What is ISO 27002:2022 Control 8.9? A Quick Look at the Essentials


The basic parameters that control how hardware, software, and even entire networks run are configurations, whether they take the form of a single configuration record or a collection of connected configurations. For instance, the default properties a firewall uses to control traffic to and from a company's network, such as block lists, port forwarding, virtual LANs, and VPN settings, are stored in the firewall's configuration file.

Configuration management is now presented as a new control in the revised version of ISO 27002:2022 (Control 8.9). It is an important component of an organization's security management. This blog will guide you through the essentials of Control 8.9.

What is Control 8.9, Configuration Management?

The Standard states that hardware, software, service, and network settings, including security configurations, should be defined, recorded, put into practice, monitored, and routinely evaluated.

ISO 27002:2022 defines configuration management as “the process of controlling and managing the changes to the hardware, software, and network configurations of an organization’s IT systems. It is the practice of identifying, documenting, and managing the configuration items (CIs) of an organization’s IT systems, such as servers, network devices, applications, and databases.”

By keeping an accurate inventory of all configuration items, regulating and monitoring changes to them, and resetting systems to a known, secure state in the event of a security incident, configuration management aims to ensure that IT systems are secure, compliant, and operating at their highest efficiency.

Configuration management should be considered within the broader model of an organization’s asset management. Configurations are essential for ensuring a network functions correctly and for protecting devices from unauthorized changes or improper alterations made by vendors or maintenance workers.

Control 8.9 is a preventative measure that seeks to reduce cyber risk by creating a set of rules specifying how an organization records, puts into practice, keeps track of, and evaluates the use of configurations across the entirety of its ecosystem. The maintenance and monitoring of data and information stored on various devices and applications is the exclusive function of configuration management, which is purely an administrative effort. Ownership ought to be held by the Head of IT or a position to that effect.

Configuration Management Steps

The following steps are commonly included in the configuration management process:

  1. Identify and document the configuration items: Make an inventory of every piece of hardware, software, and network device, together with its configuration.
  2. Establish and implement the change management process: Develop a process for submitting, approving, and putting modifications to the configuration items into effect, and for recording and monitoring those modifications.
  3. Monitor and report: Monitor compliance and security issues with the configuration items and notify the appropriate parties if any are discovered.
  4. Backup and restore: Make and keep copies of the configuration items and have a process to return systems to a known, secure state in case of a security incident.

In general, companies must create and implement configuration management policies for any newly installed hardware and software and for any already in use. Business-critical components like security configurations, all hardware that stores configuration files, and any pertinent software applications or systems should all be covered by internal controls.

When establishing a configuration management policy, Control 8.9 urges businesses to consider every applicable role and responsibility, including delegating configuration ownership on a device-by-device or application-by-application basis.

Considerations for Effective Configuration Management

Configuration management should be aligned with the organization's security and business objectives. It should be closely linked with the company's security policy and change management since, according to ISO 27002, Control 8.32, Change Management supports Control 8.9.

Whenever possible, businesses should securely configure all of their hardware, software, and systems by using standardized templates. These templates should be compatible with the organization's larger information security activities, including all pertinent ISO controls, and meet the minimum security criteria for the device, application, or system to which they apply.

IT managers should be aware of the organization's particular business needs, particularly regarding security setups, as well as how practical it is to use or manage a template at any given time. The timing of reviews of these configuration templates should take into account any hardware or software changes and any emerging security threats.

In accordance with the change management control (Control 8.32), an organization is responsible for maintaining and storing configurations, including keeping a record of any modifications or new installs. The logs should include information such as the asset owner, the timestamps of the most recent configuration modifications, the current version of the configuration template, and any other pertinent information that helps in identifying connections to other assets or systems.
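The four-step process listed under "Configuration Management Steps" and the change-record fields described in the paragraph above (asset owner, timestamp of the latest modification, template version) can be modelled in a small register. The following is an added example written for this article, not code from Tripwire or from the ISO standard; the item names, owners, template versions, and firewall settings are constructed for illustration.

```python
"""Added example: a minimal configuration-management register covering
inventory, approved change management, drift monitoring and restore, and
recording each change with owner, timestamp and template version.
All names and sample data are constructed for illustration."""
from __future__ import annotations

import copy
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


def fingerprint(config: dict) -> str:
    """Stable hash of a configuration, used to detect unapproved changes."""
    canonical = json.dumps(config, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


@dataclass
class ConfigItem:
    name: str                  # e.g. "edge-fw-01" (constructed)
    owner: str                 # delegated owner, assigned per device
    template_version: str      # version of the hardening template applied
    config: dict
    history: list = field(default_factory=list)   # change log entries
    baseline: dict = field(default_factory=dict)  # last known-good copy
    baseline_hash: str = ""

    def __post_init__(self):
        # The registered configuration is the initial known-good state.
        self.baseline = copy.deepcopy(self.config)
        self.baseline_hash = fingerprint(self.config)


@dataclass
class ChangeRequest:
    item: str
    changes: dict
    requested_by: str
    approved_by: str | None = None


class ConfigRegister:
    """Step 1: inventory of configuration items keyed by name."""

    def __init__(self):
        self.items: dict[str, ConfigItem] = {}

    def register(self, item: ConfigItem) -> None:
        self.items[item.name] = item

    def apply(self, req: ChangeRequest, new_template_version: str | None = None) -> dict:
        """Step 2: a change is applied only once approved, and every applied
        change is recorded with owner, timestamp and template version."""
        if req.approved_by is None:
            raise PermissionError(f"change to {req.item} has not been approved")
        item = self.items[req.item]
        item.config.update(req.changes)
        if new_template_version:
            item.template_version = new_template_version
        record = {
            "item": item.name,
            "owner": item.owner,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "template_version": item.template_version,
            "changes": req.changes,
            "requested_by": req.requested_by,
            "approved_by": req.approved_by,
        }
        item.history.append(record)
        # An approved change becomes the new known-good state.
        item.baseline = copy.deepcopy(item.config)
        item.baseline_hash = fingerprint(item.config)
        return record

    def drifted(self) -> list[str]:
        """Step 3: report items whose live config no longer matches the
        approved baseline, so the owner can be notified."""
        return [n for n, i in self.items.items() if fingerprint(i.config) != i.baseline_hash]

    def restore(self, name: str) -> dict:
        """Step 4: reset an item to its last known-good configuration."""
        item = self.items[name]
        item.config = copy.deepcopy(item.baseline)
        return item.config


if __name__ == "__main__":
    reg = ConfigRegister()
    reg.register(ConfigItem("edge-fw-01", "netops", "fw-baseline-1.0",
                            {"block_list": ["203.0.113.0/24"], "port_forwarding": []}))
    print(reg.apply(ChangeRequest("edge-fw-01", {"vpn": "enabled"}, "alice", "bob"),
                    "fw-baseline-1.1"))
    reg.items["edge-fw-01"].config["block_list"] = []   # out-of-band edit
    print("drifted:", reg.drifted())
    print("restored:", reg.restore("edge-fw-01"))
```

The baseline hash is the register's memory of the last approved state; an edit made outside the approval path leaves the hash unchanged, so `drifted()` surfaces it and `restore()` brings the item back to the recorded configuration.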

Configuration Management is more than ISO Compliance

In addition to ISO 27002:2022, more and more compliance standards and security benchmarks are recognizing that Secure Configuration Management is a must, as it is an essential preventive measure to harden systems, reduce exposure to vulnerabilities, and prevent potential breaches.

For example, PCI DSS is a long-time advocate of configuration management. The standard mandates File Integrity Monitoring (FIM) to keep track of changes that may lead to configuration drift and push assets out of compliance because of a change made after they were marked as compliant.
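To show how FIM-style monitoring catches the drift described above, here is an added example (not Tripwire's product code and not taken from PCI DSS): it baselines the hashes of monitored configuration files, classifies any drift, and re-runs a minimal compliance check so that a change that breaks a previously compliant setting is reported immediately. The file paths, file contents, and the required `sshd_config` values are constructed for illustration; the hashing goes beyond the single-file case in the text to any set of monitored paths.

```python
"""Added example: file-integrity-style drift detection over configuration
files, with a small compliance check re-evaluated after each change.
Paths, contents and policy values are constructed for illustration."""
import hashlib
import os
import tempfile

# Minimum settings a hypothetical hardening template requires in sshd_config.
REQUIRED_SSHD = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}


def read_text(path: str) -> str:
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def file_hash(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def snapshot(paths) -> dict:
    """Record a hash for every monitored file that exists (the FIM baseline)."""
    return {p: file_hash(p) for p in paths if os.path.exists(p)}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify drift relative to the baseline as added, removed or modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def sshd_findings(text: str) -> list:
    """Compare the effective sshd settings against the required template values."""
    effective = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        effective[key] = value.strip()
    return [f"{k} must be {v!r}, found {effective.get(k)!r}"
            for k, v in REQUIRED_SSHD.items() if effective.get(k) != v]


def run_drift_scenario() -> dict:
    """Constructed scenario: a compliant baseline, then an out-of-band edit."""
    with tempfile.TemporaryDirectory() as root:
        sshd = os.path.join(root, "sshd_config")
        fw = os.path.join(root, "firewall.conf")
        with open(sshd, "w", encoding="utf-8") as fh:
            fh.write("Port 22\nPermitRootLogin no\nPasswordAuthentication no\n")
        with open(fw, "w", encoding="utf-8") as fh:
            fh.write("block 203.0.113.0/24\n")
        monitored = [sshd, fw]
        baseline = snapshot(monitored)
        findings_before = sshd_findings(read_text(sshd))

        # Root login is re-enabled without going through change management.
        with open(sshd, "w", encoding="utf-8") as fh:
            fh.write("Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n")
        drift = diff_snapshots(baseline, snapshot(monitored))
        findings_after = sshd_findings(read_text(sshd))
        return {
            "drift_modified": [os.path.basename(p) for p in drift["modified"]],
            "compliant_before": not findings_before,
            "compliant_after": not findings_after,
            "findings": findings_after,
        }


if __name__ == "__main__":
    print(run_drift_scenario())
```

Hash comparison alone tells you that something changed; pairing it with the template check tells the asset owner whether the change also took the system out of compliance, which is the information needed to decide on remediation.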

Organizations should deploy a wide range of techniques to assess the state of configuration files across their network, including automation and specialized configuration management solutions. Fortra’s Tripwire Security Configuration Management solutions not only provide compliance assessments but also use FIM to track any configuration drift that can cause assets to fall out of compliance due to a change, so that appropriate remediation can be taken immediately.

Let Tripwire solve your biggest security and compliance challenges. Request a demo to get started.
