In this guide, I will show you exactly how to implement ISO 27001 Annex A 8.9 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 8.9 Configuration Management
ISO 27001 Annex A 8.9 is a new control in the 2022 update. It requires organizations to establish, document, and manage the technical configurations (the “Standard Build”) of their hardware, software, and services. The goal is to ensure that systems are “hardened” by default, preventing security incidents caused by unpatched services, default passwords, or open ports.
Core requirements for compliance include:
- Standard Build Templates: You must define exactly what a “secure” device looks like before it is given to a user. This includes disabling unused services, enforcing auto-lock, and removing default manufacturer passwords.
- Avoid “Configuration Drift”: Once a system is live, its settings can change. You must monitor your systems to ensure they haven’t “drifted” away from your secure baseline (e.g., a developer temporarily opening a port and forgetting to close it).
- Integration with Change Management: Any change to a critical configuration must be authorized. You shouldn’t tweak firewall rules or server settings without a record of who authorized it and why.
- Use of Industry Benchmarks: Rather than guessing, the standard encourages using recognized standards like CIS Benchmarks or NIST guidelines to define your secure configurations.
Audit Focus: Auditors will look for “The Blueprint vs. The Reality”:
- Documentation: “Show me the standard build checklist for a new company laptop.”
- Verification: They will perform a “spot check” on a random device: “Show me that ‘Guest Accounts’ are disabled on this machine, as per your policy.”
- Governance: “Show me the last time you reviewed your cloud (AWS/Azure) configurations for security gaps.”
Standard Build Checklist (Hardening Basics):
| Component | Standard Setting | Why it matters |
|---|---|---|
| Default Passwords | Disabled / Changed | Prevents "out of the box" credential attacks. |
| Unused Ports | Closed (e.g., Telnet/23, FTP/21) | Reduces the attack surface of the device. |
| Guest Accounts | Disabled | Prevents anonymous access to the local system. |
| Auto-Run | Disabled (for USBs/CDs) | Stops the automatic spread of malware via removable media. |
| OS Updates | Automatic / Managed | Ensures critical security patches are always applied. |
Table of Contents
- Key Takeaways: ISO 27001 Annex A 8.9 Configuration Management
- What is ISO 27001 Annex A 8.9?
- ISO 27001 Annex A 8.9 Free Training Video
- ISO 27001 Annex A 8.9 Explainer Video
- ISO 27001 Annex A 8.9 Podcast
- How to implement ISO 27001 Annex A 8.9
- Standard Build Checklist
- How to pass an ISO 27001 Annex A 8.9 audit
- Top 3 ISO 27001 Annex A 8.9 mistakes and how to avoid them
- Fast Track Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 8.9 FAQ
- Related ISO 27001 Controls
- Further Reading
- Controls and Attribute Values
What is ISO 27001 Annex A 8.9?
ISO 27001 Annex A 8.9 is about configuration management, which means documenting and implementing the technical configurations of your systems and software.
ISO 27001 Annex A 8.9 Configuration Management is an ISO 27001 control that checks you have configured your software and hardware securely, documented those configurations, and are monitoring and reviewing them.
The focus of this ISO 27001 Annex A control is having standard, secure configurations for software and hardware, and managing those configurations once they are in place.
ISO 27001 Annex A 8.9 Purpose
The purpose of Annex A 8.9 Configuration Management is to ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorised or incorrect changes.
ISO 27001 Annex A 8.9 Definition
The ISO 27001 standard defines Annex A 8.9 as:
Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
ISO 27001:2022 Annex A 8.9 Configuration Management
ISO 27001 Annex A 8.9 Free Training Video
In the video ISO 27001 Configuration Management Explained – ISO27001:2022 Annex A 8.9 I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 8.9 Explainer Video
In this beginner's guide to ISO 27001 Annex A 8.9 Configuration Management, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.
ISO 27001 Annex A 8.9 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001:2022 Annex A 8.9 Configuration Management. The podcast explores what it is, why it is important and the path to compliance.
How to implement ISO 27001 Annex A 8.9
Document Configuration Management
My advice when starting out with configuration management is to document before you implement, if you can. Work out what your secure configurations should be based on vendor advice, industry best practice and your own needs. It may be that you can't, because you already have an environment in place and are retrofitting, but if you can do it first, do it first.
We know that when we purchase hardware and software it comes with the standard default set-up. Clearly it has to be this way, as vendors cannot account for every use case. That default can include default passwords, and services or ports that should be locked down or closed being left open.
To document it, if you can, get your hands on vendor or industry templates for the thing you are trying to secure. Sure, the actual configuration itself can be enough, but for belts and braces, documenting it in templates allows a couple of other things to happen. It enables the change management cycle, which includes the processes and steps for authorisation. With documentation you can show previous states and evidence that changes to configuration were effectively managed.
What to document
What kind of things can you consider in your templates and documentation? Here are a few of the common ones. Clearly access management and the use of admin accounts will be documented. You are going to remove or disable services that you do not need, and document those. Clocks are going to be synchronised, and the mechanism for that recorded. Default user names and passwords are going to be removed or changed, and that requirement documented. You are also going to tie back to licensing, to make sure you have licences for the things you are configuring.
Configuration Changes
For changes you will follow your change management process. In it you will have records of configuration changes that show the owner, what the change was, when it was changed, the version of the configuration or template and, where needed, the relationship to other assets.
Configuration Monitoring and Review
Once that configuration is in place you are going to monitor those configurations and review them. Depending on how big and complex you are you may benefit from deploying tools. If you find that the configurations do not match your templates and requirements then you follow your corrective action and risk management processes.
Standard Build Checklist
An example standard build checklist of common hardening settings (CIS Benchmarks give fuller, platform-specific guidance):
| Component | Standard Setting (Hardening) | Reason |
|---|---|---|
| Default Passwords | DISABLED / CHANGED | Prevent default credential attacks. |
| Unused Ports | CLOSED (e.g., Telnet port 23) | Reduce attack surface. |
| Guest Account | DISABLED | Prevent anonymous access. |
| Auto-Run | DISABLED (on USBs) | Prevent malware spread. |
How to pass an ISO 27001 Annex A 8.9 audit
Time needed: 2 hours
How to comply with ISO 27001 Annex A 8.9
- Have effective asset management and know what assets you have
Have an asset management process that includes an asset register.
- Document your configuration standards
Using templates and industry best practice you will document your configuration standards for each asset type.
- Configure your assets appropriately before use
Using the configuration standards that you have developed and approved you will configure your assets appropriately before you deploy them.
- Monitor your configurations
For all asset types you will monitor the configurations to ensure they continue to meet the standards that you have set.
- Review your configurations
On a periodic basis you will review your asset configurations to ensure they are in line with the standards that you have set.
- Take actions where configurations do not match the templates and standards you have set
If you identify that assets are not configured in line with the configuration standards you will take action and follow appropriate internal processes such as risk management and change control to rectify.
- Implement controls proportionate to the risk posed
The controls that you implement and the configuration standards you choose are based on your risk assessment and proportionate to that risk and your business needs.
- Keep records
For audit purposes you will keep records. Examples of the records to keep include changes, updates, monitoring, review and audits.
- Test the controls that you have to make sure they are working
Perform internal audits that include the testing of the controls to ensure that they are working.
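The drift check that the monitoring, review and corrective-action steps above describe, and the standard build checklist earlier on this page, as an added worked example in Python. This is not code from the page, the toolkit or its author. The baseline rules mirror the checklist rows; the device records are constructed sample data standing in for what an MDM or configuration tool (Intune, Jamf, Ansible facts) would report; the rule names, the version string, the approved-port list and the severity scheme are assumptions made for the example.

```python
"""Blueprint-vs-reality check for configuration drift.

Added example, not code from the page or its author. The baseline rules
follow the standard build checklist; the observed device records below are
constructed sample data, and the setting names, version string and severity
scheme are assumptions.
"""
from dataclasses import dataclass
from typing import Any, Callable
import hashlib
import json

INSECURE_PORTS = {21: "FTP", 23: "Telnet"}   # cleartext services the build must not expose
APPROVED_PORTS = {22, 443}                    # assumption: what the standard build may listen on
BASELINE_VERSION = "1.3"                      # assumption: version of the standard build template


@dataclass(frozen=True)
class Rule:
    setting: str                  # key in the observed device record
    expected: str                 # human-readable expected state, as the template states it
    check: Callable[[dict], bool]
    why: str


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: str
    observed: Any
    severity: str
    why: str


def _ports(device: dict) -> set:
    return set(device.get("listening_ports") or [])


def _auto_lock_ok(device: dict) -> bool:
    minutes = device.get("auto_lock_minutes")
    return isinstance(minutes, int) and 1 <= minutes <= 15


# The "blueprint": one rule per checklist row. A missing value fails the rule,
# because a setting you cannot verify is drift from the documented standard.
STANDARD_BUILD = [
    Rule("default_passwords_changed", "True",
         lambda d: d.get("default_passwords_changed") is True,
         "Prevent out-of-the-box credential attacks"),
    Rule("guest_account_enabled", "False",
         lambda d: d.get("guest_account_enabled") is False,
         "Prevent anonymous access to the local system"),
    Rule("autorun_enabled", "False",
         lambda d: d.get("autorun_enabled") is False,
         "Stop automatic malware execution from removable media"),
    Rule("auto_lock_minutes", "1..15", _auto_lock_ok,
         "Unattended sessions lock themselves"),
    Rule("os_updates", "automatic or managed",
         lambda d: d.get("os_updates") in {"automatic", "managed"},
         "Security patches are applied"),
    Rule("listening_ports", f"subset of {sorted(APPROVED_PORTS)}",
         lambda d: _ports(d) <= APPROVED_PORTS,
         "Reduce the attack surface; catches ports opened and then forgotten"),
    Rule("clock_sync", "ntp",
         lambda d: d.get("clock_sync") == "ntp",
         "Synchronised clocks keep logs correlatable"),
]


def baseline_fingerprint() -> str:
    """Content hash of the baseline, so a change or review record can cite
    exactly which version of the template a device was checked against."""
    canonical = json.dumps(
        {"version": BASELINE_VERSION,
         "rules": [[r.setting, r.expected, r.why] for r in STANDARD_BUILD]},
        sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()[:12]


def severity_for(rule: Rule, device: dict) -> str:
    """Credential and anonymous-access failures, and exposed cleartext
    services, are rated high; everything else medium (assumed scheme)."""
    if rule.setting == "listening_ports" and (_ports(device) & set(INSECURE_PORTS)):
        return "high"
    if rule.setting in {"default_passwords_changed", "guest_account_enabled"}:
        return "high"
    return "medium"


def check_device(device: dict) -> list:
    """Compare one device's observed state with the standard build."""
    return [Finding(device["host"], r.setting, r.expected,
                    device.get(r.setting, "<missing>"), severity_for(r, device), r.why)
            for r in STANDARD_BUILD if not r.check(device)]


def drift_report(devices: list) -> dict:
    """Run the check across the estate; only drifted hosts appear in the report."""
    return {d["host"]: f for d in devices if (f := check_device(d))}


# Constructed observations standing in for an MDM / configuration tool export.
OBSERVED = [
    {"host": "LAPTOP-001", "default_passwords_changed": True, "guest_account_enabled": False,
     "autorun_enabled": False, "auto_lock_minutes": 10, "os_updates": "managed",
     "listening_ports": [22, 443], "clock_sync": "ntp"},
    {"host": "DEV-SRV-07", "default_passwords_changed": True, "guest_account_enabled": True,
     "autorun_enabled": False, "auto_lock_minutes": 0, "os_updates": "automatic",
     "listening_ports": [22, 23, 8080], "clock_sync": "ntp"},   # telnet and a forgotten dev port
    {"host": "PRINTER-02", "default_passwords_changed": False, "os_updates": "manual",
     "listening_ports": [443, 9100]},                            # incomplete inventory data
]

if __name__ == "__main__":
    print(f"baseline {BASELINE_VERSION} fingerprint {baseline_fingerprint()}")
    for host, findings in drift_report(OBSERVED).items():
        for f in findings:
            print(f"{host}: {f.setting} expected {f.expected}, observed {f.observed!r} "
                  f"[{f.severity}] - {f.why}")
```

Each finding is the input to the corrective action and risk management step: the host, the setting, what the template says, what was observed and which version of the template (the fingerprint) the check ran against. Treating a missing value as a failure matters in practice, because the devices you cannot read settings from are usually the ones that have drifted furthest.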
Top 3 ISO 27001 Annex A 8.9 mistakes and how to avoid them
The top 3 mistakes people make for ISO 27001 Annex A 8.9 are
1. Leaving configuration defaults in place
Leaving systems and hardware default configurations, especially user names and passwords, is the biggest mistake that we see.
2. You never check your configurations
Configuration management is not a one-and-done exercise. Often we see that the actual configurations do not match the templates and standards that are documented. There are many reasons why this can happen. Do not assume that what you configured is still in place and working before the audit happens: check it. You may be surprised.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and making sure documents contain no leftover comments are all good practices.
Fast Track Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 8.9 (Configuration management), the requirement is to establish, document, and monitor secure configurations for all hardware, software, services, and networks. SaaS compliance platforms often attempt to sell you complex "automated configuration monitoring" or CMDB (Configuration Management Database) modules, which frequently overcomplicate what is fundamentally a governance and procedural requirement.
The High Table ISO 27001 Toolkit is the logical, time-saving solution because it provides the governance structure and standard build templates needed to satisfy auditors, allowing you to manage your technical configurations effectively without a recurring subscription.
1. Ownership: You Own Your Configuration Standards Forever
SaaS platforms act as a middleman for your compliance evidence. If you define your secure build standards and store your configuration logs inside their proprietary system, you are essentially renting your own technical blueprints.
- The Toolkit Advantage: You receive the Configuration Management Policy and Standard Build Checklists in fully editable Word/Excel formats. These are yours forever. You own the standards that define your “Gold Builds” and hardening rules, ensuring you are audit-ready without being held to a “subscription ransom.”
2. Simplicity: Governance for the Tools You Already Use
Annex A 8.9 is about the management of configurations. You don’t need a complex new software interface to manage what your existing systems (like Intune, Jamf, or Ansible) already do.
- The Toolkit Advantage: Your technical team already understands how to configure systems. What they need is the governance layer to prove to an auditor that these configurations are standardized and approved. The Toolkit provides pre-written templates that formalize your existing technical work into an auditor-ready framework, without forcing your team to learn a new software platform.
3. Cost: One-Off Fee vs. The “Asset Growth” Tax
Many compliance SaaS platforms charge more as you add more “assets” or “integrations.” For a control that touches every piece of hardware and software in your organization, these monthly costs can scale aggressively.
- The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you are managing configurations for 10 devices or 1,000, the cost of the Configuration Management Documentation remains the same. You save your budget for actual technical tools and talent rather than an expensive compliance dashboard.
4. Freedom: No Vendor Lock-In for Your Infrastructure Stack
SaaS compliance tools often only integrate with specific “name-brand” cloud providers. If you use a hybrid setup, niche software, or change your infrastructure vendor, the SaaS tool can become a barrier to technical flexibility.
- The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can edit the Configuration Standards to match any technical environment, on-premise, cloud, or specialised hardware. You maintain total freedom to evolve your infrastructure without being constrained by the technical limitations of a rented SaaS platform.
Summary: For Annex A 8.9, an auditor wants to see that you have defined secure configuration standards (like CIS benchmarks) and proof that you are following them. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 8.9 FAQ
ISO 27001 Annex A 8.9 is an ISO 27001 control that requires an organisation to fully manage the configurations of its hardware, software, services and networks.
Responsibility for ISO 27001 Annex A 8.9 lies with the IT department.
Accountability for ISO 27001 Annex A 8.9 lies with senior management and leadership.
Ownership of ISO 27001 Annex A 8.9 lies with the head of IT.
The guidance on security controls from ISO 27001 Annex A 8.9 includes:
Restrict who has administrative accounts
Restrict the number of administrative accounts
Ensure that segregation of duty is implemented for those with administrative accounts
Disable any accounts or identities that are not used or required
Disable any services or features that are not used or required
Implement appropriate logging and monitoring
Implement clock synchronisation
Change default passwords and settings immediately before use and / or connecting to a network
Ensure automatic account lockout and session time-out / log-out are in place
The guidance on standard templates from ISO 27001 Annex A 8.9 includes:
Utilise templates and follow guidance from vendors
Where possible utilise industry best practice for templates such as the High Table ISO 27001 Templates
Subscribe to vendor, industry and specialist forums and communications
The guidance on Managing and Monitoring Configurations from ISO 27001 Annex A 8.9 includes:
Implement a configuration management process
Ensure that configurations are tested before they are put live
Keep records and version control of configurations
Regularly review configurations and document the review
Consider the use of software and tools for the deployment and monitoring of configurations
The following ISO 27001 controls are relevant to ISO 27001 Annex A 8.9:
ISO 27001 Annex A 5.32 Intellectual Property Rights
Yes, ISO 27001 Annex A 8.9 is a new control. It was introduced in the 2022 update to the standard.
Example of common tools used for configuration management include:
Configuration management databases (CMDBs)
Configuration management software (CMS)
Version control systems
Deployment automation tools
The challenge of implementing configuration management is directly proportional to the number of devices and the complexity of your set-up. The more you have, the harder it is to manage.
ISO 27001 configuration management is the process of establishing, documenting, implementing, monitoring, and reviewing the configurations of hardware, software, services, and networks. This includes security configurations.
The benefits of implementing ISO 27001 configuration management include:
Reduced risk of a data breach
Reduced risk of unauthorised access
Reduced risk of information security incidents.
Compliance with laws and regulations for data and information security
Reduction in IT management and maintenance costs
Change management is about managing changes. Configuration management is about the set-up of devices, software, services and networks. Implementing configuration management relies on change management to control the changes made to configurations.
ISO 27001 configuration management can be difficult to implement. The smaller you are the easier it will be. The larger and more complex you are, the harder it will be.
The costs will vary depending on the approach you take, but they will be significant. Common costs include:
The cost of IT staff
The cost of outsourcing
The cost of tools
Related ISO 27001 Controls
ISO 27001 Monitoring, Measurement, Analysis, Evaluation: Clause 9.1
ISO 27001 Change Management: Annex A 8.32
Further Reading
ISO 27001 Risk Treatment – Tutorial
ISO 27001 Change Management Policy Template
Controls and Attribute Values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Protect | Secure Configuration | Protection |
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
