Understanding ISO 27002:2022 Control 8.9

Configurations, whether in individual files or interconnected settings, play a fundamental role in governing the operation of hardware, software, and entire networks. For example, a firewall’s default properties, including block lists, port forwarding, virtual LANs, and VPN information, are stored in its configuration file.

ISO 27002:2022 (Control 8.9) recognises the significance of configuration management and introduces it as a new control in the revised edition. This control is an essential aspect of an organisation’s security management.

What is Configuration Management?

ISO 27002:2022 defines configuration management as “The process of controlling and managing the changes to the hardware, software, and network configurations of an organisation’s IT systems. It is the practice of identifying, documenting, and managing the configuration items (CIs) of an organisation’s IT systems, such as servers, network devices, applications, and databases.”

What is the significance of ISO 27002:2022 Control 8.9?

Control 8.9 states that the hardware, software, services, and networks, including security configurations, should be established, documented, practised, measured, and frequently evaluated. Moreover, ISO 27002 forms a part of Annex A controls defined in the ISO 27001:2022 certification.

Configuration management ensures secure and efficient IT systems by maintaining accurate inventories, monitoring changes, and restoring systems to a known state after a security incident. It is an integral part of asset management, guaranteeing the correct function and protection of networks and devices.

ISO 27002:2022 Control 8.9 is a preventive measure to mitigate cyber risk by establishing rules for recording, implementing, monitoring, and evaluating configurations across an organisation’s ecosystem. Configuration management, an administrative effort, is solely responsible for maintaining and monitoring data across devices and applications. Ownership typically lies with the Head of IT or a similar role.

Mandatory steps for Configuration Management

The configuration management process includes the following steps:

1. Determine and list the configuration components: The organisation must outline all the hardware, software, and network devices it has, together with their settings.

2. Create and put into practice the change management process: It is necessary to establish a process for submitting, approving, and implementing changes to the configuration items and for recording and tracking those changes.

3. Observe and report: Organisations must inspect the configuration items for compliance and security problems and alert the appropriate parties.

4. Restoring and backing up: Make and retain copies of the configuration items, and have a process to restore systems to a known, secure state in the event of a security issue.

ISO 27002:2022 Control 8.9 emphasises the importance of considering all relevant roles and responsibilities when establishing a configuration management policy. It recommends delegating configuration ownership on a device-by-device or application-by-application basis. By doing so, companies can enhance their overall configuration management practices.

The control supports effective configuration management by having companies establish policies for both newly installed and existing hardware and software. These policies cover critical components such as security configurations, storage devices for configuration files, and relevant software applications.

Importance of an effective Configuration Management System

Configuration management should align with the organisation’s security and business objectives, closely tied to the corporate security policy and change management (ISO 27002, Control 8.32). Businesses should strive to securely configure hardware, software, and systems using standardised templates that align with information security activities and fulfil minimal security criteria.

IT managers must consider the organisational needs and the practicality of using or managing templates. Reviewing configuration templates should occur in sync with hardware or software changes and emerging security threats.

Organisations are responsible for maintaining and storing configurations and for documenting modifications or new installations in line with the change management control (Control 8.32). Logs should include details such as asset owner, timestamps of recent configuration modifications, current version of the configuration template, and any relevant information for identifying connections to other assets or systems.

Why is it important for an Organisation to maintain compliance with Configuration Management?

Secure Configuration Management is a practice to maintain compliance with security standards, including ISO 27002:2022. Moreover, it is a preventive measure to strengthen system security, reduce vulnerabilities, and prevent potential breaches.

Organisations should employ diverse techniques to effectively monitor configuration files across their network, including automation and specialised configuration maintenance solutions. For instance, PCI DSS emphasises the importance of configuration management and requires File Integrity Monitoring (FIM) to track changes that could result in configuration drift and non-compliance.
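The following added example (not part of the original article or of any standard's text) sketches a minimal file integrity check: each configuration file is registered with the log details listed earlier (asset owner, modification timestamp, template version, related assets) plus a SHA-256 digest, and later compared against that baseline to flag drift. The record layout, function names, owners, template names and file contents are all hypothetical and constructed for illustration.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path

@dataclass
class ConfigRecord:
    """One register entry; fields follow the log details listed in the text."""
    path: Path
    asset_owner: str
    template_version: str
    related_assets: list
    last_modified: str  # UTC timestamp of the approved change
    sha256: str         # digest of the approved configuration

def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def register(path, owner, template_version, related_assets=()):
    """Record the approved state of a configuration file as its baseline."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return ConfigRecord(Path(path), owner, template_version,
                        list(related_assets), now, digest(Path(path)))

def check_drift(records):
    """Return (path, owner, finding) for each file that left its baseline."""
    findings = []
    for rec in records:
        if not rec.path.exists():
            findings.append((str(rec.path), rec.asset_owner, "missing"))
        elif digest(rec.path) != rec.sha256:
            findings.append((str(rec.path), rec.asset_owner, "modified"))
    return findings

def demo():
    """Constructed sample: baseline two files, then change them outside change control."""
    with tempfile.TemporaryDirectory() as tmp:
        fw, ssh = Path(tmp, "firewall.conf"), Path(tmp, "sshd_config")
        fw.write_text("default deny\nallow tcp 443\n")
        ssh.write_text("PermitRootLogin no\n")
        records = [register(fw, "network-team", "fw-template-v3", ["vpn-gw"]),
                   register(ssh, "platform-team", "ssh-template-v2")]
        fw.write_text("default deny\nallow tcp 443\nallow tcp 23\n")  # unapproved edit
        ssh.unlink()                                                   # file removed
        return [(Path(p).name, o, f) for p, o, f in check_drift(records)]

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be re-registered only after a change has been approved, so every finding maps either to a missing change record or to an unauthorised edit.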
