Select a subset of Annex A controls to serve as your mandatory minimum, resulting in a clear definition of what constitutes a “secure” state for your organisation.

4. Standardise Secure Configuration Images: Create hardened system builds based on industry standards such as CIS Benchmarks, resulting in the elimination of default passwords and unnecessary services.

  • Disable all non-essential ports and protocols.
  • Implement standard builds for workstations, servers, and network devices.
  • Ensure all system clocks are synchronised to a trusted time source.

3. Documentation and Governance

5. Document the Compliance Rules of Engagement: Formalise a Rules of Engagement (ROE) document for technical staff, resulting in clear instructions on how to maintain the baseline during system changes.

6. Execute Mandatory Baseline Deployment: Provision the defined configurations across all production systems, resulting in a consistent security posture that satisfies auditor requirements for technical uniformity.

  • Integrate baseline requirements into the Change Management process.
  • Verify that third-party vendors adhere to the organisational baseline.
  • Maintain a central repository of baseline versions and updates.

4. Technical Enforcement

7. Provision Identity and Access Management (IAM) Roles: Configure RBAC templates for all system users, resulting in the technical enforcement of the Principle of Least Privilege across the baseline.

8. Enforce Multi-Factor Authentication (MFA) Standards: Deploy MFA for all remote access and privileged accounts, resulting in a robust layer of identity verification that protects the integrity of the baseline.

  • Map user roles to specific access permissions in the IAM system.
  • Set account lockout thresholds to prevent brute-force attacks.
  • Revoke access immediately upon employee offboarding or role change.

5. Maintenance and Audit

9. Audit Configuration Drift and Integrity: Provision automated vulnerability scanners and configuration monitoring tools, resulting in the rapid identification of assets that fall below the established security baseline.

10. Refine the Baseline via Management Review: Execute an annual review of the baseline effectiveness, resulting in continuous improvement of the ISMS and alignment with the evolving threat landscape.

  • Schedule monthly configuration audits for critical systems.
  • Log and investigate all unauthorised baseline modifications.
  • Report baseline compliance levels to the senior management team.

Baseline FAQ

What is a security baseline in the context of ISO 27001?

A security baseline is a documented minimum set of controls and technical configurations required to protect a specific information asset. It serves as the primary benchmark for the organisational Information Security Management System (ISMS), ensuring that 100% of deployed systems meet a standardised security posture before entering production.

How does a baseline improve compliance efficiency?

Baselines improve compliance by standardising the audit trail across all system classes. Research indicates that implementing a technical baseline can reduce audit preparation time by 40% and decrease initial configuration errors by up to 70%, providing auditors with clear evidence of consistent control application across the estate.

Which standards are commonly used to build an ISO 27001 baseline?

Organisations typically build their baselines using authoritative frameworks such as the CIS Benchmarks or NIST guidelines. These frameworks provide detailed hardening rules, often exceeding 100 specific configuration points for operating systems, which directly support the requirements of Annex A 8.9 (Configuration Management) within the ISO 27001 standard.

What is the difference between a security policy and a security baseline?

A security policy provides high-level management direction, whereas a baseline provides specific technical requirements. While a policy may state that “passwords must be strong,” a baseline defines the exact technical configuration, such as a minimum of 12 characters and the mandatory use of three distinct character types.
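The drift audit described in step 9 of the roadmap (comparing each asset against the defined secure state and flagging anything that falls below it) and the password rule used in the answer above (minimum 12 characters, three distinct character types) can both be expressed as machine-checkable baseline rules. The following Python script is an added example written for this page, not code from the author or any toolkit; the baseline values, the asset names and the configuration-snapshot format are all constructed assumptions for illustration.

```python
"""Baseline drift check over constructed asset configuration snapshots.

Added example, not part of the original page. The baseline rules, the asset
names and the snapshot layout are constructed for illustration only.
"""
from dataclasses import dataclass
import string

# Constructed baseline: the organisation's definition of a "secure" state.
BASELINE = {
    "allowed_ports": {22, 443},      # any other listening port is non-essential
    "ntp_enabled": True,             # clocks synced to a trusted time source
    "ssh_root_login": False,         # no direct privileged remote login
    "lockout_threshold_max": 5,      # failed logins allowed before lockout
    "mfa_for_privileged": True,      # MFA required on privileged accounts
    "password_min_length": 12,       # minimum of 12 characters ...
    "password_min_classes": 3,       # ... and three distinct character types
}


@dataclass
class Finding:
    """One deviation from the baseline on one asset."""
    asset: str
    control: str
    expected: object
    observed: object


def character_classes(password: str) -> int:
    """Count distinct character types present: lower, upper, digit, symbol."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def password_meets_baseline(password: str, baseline: dict = BASELINE) -> bool:
    """Apply the baseline's concrete password rule to a candidate password."""
    return (len(password) >= baseline["password_min_length"]
            and character_classes(password) >= baseline["password_min_classes"])


def check_asset(name: str, snapshot: dict, baseline: dict = BASELINE) -> list[Finding]:
    """Compare one asset's configuration snapshot against the baseline."""
    findings: list[Finding] = []
    extra_ports = set(snapshot.get("open_ports", ())) - baseline["allowed_ports"]
    if extra_ports:
        findings.append(Finding(name, "open_ports",
                                sorted(baseline["allowed_ports"]), sorted(extra_ports)))
    for key in ("ntp_enabled", "ssh_root_login", "mfa_for_privileged"):
        if snapshot.get(key) != baseline[key]:
            findings.append(Finding(name, key, baseline[key], snapshot.get(key)))
    threshold = snapshot.get("lockout_threshold")
    # A missing threshold is treated as drift: "unknown" is not compliant.
    if threshold is None or threshold > baseline["lockout_threshold_max"]:
        findings.append(Finding(name, "lockout_threshold",
                                f"<= {baseline['lockout_threshold_max']}", threshold))
    policy = snapshot.get("password_policy", {})
    if (policy.get("min_length", 0) < baseline["password_min_length"]
            or policy.get("min_classes", 0) < baseline["password_min_classes"]):
        findings.append(Finding(name, "password_policy",
                                {"min_length": baseline["password_min_length"],
                                 "min_classes": baseline["password_min_classes"]},
                                policy))
    return findings


def audit(snapshots: dict) -> dict[str, list[Finding]]:
    """Run the drift check over every asset in the register."""
    return {name: check_asset(name, snap) for name, snap in snapshots.items()}


def compliance_ratio(results: dict) -> float:
    """Share of audited assets with no findings, for the management report."""
    return sum(1 for f in results.values() if not f) / len(results)


# Constructed snapshots standing in for what a configuration scanner would collect.
SNAPSHOTS = {
    "web-01": {"open_ports": [22, 443], "ntp_enabled": True, "ssh_root_login": False,
               "mfa_for_privileged": True, "lockout_threshold": 5,
               "password_policy": {"min_length": 12, "min_classes": 3}},
    "db-01": {"open_ports": [22, 23], "ntp_enabled": True, "ssh_root_login": True,
              "mfa_for_privileged": True, "lockout_threshold": 10,
              "password_policy": {"min_length": 8, "min_classes": 3}},
}

if __name__ == "__main__":
    results = audit(SNAPSHOTS)
    for asset, findings in results.items():
        for f in findings:
            print(f"{f.asset}: {f.control} expected {f.expected}, observed {f.observed}")
    print(f"baseline compliance: {compliance_ratio(results):.0%}")
```

Each finding records the asset, the control, the expected value and the observed value, which is the evidence an auditor asks for when a system falls below the baseline; the compliance ratio is the figure step 10 reports to senior management. Treating a missing setting as a finding rather than a pass is deliberate: an asset whose state cannot be verified has not met the baseline.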

How often should an ISO 27001 security baseline be reviewed?

Security baselines must be reviewed at least annually or immediately following a major system change or a significant security incident. In 2024, data shows that 60% of technical vulnerabilities were mitigated through proactive baseline updates, highlighting the necessity of aligning configurations with the evolving threat landscape and updated ISO guidance.

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
