ISO 27001 Annex A 8.9 is a security control that requires organizations to define and maintain secure configuration baselines for all hardware, software, services, and networks. By enforcing documented standards and monitoring for unauthorized changes (configuration drift), this control ensures systems are “hardened” by default, preventing vulnerabilities caused by default settings or unpatched services.
In this guide, I will show you exactly how to implement ISO 27001 Annex A 8.9 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 8.9 Configuration Management
ISO 27001 Annex A 8.9 is a new control in the 2022 update. It requires organizations to establish, document, and manage the technical configurations (the “Standard Build”) of their hardware, software, and services. The goal is to ensure that systems are “hardened” by default, preventing security incidents caused by unpatched services, default passwords, or open ports.
Core requirements for compliance include:
- Standard Build Templates: You must define exactly what a “secure” device looks like before it is given to a user. This includes disabling unused services, enforcing auto-lock, and removing default manufacturer passwords.
- Avoid “Configuration Drift”: Once a system is live, its settings can change. You must monitor your systems to ensure they haven’t “drifted” away from your secure baseline (e.g., a developer temporarily opening a port and forgetting to close it).
- Integration with Change Management: Any change to a critical configuration must be authorized. You shouldn’t tweak firewall rules or server settings without a record of who authorized it and why.
- Use of Industry Benchmarks: Rather than guessing, the standard encourages using recognized standards like CIS Benchmarks or NIST guidelines to define your secure configurations.
Audit Focus: Auditors will look for “The Blueprint vs. The Reality”:
- Documentation: “Show me the standard build checklist for a new company laptop.”
- Verification: They will perform a “spot check” on a random device: “Show me that ‘Guest Accounts’ are disabled on this machine, as per your policy.”
- Governance: “Show me the last time you reviewed your cloud (AWS/Azure) configurations for security gaps.”
Standard Build Checklist (Hardening Basics):
| Component | Standard Setting | Why it matters |
|---|---|---|
| Default Passwords | Disabled / Changed | Prevents “Out of the box” credential attacks. |
| Unused Ports | Closed (e.g., Telnet, FTP) | Reduces the “Attack Surface” of the device. |
| Guest Accounts | Disabled | Prevents anonymous access to the local system. |
| Auto-Run | Disabled (for USBs/CDs) | Stops the automatic spread of malware via hardware. |
| OS Updates | Automatic / Managed | Ensures critical security patches are always applied. |
Table of Contents
- Key Takeaways: ISO 27001 Annex A 8.9 Configuration Management
- What is ISO 27001 Annex A 8.9?
- ISO 27001 Annex A 8.9 Free Training Video
- ISO 27001 Annex A 8.9 Explainer Video
- ISO 27001 Annex A 8.9 Podcast
- ISO 27001 Annex A 8.9 Implementation Guidance
- How to implement ISO 27001 Annex A 8.9
- Standard Build Checklist
- How to pass an ISO 27001 Annex A 8.9 audit
- Top 3 ISO 27001 Annex A 8.9 mistakes and how to avoid them
- Applicability of ISO 27001 Annex A 8.9 across different business models.
- Fast Track ISO 27001 Annex A 8.9 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 8.9 FAQ
- Controls and Attribute Values
What is ISO 27001 Annex A 8.9?
ISO 27001 Annex A 8.9 is about configuration management, which means you need to document and implement the technical configurations of your systems and software.
ISO 27001 Annex A 8.9 Configuration Management is an ISO 27001 control that looks to make sure you have configured your software and hardware, documented that configuration, and are monitoring and reviewing it.
The focus of this ISO 27001 Annex A control is having standard, secure configurations for software and hardware. As one of the ISO 27001 controls, this is about having configurations in place and managing them.
ISO 27001 Annex A 8.9 Purpose
The purpose of Annex A 8.9 Configuration Management is to ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorised or incorrect changes.
ISO 27001 Annex A 8.9 Definition
The ISO 27001 standard defines Annex A 8.9 as:
Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
ISO 27001:2022 Annex A 8.9 Configuration Management
ISO 27001 Annex A 8.9 Free Training Video
In the video ISO 27001 Configuration Management Explained – ISO27001:2022 Annex A 8.9 I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 8.9 Explainer Video
In this beginner’s guide to ISO 27001 Annex A 8.9 Configuration Management, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.
ISO 27001 Annex A 8.9 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001:2022 Annex A 8.9 Configuration Management. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 8.9 Implementation Guidance
Document Configuration Management
My advice when starting out with configuration management is to document before you implement, if you can. Work out what your secure configurations should be, based on vendor advice, industry best practice and your own needs. It may be that you can’t, because you already have an environment in place and are trying to retrofit, but if you can do it first, do it first.
We know that when we purchase hardware and software it comes with the vendor’s standard default set-up. Clearly it has to be this way, as vendors cannot account for every use case. Those defaults can include default passwords, and services that should be locked down or closed being left open.
To document it, if you can, get your hands on vendor or industry templates for the thing you are trying to secure. Sure, the actual configuration set-up itself can be enough, but for belt and braces, documenting it in templates allows a couple of other things to happen. It enables the change management cycle, which includes the processes and steps for authorisation. With documentation you can show previous states and evidence that changes to configuration were effectively managed.
What to document
What kind of things can you consider in your templates and documentation? Well, here are a few of the common ones. Clearly access management and the use of admin accounts will be documented. You are going to remove or disable services that you do not need, and document those. Clocks are going to be synchronised and the mechanism for that recorded. Default user names and passwords are going to be removed. You are also going to tie back to licensing to make sure you have licenses for the things you are configuring.
Configuration Changes
For changes you will follow your change management process. In that you will have records of configuration changes that show owners, what the change was, when it was changed, the version of the configuration or template and where needed the relation to other assets.
Configuration Monitoring and Review
Once that configuration is in place you are going to monitor those configurations and review them. Depending on how big and complex you are you may benefit from deploying tools. If you find that the configurations do not match your templates and requirements then you follow your corrective action and risk management processes.
How to implement ISO 27001 Annex A 8.9
Establishing robust configuration management is essential for maintaining system integrity and ensuring that all hardware, software, and network components are deployed in a secure, standardised state. By following these technical steps, your organisation can satisfy the requirements of ISO 27001 Annex A 8.9 and mitigate the risks associated with configuration drift and unauthorised changes.
1. Formalise Configuration Baselines and Policies
- Identify and document secure configuration baselines for all asset types, utilising industry standards such as CIS Benchmarks or NIST guidelines.
- Draft a formal Configuration Management Policy and Rules of Engagement (ROE) document that defines the technical standards for hardening operational systems.
- Result: A centralised governance framework that ensures all infrastructure is provisioned according to a verified security minimum.
2. Provision Automated Configuration Management Tools
- Deploy Infrastructure as Code (IaC) or Configuration Management Database (CMDB) tools to automate the deployment and tracking of system settings.
- Utilise tools such as Ansible, Terraform, or Microsoft Intune to enforce policy-based configurations across cloud and on-premises environments.
- Result: Elimination of manual errors and the ability to rapidly scale secure deployments while maintaining a consistent technical state.
3. Restrict Configuration Access via IAM and MFA
- Enforce the Principle of Least Privilege by assigning specific Identity and Access Management (IAM) roles for configuration modification tasks.
- Mandate Multi-Factor Authentication (MFA) for all administrative interfaces and console access used to adjust system parameters or security groups.
- Result: Prevention of unauthorised tampering and protection against credential-based attacks targeting critical infrastructure settings.
4. Implement Change Control and Versioning Processes
- Integrate all configuration files into a version control system to maintain a complete history of changes, rollbacks, and author attributions.
- Establish a formal change management workflow that requires technical review and management sign-off before any baseline modification is pushed to production.
- Result: A transparent and auditable change history that supports rapid troubleshooting and compliance verification.
5. Execute Continuous Monitoring for Configuration Drift
- Provision automated scanning tools to perform real-time integrity checks and detect deviations from the established security baselines.
- Configure automated alerts within a SIEM platform to notify the security team when a non-compliant configuration change is detected on a critical asset.
- Result: Immediate visibility into unauthorised changes, allowing for rapid remediation before vulnerabilities can be exploited.
6. Perform Periodic Configuration Audits and Reviews
- Conduct quarterly technical audits to verify that the operational state of the environment matches the documented configuration baselines.
- Revoke access for any outdated or “orphan” administrative accounts discovered during the review process to maintain environment hygiene.
- Result: Sustained compliance with ISO 27001 standards and the continuous improvement of the organisational security posture.
Standard Build Checklist
An example standard build checklist, in line with the CIS Benchmarks:
| Component | Standard Setting (Hardening) | Reason |
|---|---|---|
| Default Passwords | DISABLED / CHANGED | Prevent default credential attacks. |
| Unused Ports | CLOSED (e.g., Telnet port 23) | Reduce attack surface. |
| Guest Account | DISABLED | Prevent anonymous access. |
| Auto-Run | DISABLED (on USBs) | Prevent malware spread. |
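The drift monitoring in steps 4 and 5 above boils down to comparing what a collector reports from each device with the standard build and deciding whether any deviation was authorised. This added example (my own illustration, not code from the page or from any tool it names) does that for the checklist items in the table; the hostnames, observed states, severity ranking and the change reference are constructed assumptions.

```python
"""Configuration drift check against a documented standard build baseline.
Added example, not code from the page or any tool it names; baseline items
mirror the page's Standard Build Checklist, while hostnames, observed states
and the change reference are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# Approved baseline: what a device must show before it is handed to a user.
BASELINE = {
    "default_passwords_changed": True,   # manufacturer passwords removed
    "telnet_port_23_open": False,        # unused services closed
    "ftp_port_21_open": False,
    "guest_account_enabled": False,
    "autorun_enabled": False,            # no auto-run for USB/CD media
    "os_updates": "automatic",
    "clock_sync": "ntp",                 # mechanism recorded, per 'What to document'
}
# Assumed severity ranking used to order corrective action; not from the standard.
SEVERITY = {"default_passwords_changed": "critical", "telnet_port_23_open": "high",
            "ftp_port_21_open": "high", "guest_account_enabled": "high",
            "autorun_enabled": "medium", "os_updates": "medium", "clock_sync": "low"}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Drift:
    host: str
    setting: str
    expected: object
    observed: object
    severity: str
    change_ref: Optional[str]  # set when the deviation was authorised via change management

def check_drift(host, observed, authorised, baseline=BASELINE):
    """Findings for one host, most severe first. A setting the collector did not
    report counts as drift: an unknown state cannot be shown to match the blueprint."""
    findings = [Drift(host, s, exp, observed.get(s, "UNKNOWN"), SEVERITY[s],
                      authorised.get((host, s)))
                for s, exp in baseline.items() if observed.get(s, "UNKNOWN") != exp]
    return sorted(findings, key=lambda d: RANK[d.severity])

def drift_report(fleet, authorised):
    """One evidence line per host or finding: the 'drift report' an auditor asks for.
    Deviations without a change record are flagged as alerts for the SIEM."""
    lines = []
    for host, observed in fleet.items():
        findings = check_drift(host, observed, authorised)
        if not findings:
            lines.append(f"{host}: compliant with baseline")
        for d in findings:
            status = f"authorised via {d.change_ref}" if d.change_ref else "ALERT unauthorised"
            lines.append(f"{host}: {d.setting} expected={d.expected!r} "
                         f"observed={d.observed!r} severity={d.severity} {status}")
    return lines

# Constructed states, as a collector (agent, Ansible facts, MDM export) might return them.
FLEET = {
    "lap-0101": dict(BASELINE),                            # matches the build
    "srv-0203": {**BASELINE, "telnet_port_23_open": True,  # opened for a migration
                 "guest_account_enabled": True},           # nobody authorised this one
    "dev-0307": {k: v for k, v in BASELINE.items() if k != "clock_sync"},  # collector gap
}
AUTHORISED = {("srv-0203", "telnet_port_23_open"): "CHG-0042"}  # constructed change ref

if __name__ == "__main__":
    print("\n".join(drift_report(FLEET, AUTHORISED)))
```

The report lines are the kind of record the "Drift Reports" evidence request below refers to; the unauthorised guest-account finding is what would feed the corrective action and change control processes.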
How to pass an ISO 27001 Annex A 8.9 audit
Time needed: 2 hours.
How to comply with ISO 27001 Annex A 8.9
- Have effective asset management and know what assets you have: have an asset management process that includes an asset register.
- Document your configuration standards: using templates and industry best practice, document your configuration standards for each asset type.
- Configure your assets appropriately before use: using the configuration standards that you have developed and approved, configure your assets appropriately before you deploy them.
- Monitor your configurations: for all asset types, monitor the configurations to ensure they continue to meet the standards that you have set.
- Review your configurations: on a periodic basis, review your asset configurations to ensure they are in line with the standards that you have set.
- Take action where configurations do not match the templates and standards you have set: if you identify that assets are not configured in line with the configuration standards, take action and follow appropriate internal processes such as risk management and change control to rectify this.
- Implement controls proportionate to the risk posed: the controls that you implement and the configuration standards you choose are based on your risk assessment and proportionate to that risk and your business needs.
- Keep records: for audit purposes you will keep records. Examples of the records to keep include changes, updates, monitoring, reviews and audits.
- Test the controls that you have to make sure they are working: perform internal audits that include testing of the controls to ensure that they are working.
Top 3 ISO 27001 Annex A 8.9 mistakes and how to avoid them
The top 3 mistakes people make for ISO 27001 Annex A 8.9 are
- Leaving configuration defaults in place: Leaving systems and hardware default configurations, especially user names and passwords, is the biggest mistake that we see.
- You never check your configurations: Configuration management is not a one and done. Often we see that the actual configurations do not match the templates and standards that are documented. There are many reasons why this can happen. Do not assume you have configured and it works before the audit happens, check it. You may be surprised.
- Your document and version control is wrong: keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no stray comments left in them are all good practices.
Applicability of ISO 27001 Annex A 8.9 across different business models
| Business Type | Applicability and Examples of Control Implementation |
|---|---|
| Small Businesses | Focuses on establishing “Standard Build” templates for office hardware to ensure consistent security across a small fleet. The goal is to move away from “out of the box” defaults, which often contain security holes. |
| Tech Startups | Critical for managing fast-scaling cloud environments. Compliance requires automated configuration management to prevent “Configuration Drift” and ensure that new microservices are secure by default. |
| AI Companies | Vital for protecting specialized high-performance computing (HPC) and GPU clusters. Focus is on hardening the research environment to prevent unauthorized access to model IP and training data. |
Fast Track ISO 27001 Annex A 8.9 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 8.9 (Configuration management), the requirement is to establish, document, and monitor secure configurations for all hardware, software, services, and networks. While SaaS compliance platforms often attempt to sell you complex “automated configuration monitoring” or CMDB (Configuration Management Database) modules, they often overcomplicate what is fundamentally a governance and procedural requirement.
| Compliance Factor | SaaS Configuration Modules | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Blueprint Ownership | Rents access to your build standards; if you cancel, you lose the “Gold Build” definitions. | Permanent Ownership: Fully editable Word/Excel Configuration Policies that you own forever. | A localized “Gold Build” standard for Windows 11 stored on your internal secure drive. |
| Implementation | Over-engineers compliance with dashboards that often duplicate Intune, Jamf, or Ansible. | Governance-First: Formalizes your existing automation and hardening scripts into an auditor-ready framework. | A completed build checklist verifying that a new server matches the approved CIS benchmark baseline. |
| Cost Structure | Charges an “Asset Growth Tax” based on the number of endpoints or servers monitored. | One-Off Fee: A single payment covers 10 devices or 1,000. No per-asset or per-seat fees. | Allocating budget to professional automation tools rather than a monthly compliance dashboard fee. |
| Stack Freedom | Limited to specific cloud connectors; struggles with hybrid, niche, or legacy hardware. | 100% Agnostic: Standards adapt to Cisco, AWS, Linux, or custom hardware without limits. | The ability to switch from on-premise servers to cloud-native microservices without extra compliance fees. |
Summary: For Annex A 8.9, an auditor wants to see that you have defined secure configuration standards (like CIS benchmarks) and proof that you are following them. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 8.9 FAQ
What is ISO 27001 Annex A 8.9 Configuration Management?
ISO 27001 Annex A 8.9 is a preventive security control that ensures all technology assets are configured securely before use and maintained in that state. It requires organizations to move away from default manufacturer settings (“out of the box”) and instead apply specific, documented security settings to harden systems against attacks. Key requirements include:
- Baselines: Establishing standard security configurations for hardware, software, and networks.
- Hardening: Disabling unnecessary ports, services, and guest accounts.
- Drift Management: Monitoring systems to ensure they do not revert to insecure settings over time.
What is the difference between Configuration Management and Change Management in ISO 27001?
Configuration Management defines the “secure state” of a system, whereas Change Management controls the “process” of altering that state. While they are closely related, they serve different functions:
- Configuration Management (Annex A 8.9): Focuses on the content of the settings (e.g., “The password length must be 12 characters”). It ensures the system matches the approved security blueprint (Golden Image).
- Change Management (Annex A 8.32): Focuses on the workflow of modification (e.g., “Who authorized changing the password length?”). It tracks the approval and testing of changes to the configuration.
How do you implement ISO 27001 Annex A 8.9 effectively?
Implementation follows a five-step lifecycle: Define, Document, Implement, Monitor, and Review. To satisfy auditors, you must demonstrate a structured approach rather than ad-hoc settings:
- Define: Select a security standard (e.g., CIS Benchmarks or vendor hardening guides) for each asset type.
- Document: Create a “Standard Build Checklist” that details every required setting (e.g., “Disable Telnet,” “Enable Firewall”).
- Implement: Apply these settings to all new devices using automation scripts or manual checklists before deployment.
- Monitor: Regularly scan systems to detect “Configuration Drift” (unauthorized changes).
- Review: Update your baselines annually to address new security threats.
What evidence do auditors look for regarding Annex A 8.9?
Auditors seek proof of consistency between your documented policies and the actual settings on your live devices. Common evidence requests include:
- Standard Build Documents: Checklists or templates defining the secure baseline for laptops, servers, and firewalls.
- Golden Images: Evidence of pre-configured system images used for deployment.
- Drift Reports: Logs showing that you regularly check for and correct unauthorized setting changes.
- Change Records: Proof that any deviation from the standard baseline was authorized via the Change Management process.
Is a Configuration Management Database (CMDB) required for ISO 27001?
No, complex CMDB software is not explicitly mandatory, though it is highly recommended for larger organizations. The standard requires that configurations are “established, documented, implemented, monitored, and reviewed.”
- Small Organizations: Can achieve compliance using spreadsheets (“Asset Registers”) and manual Standard Build Checklists.
- Large Organizations: Should use automated tools (e.g., Microsoft Intune, Ansible, or specialized CMDBs) to manage complexity and ensure continuous compliance.
Who is responsible for Configuration Management in ISO 27001?
Responsibility typically lies with the Head of IT or IT Operations, while accountability remains with Senior Management. Specific roles include:
- System Administrators: Responsible for applying the standard build templates and fixing configuration drift.
- Security Officers: Responsible for defining the security requirements (e.g., “Passwords must expire every 90 days”) that IT must implement.
- Asset Owners: Accountable for ensuring their specific assets (e.g., a finance server) adhere to the organizational policy.
What is a “Secure Baseline” or “Golden Image”?
A Secure Baseline (or Golden Image) is a pre-configured version of an operating system or application that has already been “hardened.” Instead of configuring every new computer manually, IT teams deploy this master image to ensure 100% consistency. It acts as the “known good state” against which all live systems are measured.
Controls and Attribute Values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability, Integrity, Confidentiality | Protect | Secure Configuration | Protection |