Configuration Management for Secure IT Systems
Set and keep secure settings for all IT systems and watch for changes.
🏛️ Framework
ISO/IEC 27001:2022
🧭 Control effect
Preventative
🧱 ISO 27001 domain
Technological controls
🔐 Classifications
N/A
🗓️ Official last update
24 Oct 2022
✏️ Control Stack last updated
30 Mar 2026
🎯 Maturity levels
N/A
Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.
Source: ISO/IEC 27001:2022
Plain language
Configuration management ensures that all the settings for your computers, software, and networks are planned and kept secure, reducing the chance of unexpected changes that could lead to security problems. Without this, systems can become vulnerable to attacks or operate inefficiently due to unauthorised or incorrect changes.
Why it matters
Poor configuration management leaves systems open to attacks and operational errors, risking company data and service disruptions.
Operational notes
Regularly monitor systems for baseline compliance and adjust settings when introducing new technology to prevent drift and minimise risks.
Implementation tips
- The IT manager should set up standard settings (often called baselines) for all hardware and software. Use trusted hardening guides from vendors or security organisations such as ASD as the templates, and document each baseline together with its source so it can be audited.
- System administrators must regularly check these configurations. Use tools to compare current settings against your standard ones, and fix any discrepancies promptly to prevent security risks.
- The security team should have procedures for managing changes. Only make adjustments to configurations through a formal process to avoid mistakes and unauthorised changes, aligning with ISO 27002:2022 guidance.
- HR and IT should ensure the right people have the right access. Limit access to system settings and disable any unnecessary admin rights to protect against misuse according to the ASD Essential Eight strategies.
- The IT team must ensure systems' clocks are synchronised to a common time source and that unnecessary functions, services and accounts are disabled. This maintains system integrity and keeps audit log timestamps accurate and reliable.
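The second tip above, comparing current settings against the documented baseline, is the step most often done by eye. As an added worked example (not part of the original page, and not code from ISO, ASD or any vendor), here is a small Python checker for an sshd_config-style file. The BASELINE values and the SAMPLE_SSHD_CONFIG are constructed for illustration only; the fallback defaults are those documented in sshd_config(5) for recent OpenSSH releases and should be confirmed against the version actually in use.

```python
"""Baseline drift check for an sshd_config-style file (added example).

Compares the effective global settings of a configuration file against a
documented baseline and reports every deviation, including keywords that
are absent from the file and therefore fall back to the daemon default.
"""
import hashlib
import json
import re
from dataclasses import dataclass

# Illustrative baseline: assumed values for this example, not taken from ISO,
# ASD or any vendor guide. Replace with your organisation's approved baseline.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "AllowTcpForwarding": "no",
    "LoginGraceTime": "60",
}

# Values sshd applies when a keyword is absent, as documented in
# sshd_config(5) for recent OpenSSH releases; confirm for the version you run.
SSHD_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "AllowTcpForwarding": "yes",
    "LoginGraceTime": "120",
}

# Constructed sample, not taken from a real host.
SAMPLE_SSHD_CONFIG = """\
# managed by: nobody, which is the problem
Port 22
ListenAddress 10.0.0.5
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
LoginGraceTime=120
# second occurrence is ignored by sshd: the first one wins
PermitRootLogin no
Match User backup
    AllowTcpForwarding no
"""

# "keyword value" or "keyword=value" (sshd_config(5) allows either form)
_LINE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


@dataclass(frozen=True)
class Deviation:
    keyword: str
    expected: str
    actual: str
    origin: str  # "explicit": set in the file; "default": keyword absent


def parse_global_settings(text: str) -> dict:
    """Return the effective global keyword -> value map (keys lower-cased).

    sshd honours the first occurrence of a keyword and treats keywords
    case-insensitively. Everything from the first Match block onward is
    conditional and is deliberately not evaluated here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue  # keyword with no value; sshd itself would reject this
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def check_baseline(config_text: str, baseline=BASELINE, defaults=SSHD_DEFAULTS) -> list:
    """Compare effective settings with the baseline; return all deviations."""
    current = parse_global_settings(config_text)
    deviations = []
    for keyword, expected in baseline.items():
        if keyword.lower() in current:
            actual, origin = current[keyword.lower()], "explicit"
        else:
            actual, origin = defaults.get(keyword, "<unknown default>"), "default"
        if actual.lower() != expected.lower():
            deviations.append(Deviation(keyword, expected, actual, origin))
    return deviations


def baseline_fingerprint(baseline=BASELINE) -> str:
    """SHA-256 of the canonicalised baseline, to cite in change records."""
    canonical = json.dumps({k.lower(): v for k, v in baseline.items()}, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for d in check_baseline(SAMPLE_SSHD_CONFIG):
        print(f"{d.keyword}: expected {d.expected!r}, found {d.actual!r} ({d.origin})")
    print("baseline fingerprint:", baseline_fingerprint())
```

Two design points matter for this control. First, the checker evaluates the effective setting, not the file text: AllowTcpForwarding is reported as a deviation even though it never appears in the global section, because sshd's default applies and a plain file diff against the template would have missed it. Second, the fingerprint gives the change process something concrete to reference: record it with each approved change request so an auditor can tie a compliance report to the exact baseline version it was checked against.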
Audit / evidence tips
- Ask: configuration baselines and templates
  Look at: the documentation completeness and relevance
  Good: includes well-documented templates using trusted sources
- Ask: change records for configuration changes
  Look at: whether each change was approved before it was applied
  Good: shows detailed logs with approved change requests
- Ask: baseline compliance reports
  Look at: how identified deviations were tracked to closure
  Good: each identified deviation is traced back to a corrective action
- Ask: records of system access rights
  Look at: whether access to configuration settings is restricted as per security requirements
  Good: only necessary personnel hold limited system access
- Ask: synchronisation settings for system clocks
  Look at: whether all systems are synchronised to a common time source
  Good: consistent timestamps across audit logs from different systems
Cross-framework mappings
How Annex A 8.9 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (6) | ||
| Supports (1) | ||
| Depends on (1) | ||
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (55) | ||
| ISM-0341 | ISM-0341 requires automatic execution features for removable media to be disabled to prevent code running when media is inserted | |
| ISM-0380 | ISM-0380 requires unneeded operating system user accounts, components, services and functionality to be disabled or removed to reduce att... | |
| ISM-0383 | ISM-0383 requires default operating system user accounts and credentials (including pre-configured accounts) to be changed, disabled or r... | |
| ISM-0484 | ISM-0484 requires specific secure configuration settings for the SSH daemon, such as interface binding and authentication timeouts | |
| ISM-0487 | ISM-0487 requires specific security configurations for SSH in passwordless scenarios, including disabling forwarding and limiting access ... | |
| ISM-0498 | ISM-0498 requires organisations to configure IPsec security association (SA) lifetimes to less than four hours to limit cryptographic exp... | |
| ISM-0521 | ISM-0521 requires IPv6 functionality to be disabled on dual-stack network devices unless IPv6 is actively used, reducing the attack surfa... | |
| ISM-0567 | ISM-0567 requires email servers to be configured so they only relay emails destined for or originating from the organisation’s own domain... | |
| ISM-0570 | ISM-0570 requires that any backup or alternative email gateways are maintained to the same security and operational standard as the prima... | |
| ISM-0574 | ISM-0574 requires an organisation to publish and maintain SPF DNS records that explicitly authorise which mail servers may send email for... | |
| ISM-0864 | ISM-0864 requires mobile devices to lock down security settings so users cannot disable or modify security functionality after provisioning | |
| ISM-1027 | ISM-1027 requires organisations to configure email distribution list applications used by external senders to ensure the sender’s DKIM si... | |
| ISM-1034 | ISM-1034 mandates disabling legacy authentication methods to secure network services | |
| ISM-1037 | ISM-1037 requires gateways to be tested after configuration changes and at least every six months to confirm they conform to expected sec... | |
| ISM-1055 | ISM-1055 requires a specific security configuration: disabling LAN Manager and NT LAN Manager authentication methods | |
| ISM-1183 | ISM-1183 requires an organisation to publish and use hard fail SPF DNS records to specify which email servers are authorised to send for ... | |
| ISM-1196 | ISM-1196 mandates a specific security configuration state for mobile devices: Bluetooth must be undiscoverable except during pairing | |
| ISM-1211 | ISM-1211 requires system administrators to carry out system administration activities in line with an established change and configuratio... | |
| ISM-1260 | ISM-1260 requires default server application accounts and credentials to be changed, disabled or removed as part of initial setup | |
| ISM-1272 | ISM-1272 requires a specific configuration state for database servers, where the DBMS is set to not accept remote connections unless need... | |
| ISM-1304 | ISM-1304 demands that default accounts or credentials on network devices be changed, disabled, or removed at initial setup | |
| ISM-1311 | ISM-1311 mandates that organisations ensure SNMP version 1 and 2 are not used on networks | |
| ISM-1312 | ISM-1312 requires a specific secure configuration outcome for SNMP on network devices (non-default community strings and no write access) | |
| ISM-1316 | ISM-1316 requires that default SSIDs are changed on wireless access points as part of secure configuration | |
| ISM-1319 | ISM-1319 requires organisations to avoid static IP addressing on wireless networks as a specific configuration choice to reduce risk | |
| ISM-1369 | ISM-1369 requires that TLS connections use AES-GCM encryption, which is a specific security configuration for network services | |
| ISM-1406 | ISM-1406 requires organisations to use SOEs for workstations and servers to ensure consistent, secure configurations | |
| ISM-1409 | ISM-1409 requires organisations to implement hardened operating system configurations using ASD and vendor guidance, applying the most re... | |
| ISM-1428 | ISM-1428 mandates a specific secure configuration setting: IPv6 tunnelling is disabled unless needed | |
| ISM-1536 | ISM-1536 requires implementing one defined security configuration in Microsoft Office: blocking OLE package activation | |
| ISM-1540 | ISM-1540 requires DMARC DNS records to be configured for organisational domains and subdomains so that non-compliant emails are rejected | |
| ISM-1562 | ISM-1562 requires hardening of video conferencing and IP telephony infrastructure through secure configurations | |
| ISM-1588 | ISM-1588 requires organisations to review and update Standard Operating Environments (SOEs) at least annually | |
| ISM-1598 | ISM-1598 requires IT equipment to be inspected after maintenance or repair to confirm it still matches the approved configuration and has... | |
| ISM-1604 | ISM-1604 requires a hardened configuration for the software-based isolation mechanism, including removing unneeded functionality and rest... | |
| ISM-1622 | ISM-1622 mandates a particular security configuration for a specific technology (PowerShell Constrained Language Mode) | |
| ISM-1669 | ISM-1669 requires Microsoft Office to be blocked from injecting code into other processes | |
| ISM-1673 | ISM-1673 requires implementing a specific security configuration: blocking Win32 API calls from Microsoft Office macros | |
| ISM-1710 | ISM-1710 requires wireless access points to be hardened by changing insecure default settings and applying secure configuration | |
| ISM-1806 | ISM-1806 requires default user accounts and credentials in user applications to be changed, disabled, or removed during initial setup | |
| ISM-1823 | ISM-1823 requires locking down office productivity suite security settings so users cannot change them | |
| ISM-1824 | ISM-1824 requires preventing user changes to PDF application security settings, ensuring a fixed secure configuration for that application | |
| ISM-1825 | ISM-1825 requires that users cannot change the security settings of security products, preserving the intended secure state | |
| ISM-1828 | ISM-1828 requires the Print Spooler service to be disabled specifically on Microsoft AD DS domain controllers to reduce attack surface | |
| ISM-1832 | ISM-1832 requires that only service accounts and computer accounts are configured with Service Principal Names (SPNs) in Active Directory | |
| ISM-1834 | ISM-1834 requires organisations to maintain a correct Active Directory configuration state by preventing or remediating duplicate SPNs, w... | |
| ISM-1838 | ISM-1838 requires a specific security configuration outcome in AD: the UserPassword attribute for user accounts is not used | |
| ISM-1860 | ISM-1860 requires hardening of PDF applications using ASD and vendor guidance, prioritising the most restrictive settings | |
| ISM-1887 | ISM-1887 requires a particular security configuration on mobile devices: remote locate and wipe must be enabled and usable | |
| ISM-1915 | ISM-1915 requires approved configurations for user applications to be developed, implemented, and maintained | |
| ISM-1926 | ISM-1926 mandates a hardened configuration baseline for AD-related servers by restricting them to their designed roles | |
| ISM-1931 | ISM-1931 requires SID Filtering to be enabled on domain and forest trusts to prevent abuse of SIDHistory/foreign SIDs across trust bounda... | |
| ISM-1935 | ISM-1935 mandates that Active Directory computer accounts are not configured for unconstrained delegation, a specific security measure to... | |
| ISM-1951 | ISM-1951 requires a specific security configuration: hard match takeover must be disabled on Microsoft Entra Connect servers | |
| ISM-1956 | ISM-1956 requires Microsoft AD FS token-signing and encryption certificates to be rotated twice in quick succession when compromised or s... | |
| Partially overlaps (7) | ||
| ISM-0042 | ISM-0042 requires organisations to develop, implement and maintain effective system administration practices and procedures for managing ... | |
| ISM-0289 | ISM-0289 requires evaluated products to be installed, configured, administered and operated in an evaluated configuration and in accordan... | |
| ISM-0290 | ISM-0290 requires high assurance IT equipment to be installed, configured, administered and operated in an evaluated configuration and in... | |
| ISM-0589 | ISM-0589 requires controlling MFD configuration and use so higher-classified material is not scanned/copied on lower-classified networks | |
| ISM-0912 | Annex A 8.9 requires configurations of hardware, software, services and networks to be established, documented, implemented, monitored an... | |
| ISM-1608 | ISM-1608 requires third-party SOEs to be checked for insecure or non-compliant configurations (as well as malicious code) before they are... | |
| ISM-1912 | Annex A 8.9 requires organisations to document and maintain configurations for systems and to keep them under review | |
| Supports (25) | ||
| ISM-0211 | ISM-0211 requires a maintained and regularly verified cable register to keep accurate knowledge of physical connectivity | |
| ISM-0481 | ISM-0481 requires systems to use only high assurance cryptographic protocols, which typically must be enforced via configuration (e.g | |
| ISM-0516 | ISM-0516 requires network documentation to include high-level and logical network diagrams showing all connections and all critical compo... | |
| ISM-0518 | ISM-0518 requires organisations to keep network documentation current and available | |
| ISM-0530 | ISM-0530 requires VLAN administration to occur from the most trusted security domain, effectively defining a security configuration requi... | |
| ISM-0591 | ISM-0591 requires the use of specific evaluated peripheral switches to define a security hardware configuration, supporting Annex A 8.9 (... | |
| ISM-1277 | ISM-1277 requires encryption for traffic between database servers and web servers to prevent interception or tampering in transit | |
| ISM-1419 | ISM-1419 requires that development and modification of software only occurs in development environments, limiting configuration drift and... | |
| ISM-1439 | ISM-1439 requires specific secure configurations to hide origin IP addresses and restrict origin access to CDN and authorised management ... | |
| ISM-1450 | ISM-1450 requires a specific configuration/usage state in TOP SECRET areas: non-TOP SECRET workstations must not be used with microphones... | |
| ISM-1493 | ISM-1493 requires organisations to maintain and regularly verify software registers so they can evidence what software exists across thei... | |
| ISM-1605 | ISM-1605 requires that the underlying operating system for software-based isolation on shared servers is hardened, which relies on establ... | |
| ISM-1619 | ISM-1619 mandates a secure configuration pattern for Windows service identities by using gMSAs for service accounts | |
| ISM-1634 | ISM-1634 requires system owners and authorising officers to select and tailor system controls to meet defined security and resilience obj... | |
| ISM-1646 | ISM-1646 requires maintaining accurate floor plans that show cabling routes and key network termination points (cabinets, concentration b... | |
| ISM-1696 | ISM-1696 requires applying critical operating system patches within 48 hours for workstations and non-internet-facing servers and network... | |
| ISM-1730 | ISM-1730 requires that an SBOM is produced and made available to consumers of software | |
| ISM-1798 | ISM-1798 requires publishing secure configuration guidance so consumers can securely configure the software | |
| ISM-1888 | ISM-1888 requires a specific security configuration on mobile devices: secure lock screens | |
| ISM-1981 | ISM-1981 requires replacing non-internet-facing network devices that are no longer vendor-supported, preventing insecure legacy devices f... | |
| ISM-2025 | ISM-2025 requires an issue tracking solution to tie development work items to security issues, decisions and change requests | |
| ISM-2031 | ISM-2031 requires organisations to configure compilers, interpreters and build pipelines to use security features that improve executable... | |
| ISM-2033 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC | |
| ISM-2045 | ISM-2045 requires organisations to ensure backwards compatibility does not introduce security regressions or disable protections | |
| ISM-2084 | ISM-2084 requires organisations to document AI model characteristics, system architecture, intended use and security risks in AI-specific... | |
| Depends on (2) | ||
| ISM-1552 | ISM-1552 requires organisations to configure web applications and associated services so content is delivered only via HTTPS | |
| ISM-1627 | ISM-1627 requires inbound network connections from anonymity networks to be blocked | |
| Related (4) | ||
| ISM-1635 | ISM-1635 requires system owners to implement controls for each system and its operating environment | |
| ISM-1913 | ISM-1913 requires approved configurations for IT equipment to be developed, implemented and maintained | |
| ISM-1914 | Annex A 8.9 requires secure configurations to be established and managed across IT systems | |
| ISM-1916 | Annex A 8.9 requires secure configurations to be established, documented, implemented, monitored and reviewed across IT assets | |