
ISO27001:2022 A8.9 – Configuration Management




ISO27001 isn’t only about doing the right things, it’s about doing the right things consistently. That’s what this ISO27001 Annex A control is all about. When you ensure that your systems and software are consistently configured in a secure way, you reduce the number of vulnerabilities you expose, which in turn reduces your risk.


 

This new ISO27001 Annex A control is a recognition that our technological world has become increasingly complex, making consistency a critical factor in protecting information.

 

What does the standard require?

The standard states that “Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.” (A8.9 – Configuration Management)

 

Again, note that there are four areas of focus, requiring five actions;

 

The focus is on;

  • Hardware

  • Software

  • Services

  • Networks

 

Where configuration management should be;

 

  • Established

  • Documented

  • Implemented

  • Monitored

  • Reviewed

 

There is a complexity here that can quickly become difficult to manage. This is especially difficult for smaller businesses that perhaps don’t have a lot of technical knowledge. But this is where a little creativity and keeping things simple come into play.

 

Why is this required?

With the plethora of digital devices and software applications in our lives, it is easy to see how incorrectly configured technology could lead to data breaches and cyber attacks.

 

Another important benefit of this ISO27001 control is that consistency can lead to increased quality and efficiency in the output. For example, we implemented a simple checklist for the configuration of new laptops within an IT department. This allowed the IT manager to delegate this task to one of their team, which freed them up to focus on more technically challenging tasks.

 

The team improved the quality of their output, resulting in a reduction in calls to the helpdesk and an increase in the speed at which they configured the devices. This led to improved relationships with the business, as the team could deliver the devices much faster than previously experienced.

 

This shows that good security practices like this have very real benefits that extend beyond the usual focus of risk management.

 

What the auditor is looking for

For this ISO27001 control, the auditor will look for a range of security measures, including;

 


 

What do you need to do?

As per the requirement of this ISO27001 control, there are a number of things we need to address.

 

Establish Configuration Management

The first part of this control is about establishing the configuration management processes. Therefore, you need to speak to your IT function or specialist to understand how they currently deploy new hardware, software, services and network infrastructure. Do you use a system to manage configuration? If you do, then you’ll need to understand how it works on the information assets you’ve previously identified.

 

To understand what devices you have in place, you can use the inventory of assets you created when you addressed ISO27001 Annex A Control A5.9. You can use this inventory to ask about the current configuration of these devices and what can reasonably be configured in a standard way. You can also identify the most efficient way to document this for your business.

 

Document Configuration Management

Once you have established which devices and assets need configuration management, you should review what documented processes or systems are in place, and identify any gaps. If you use a system to manage the process of configuration management, then you won’t need to develop separate written documentation, as the ‘documented evidence’ lives within the system you’re using. You will still need to be able to show the auditor the baseline that system enforces and a history of changes to it, so check that it can export or report on both.

 

However, if you need to create documented processes, keep in mind that they don’t need to be long, wordy documents. They need to be appropriate to you. For example, you can use a simple flow chart or checklist to ensure consistency. If you were configuring a new laptop, for example, you might have the following checklist;

 

  1. Set-up Admin account.

  2. Create unique device ID.

  3. Set device up on the corporate network.

  4. Ensure encryption is enabled.

  5. Install malware protection.

  6. Configure auto-updates.

  7. Disable USB drives.

  8. Enable Firewall.

  9. Patch to latest software versions.

  10. Set-up new user account.

  11. Connect to network drive.

  12. Provide individual login credentials for the user.

  13. Provide Acceptable Use Policy.

  14. Provide Training.

 

I’m not saying the above is what you should do, just what you might do. It offers enough information to someone who is technically competent to follow and ensure that every laptop is configured the same.

 

The nice thing about a checklist like this is that it doesn’t prescribe the order in which you complete the tasks (although order might be an element of the configuration process). What it does is provide confidence to you, the user or the security officer, that everything has been done to configure the device securely.

 

Implement Configuration Management

If this were recorded on an individual worksheet or spreadsheet for each new member of staff, then you would have a consistent approach to configuration management. But now you need to train people on how to follow the process.

 

When you are doing this, it would be useful to hand the process to someone who has never completed the task before and ask them to follow the checklist.  Do they spot any gaps? Are there any tasks that are wrong?

 

Monitor Configuration Management

Depending on the size and complexity (and budget) of your company, you can either monitor this process through simple audits, or use software tools that check devices against the standard configuration and report any deviation from it. Either way, the point is to detect drift from the baseline, not just to confirm that the checklist was completed on day one.
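As an added example of the tool-based approach (this is not code from the original article), the script below checks a fleet of laptops against a baseline built from the checklist above and reports drift per device. The device records, the attribute names and the minimum patch level are constructed for illustration; a real deployment would replace them with data collected from the endpoints. A missing attribute is deliberately treated as a failure, because an unknown state is not evidence of a secure configuration, and the report carries a fingerprint of the baseline so the review step can tell which version of the standard each report was checked against.

```python
"""Added example: configuration-drift check for a laptop baseline.

Not from the original article. The baseline items mirror the article's
laptop checklist; the device records and version numbers are constructed
sample data, not collected from real systems.
"""
from __future__ import annotations

import hashlib
import json
from typing import Any

# Baseline derived from the article's checklist. The "min_patch" value is an
# assumption standing in for whatever build your IT team currently approves.
BASELINE: dict[str, Any] = {
    "disk_encryption": True,
    "malware_protection": True,
    "auto_updates": True,
    "usb_storage_enabled": False,
    "firewall": True,
    "min_patch": "10.0.22631",
}

# Constructed inventory records, shaped as a collection agent might report them.
FLEET: list[dict[str, Any]] = [
    {"device_id": "LT-0001", "disk_encryption": True, "malware_protection": True,
     "auto_updates": True, "usb_storage_enabled": False, "firewall": True,
     "patch_level": "10.0.22631"},
    {"device_id": "LT-0002", "disk_encryption": False, "malware_protection": True,
     "auto_updates": True, "usb_storage_enabled": True, "firewall": True,
     "patch_level": "10.0.22621"},
    # Incomplete record: the collector could not report the firewall state.
    {"device_id": "LT-0003", "disk_encryption": True, "malware_protection": True,
     "auto_updates": False, "usb_storage_enabled": False,
     "patch_level": "10.0.22631"},
]


def version_tuple(v: str) -> tuple[int, ...]:
    """Parse a dotted version so that 10.0.22631 compares above 10.0.9."""
    return tuple(int(part) for part in v.split("."))


def baseline_id(baseline: dict[str, Any]) -> str:
    """Stable fingerprint of the baseline, recorded with every report so an
    auditor can tell which version of the standard a report was checked against."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def check_device(record: dict[str, Any],
                 baseline: dict[str, Any] = BASELINE) -> list[dict[str, Any]]:
    """Return one finding per baseline item the device does not meet.

    A missing attribute is a failure (fail closed): if the collector could not
    confirm a setting, the device is not shown as compliant for that item.
    """
    findings = []
    for item, expected in baseline.items():
        if item == "min_patch":
            actual = record.get("patch_level")
            ok = actual is not None and version_tuple(actual) >= version_tuple(expected)
        else:
            actual = record.get(item)
            ok = actual == expected
        if not ok:
            findings.append({"item": item, "expected": expected, "actual": actual})
    return findings


def drift_report(fleet: list[dict[str, Any]],
                 baseline: dict[str, Any] = BASELINE) -> dict[str, Any]:
    """Check every device and summarise the result for the review step."""
    per_device = {r["device_id"]: check_device(r, baseline) for r in fleet}
    return {
        "baseline_id": baseline_id(baseline),
        "devices_checked": len(per_device),
        "compliant": sorted(d for d, f in per_device.items() if not f),
        "findings": {d: f for d, f in per_device.items() if f},
    }


if __name__ == "__main__":
    print(json.dumps(drift_report(FLEET), indent=2))
```

Run as written, the report lists LT-0001 as compliant, flags LT-0002 for the disabled encryption, the enabled USB storage and the old patch level, and flags LT-0003 both for auto-updates being off and for the firewall state that was never reported. Pointing the same check at the records your inventory tool already exports is usually a smaller job than it looks, and it turns the monitoring step from a periodic spot check into something you can run on every device, every day.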

 

Review Configuration Management

This final stage is relatively simple, as you’ll need to ensure you review your configuration management systems and processes for adequacy. This should be a formal review conducted periodically, but again, it depends on the size and complexity of your business.

 

Like many aspects of ISO27001, we would suggest you keep it simple and start from the beginning. Start with the easier, obvious assets, like laptops and other mobile devices. Then move on to other hardware devices, including network devices. Finally look at software and what you need to do to configure these securely.

 

Difficulty rating

We rate this control 3 out of 5 for difficulty. We have given it this rating because it covers a number of areas. In the process we outlined above, we focused on hardware (specifically laptops), but you will need to consider this for hardware, software, services and networks. It requires strong communication and analytical skills, which will allow you to develop appropriate processes at levels which make sense to your business.


 

Q&A


Do I have to keep copies of previous configurations?

This depends on the configurations and changes taking place. You might want to retain a copy of the previous configuration before implementing a change, so that you can ‘roll back’ to the previous settings if the change causes a problem. Many systems and devices allow this, but you will need to review the kind of change taking place to see if it is appropriate. A retained copy also gives you a record of what changed and when, which is useful evidence for the review stage.

 

More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.

 

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.
