Control Stack
Annex A 8.8 ISO/IEC 27001:2022

Management of technical vulnerabilities

Know which of your systems have known weaknesses, evaluate your exposure, and patch, harden or mitigate them before they are exploited.

🏛️ Framework

ISO/IEC 27001:2022

🧭 Control effect

Preventative

🧱 ISO 27001 domain

Technological controls

🔐 Classifications

N/A

🗓️ Official last update

24 Oct 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 Maturity levels

N/A

Official control statement
Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.

Source: ISO/IEC 27001:2022

Plain language

This control is about knowing where your company's computers, software and networks have known weaknesses (technical vulnerabilities), working out how exposed the business is, and fixing them before someone exploits them, usually by patching, correcting insecure settings or retiring software the vendor no longer supports. Imagine the lock on your office door has a known fault and the manufacturer has already shipped a replacement part: if nobody tracks the recall and fits the new part, you stay open to burglars. Unpatched software and insecure default settings work the same way.

Why it matters

Without a process for tracking and treating technical vulnerabilities, unpatched software and insecure settings persist, leaving weaknesses in place that are publicly known and often already being exploited, and increasing the likelihood of breaches and service outages.

Operational notes

Know what is in use (asset and software inventory), obtain vulnerability information for it (vendor advisories, scanner output), rate exposure by vendor criticality, exploit availability and whether the asset is internet-facing, and remediate within defined time frames (patching, hardening, vendor mitigations, or replacing unsupported software). Maintain secure configuration baselines and monitor for deviations so that remediation is not silently undone.

Implementation tips

  • The IT manager should define a secure configuration baseline for all company computers and network equipment, using templates that follow current security standards and vendor hardening guidance. The baseline is the list of settings that must be applied so systems are not left with insecure defaults, and it is the reference against which unauthorised changes are detected.
  • The office manager should organise regular training so all staff understand why security settings and updates matter and how to report anything unusual. This can be done by inviting experts or using online courses approved by the IT team.
  • The IT team should use tooling to check continuously that systems still match the baseline and have not been changed without approval, and should run a vulnerability scanner at the frequencies the mapped ASD ISM controls describe (daily for internet-facing systems, at least fortnightly elsewhere) so missing patches are found quickly. System management software that alerts on unauthorised change is recommended by ISO/IEC 27002:2022.
  • Procurement should work with IT so that new hardware or software is checked against the configuration baseline, and is still supported by its vendor, before it goes into use. IT should review each purchase against the company's security requirements.
  • The IT support team should keep baselines and patching procedures current as new threats and vendor advisories appear, drawing on guidance such as the ASD Essential Eight and OAIC guidance. This includes setting regular intervals to review and update the templates, and defined time frames within which patches of each criticality must be applied.
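The baseline-and-drift check described in the tips above, written out as an added Python example (this is not Control Stack's code and not the output of any particular configuration-management product). It compares a host's observed settings with an approved baseline and an approved-change log, so that an authorised deviation is reported differently from unapproved drift; the setting names, hostnames, ticket numbers and values are all constructed.

```python
"""Baseline drift check: added example, not Control Stack's or any vendor's code.

Compares the settings observed on one host against an approved secure
configuration baseline and an approved-change log, then classifies each
deviation so that only *unapproved* changes raise an alert. Setting names,
host names, tickets and values are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed baseline: setting -> required value (hypothetical setting names).
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "powershell.LanguageMode": "ConstrainedLanguage",
    "wifi.DefaultSsidChanged": "true",
    "tls.MinVersion": "1.2",
}


@dataclass(frozen=True)
class ApprovedChange:
    """One entry of the change log an auditor would ask to see."""
    host: str
    setting: str
    new_value: str
    ticket: str
    approved_by: str
    approved_at: datetime


# Constructed change log: a single authorised exception for web-01.
CHANGE_LOG = [
    ApprovedChange("web-01", "tls.MinVersion", "1.3", "CHG-1042", "secops-lead",
                   datetime(2026, 2, 10, 9, 30, tzinfo=timezone.utc)),
]


def approved_change_for(host, setting, value, log):
    """Return the change record that authorises `value` on `host`, or None."""
    for change in log:
        if (change.host, change.setting, change.new_value) == (host, setting, value):
            return change
    return None


def check_drift(host, observed, baseline=BASELINE, log=CHANGE_LOG):
    """Compare observed settings with the baseline.

    Returns (setting, status, observed, expected, ticket) tuples where status is
    'drift' (unapproved change), 'approved' (covered by a change record) or
    'missing' (baseline setting not present on the host). Compliant settings
    produce no finding.
    """
    findings = []
    for setting, expected in sorted(baseline.items()):
        if setting not in observed:
            findings.append((setting, "missing", None, expected, None))
            continue
        value = observed[setting]
        if value == expected:
            continue
        change = approved_change_for(host, setting, value, log)
        if change is None:
            findings.append((setting, "drift", value, expected, None))
        else:
            findings.append((setting, "approved", value, expected, change.ticket))
    return findings


def has_unapproved_drift(findings):
    """True if anything needs remediation or an approval record."""
    return any(status in ("drift", "missing") for _, status, *_ in findings)


# Constructed observation for web-01: one approved deviation (TLS 1.3 per
# CHG-1042), one unapproved change (root SSH login) and one missing setting.
OBSERVED_WEB01 = {
    "ssh.PermitRootLogin": "yes",
    "ssh.PasswordAuthentication": "no",
    "powershell.LanguageMode": "ConstrainedLanguage",
    "tls.MinVersion": "1.3",
}

if __name__ == "__main__":
    for finding in check_drift("web-01", OBSERVED_WEB01):
        print(finding)
```

The check is keyed on host, setting and new value together, so an approval recorded for web-01 does not silence the same change appearing on another host, and a missing setting is treated as a finding rather than as compliant, since a tool that cannot read a baseline setting cannot vouch for it.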

Audit / evidence tips

  • Ask: Request the organisation's configuration management documentation.

    Good: The documentation should clearly define roles, use standard templates based on recognised security guidance, and be updated regularly.

  • Ask: Ask to see the log of configuration changes.

    Good: The log should show, for every configuration change, when it was made, who authorised it and what changed, so that any deviation from the baseline found by monitoring can be traced to an approval.

  • Ask: Request evidence of vulnerability scanning and configuration compliance monitoring.

    Good: Reports should show scans run at the defined frequency, missing patches tracked to closure within the organisation's stated time frames, and alerts raised for any configuration discrepancies.

  • Ask: Ask for examples of configuration templates or guidelines.

    Good: Templates should align with current security standards and vendor recommendations, and be tailored to the company's needs.

  • Ask: Request records of staff training related to configuration management.

    Good: Training records should show regular sessions and include topics like security configuration principles and recent updates.

Cross-framework mappings

How Annex A 8.8 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

E8

Partially meets (13)
Supports (4)

ASD ISM

Control Notes Details
Partially meets (33)
ISM-0298 ISM-0298 mandates centralised patch management with integrity and successful application verification
ISM-1316 ISM-1316 requires changing default wireless SSIDs to avoid insecure default configurations on access points
ISM-1366 ISM-1366 requires security updates to be applied to mobile devices as soon as they become available
ISM-1501 ISM-1501 requires operating systems that are no longer supported by vendors to be replaced
ISM-1606 ISM-1606 requires timely remediation of vulnerabilities by applying patches, updates or vendor mitigations to software-based isolation me...
ISM-1622 ISM-1622 requires a specific hardening configuration: PowerShell must use Constrained Language Mode
ISM-1690 ISM-1690 requires a specific patching outcome: apply non-critical patches for online services within two weeks when no working exploits e...
ISM-1691 ISM-1691 sets a specific, time-bound requirement to apply vendor patches/mitigations for vulnerabilities in common productivity and secur...
ISM-1692 ISM-1692 requires a specific, time-bound response: applying critical patches for defined application categories within 48 hours when vend...
ISM-1693 ISM-1693 requires a specific remediation action: applying patches/updates/vendor mitigations for certain applications within one month of...
ISM-1694 ISM-1694 requires a specific patching outcome: non-critical OS vulnerabilities on internet-facing servers and network devices are remedia...
ISM-1695 ISM-1695 requires organisations to apply OS security patches for non-internet-facing workstations, servers and network devices within one...
ISM-1696 ISM-1696 requires a specific technical vulnerability treatment outcome: applying critical OS patches within 48 hours for defined non-inte...
ISM-1697 ISM-1697 requires applying vendor-provided mitigations for non-critical driver vulnerabilities within one month where no working exploits...
ISM-1698 ISM-1698 requires organisations to use a vulnerability scanner at least daily to identify missing patches or updates for vulnerabilities ...
ISM-1701 ISM-1701 requires a specific operational practice: daily vulnerability scanning to find missing OS patches on internet-facing servers and...
ISM-1702 ISM-1702 requires a specific operational practice: running a vulnerability scanner at least fortnightly to identify missing operating sys...
ISM-1703 ISM-1703 requires a specific operational practice: using a vulnerability scanner at least fortnightly to identify missing patches or upda...
ISM-1751 ISM-1751 requires a specific patching outcome: non-critical vendor OS vulnerabilities (with no working exploits) on certain IT equipment ...
ISM-1752 ISM-1752 requires organisations to perform a specific, measurable activity: fortnightly vulnerability scanning to identify missing operat...
ISM-1754 ISM-1754 requires vulnerabilities identified in software to be resolved in a timely manner
ISM-1808 ISM-1808 requires a specific technical measure: using a vulnerability scanner with an up-to-date vulnerability database for scanning acti...
ISM-1829 ISM-1829 requires that passwords are not stored in Group Policy Preferences (GPP), removing a known weak credential storage mechanism in ...
ISM-1876 ISM-1876 requires critical patches or vendor mitigations for online services to be applied within 48 hours when vendors rate vulnerabilit...
ISM-1877 ISM-1877 requires a specific remediation outcome: applying critical vendor patches/mitigations to internet-facing operating systems withi...
ISM-1878 ISM-1878 requires critical OS patches to be applied within 48 hours for certain categories of IT equipment when vendors rate vulnerabilit...
ISM-1879 ISM-1879 requires a specific, time-bound action: applying patches, updates or mitigations for critical driver vulnerabilities within 48 h...
ISM-1900 ISM-1900 requires a specific operational practice: using a vulnerability scanner at least fortnightly to identify missing firmware patche...
ISM-1901 ISM-1901 requires a specific vulnerability treatment action: applying non-critical patches within two weeks for a defined set of high-ris...
ISM-1903 ISM-1903 requires organisations to apply critical firmware patches, updates or vendor mitigations within 48 hours when rated critical or ...
ISM-1904 ISM-1904 requires a specific remediation action: apply vendor firmware mitigations within one month for non-critical, non-exploited vulne...
ISM-1905 ISM-1905 requires removal of vendor-unsupported online services to reduce risk from vulnerabilities that can no longer be remediated
ISM-2054 ISM-2054 requires that, where an SBOM exists for imported third-party software components, it is used during development to ensure those ...
Partially overlaps (7)
ISM-0300 Annex A 8.8 requires organisations to obtain vulnerability information, evaluate exposure and take appropriate measures such as applying ...
ISM-0912 Annex A 8.8 requires organisations to manage security configuration in response to technical vulnerabilities by assessing exposure and ap...
ISM-1163 ISM-1163 requires continuous monitoring including regular vulnerability assessments
ISM-1616 ISM-1616 requires organisations to implement a vulnerability disclosure program so external and internal researchers can report product/s...
ISM-1717 Annex A 8.8 requires organisations to obtain information about technical vulnerabilities and take measures to reduce exposure
ISM-1809 ISM-1809 requires compensating controls to be implemented when unsupported applications, operating systems or devices cannot be removed o...
ISM-1913 ISM-1913 requires approved configurations for IT equipment to be developed, implemented and maintained
Supports (16)
ISM-0290 ISM-0290 requires high assurance IT equipment to be configured and operated in an evaluated configuration following ASD guidance
ISM-1143 ISM-1143 requires organisations to develop and maintain patch management processes and procedures to ensure patches are applied in a cont...
ISM-1211 Annex A 8.8 requires organisations to evaluate exposure to technical vulnerabilities and apply appropriate measures, which often includes...
ISM-1246 Annex A 8.8 supports ISM-1246 by establishing governance to identify, assess, and treat technical vulnerabilities, which encourages apply...
ISM-1424 ISM-1424 requires web servers to be configured to emit protective response headers that reduce client-side attack surface and enforce sec...
ISM-1483 ISM-1483 requires internet-facing server applications to be kept on their latest release to address known vulnerabilities
ISM-1605 ISM-1605 requires hardening of the underlying operating system that hosts software-based isolation (e.g., hypervisor/host OS) to protect ...
ISM-1643 ISM-1643 requires maintaining registers of software versions and patch histories across applications, drivers, operating systems and firm...
ISM-1659 ISM-1659 requires organisations to implement Microsoft’s Vulnerable Driver Blocklist as a specific technical measure to reduce exposure t...
ISM-1704 ISM-1704 requires removing specific categories of unsupported software to reduce known and unpatched exposure
ISM-1745 ISM-1745 requires enabling defined security features (ELAM, Secure Boot, Trusted Boot and Measured Boot) to harden systems at startup
ISM-1755 ISM-1755 requires organisations to develop, implement and maintain a vulnerability disclosure policy for receiving and handling reported ...
ISM-1756 ISM-1756 requires organisations to develop, implement and maintain vulnerability disclosure processes and supporting procedures for repor...
ISM-1848 ISM-1848 demands replacement of unsupported server isolation or OS components to avoid vulnerabilities
ISM-1931 ISM-1931 necessitates SID Filtering to be enabled to mitigate the risk of privilege escalation across trust relationships
ISM-1956 ISM-1956 mandates scheduled and event-driven rotation of AD FS token-signing and encryption certificates to mitigate compromised federati...
Related (4)
ISM-1635 ISM-1635 requires system owners to implement controls to protect systems and their environments
ISM-1914 Annex A 8.8 requires obtaining vulnerability information, evaluating exposure and implementing measures including secure configuration of...
ISM-1915 Annex A 8.8 requires organisations to manage security configuration by identifying technical vulnerabilities, evaluating exposure and imp...
ISM-1916 Annex A 8.8 requires managing security configuration as part of reducing exposure to technical vulnerabilities
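As an added worked example (not Control Stack's or ASD's code), the following Python script performs the "evaluate exposure" step of the control statement: it matches a software inventory against vulnerability advisories and assigns each affected asset a remediation deadline, using a deliberately simplified three-tier reading of the time frames in the ISM rows above (48 hours where the vendor rates the vulnerability critical or working exploits exist, two weeks for non-critical vulnerabilities on internet-facing assets, one month otherwise). Assumptions: "one month" is taken as 30 days, and a single internet-facing flag stands in for the ISM's per-asset-class distinctions. Asset names, advisory identifiers, version numbers and dates are constructed.

```python
"""Exposure triage with time-bound remediation deadlines.

Added example, not Control Stack's or ASD's code. It matches a software
inventory against vulnerability advisories and assigns each affected asset a
remediation deadline, using a three-tier simplification of the ISM time frames
(assumptions: "one month" is taken as 30 days, and only internet exposure
distinguishes the two-week tier from the one-month tier):
  48 hours - vendor rates the vulnerability critical, or working exploits exist
  2 weeks  - otherwise, when the asset is internet-facing
  30 days  - otherwise
Assets, advisory ids, versions and dates are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass
class Asset:
    name: str
    internet_facing: bool
    software: dict = field(default_factory=dict)  # product -> installed version


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    product: str
    fixed_version: str      # first version that is no longer affected
    vendor_critical: bool
    exploited: bool         # working exploit publicly available
    published: datetime


def version_tuple(version):
    """Dotted numeric version -> tuple for ordering ('3.0.12' < '3.0.13')."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed, fixed_version):
    return version_tuple(installed) < version_tuple(fixed_version)


def remediation_deadline(asset, advisory):
    """Deadline counted from advisory publication, per the tiers above."""
    if advisory.vendor_critical or advisory.exploited:
        delay = timedelta(hours=48)
    elif asset.internet_facing:
        delay = timedelta(weeks=2)
    else:
        delay = timedelta(days=30)
    return advisory.published + delay


def evaluate_exposure(assets, advisories, now):
    """One finding per (asset, advisory) pair whose installed version is
    affected, ordered by deadline so the most urgent work comes first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            installed = asset.software.get(adv.product)
            if installed is None or not is_affected(installed, adv.fixed_version):
                continue
            deadline = remediation_deadline(asset, adv)
            findings.append({
                "asset": asset.name,
                "vuln_id": adv.vuln_id,
                "installed": installed,
                "fixed": adv.fixed_version,
                "deadline": deadline,
                "overdue": now > deadline,
            })
    return sorted(findings, key=lambda f: f["deadline"])


# Constructed inventory and advisories (identifiers are fictitious).
ASSETS = [
    Asset("web-01", internet_facing=True,
          software={"nginx": "1.24.0", "openssl": "3.0.12"}),
    Asset("fileserver-02", internet_facing=False,
          software={"openssl": "3.0.12", "samba": "4.19.4"}),
]
ADVISORIES = [
    Advisory("ADV-2026-001", "openssl", "3.0.13", vendor_critical=False,
             exploited=False, published=datetime(2026, 2, 1, tzinfo=UTC)),
    Advisory("ADV-2026-002", "nginx", "1.24.1", vendor_critical=True,
             exploited=False, published=datetime(2026, 2, 21, tzinfo=UTC)),
    # fileserver-02 is already at the fixed version, so this yields no finding.
    Advisory("ADV-2026-003", "samba", "4.19.4", vendor_critical=False,
             exploited=True, published=datetime(2026, 1, 15, tzinfo=UTC)),
]
NOW = datetime(2026, 2, 22, 12, 0, tzinfo=UTC)

if __name__ == "__main__":
    for f in evaluate_exposure(ASSETS, ADVISORIES, NOW):
        print(f["asset"], f["vuln_id"], f["deadline"].date(),
              "OVERDUE" if f["overdue"] else "")
```

The same advisory produces different deadlines on the two hosts: the non-critical OpenSSL issue is due within two weeks on the internet-facing web server but within a month on the internal file server, which is the exposure evaluation the control asks for rather than a flat patch-everything-now rule. The script deliberately treats "critical" and "exploited" as one tier because both conditions shorten the ISM deadline to 48 hours.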
