Configuration Management of IT Systems
Ensure IT systems have consistent, secure setups documented and maintained.
🏛️ Framework
ISO/IEC 27001:2022
🧭 Control effect
Preventative
🧱 ISO 27001 domain
Technological controls
🔐 Classifications
N/A
🗓️ Official last update
24 Oct 2022
✏️ Control Stack last updated
22 Feb 2026
🎯 Maturity levels
N/A
Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.
Source: ISO/IEC 27001:2022
Plain language
Every IT system should be set up the same known-good way, with those settings written down and kept current. Think of it as applying the same security settings to all of your own devices and then checking now and then that nobody has quietly changed them. Without this, an unauthorised or undocumented change can expose sensitive information, break a system, or leave you unable to rebuild it correctly after a failure.
Why it matters
Uncontrolled configuration changes and gradual configuration drift introduce exploitable settings, cause outages, and make recovery fail when the system baseline was never documented and so cannot be rebuilt.
Operational notes
Define and document approved configuration baselines; use automated drift monitoring, change approvals and periodic reviews to keep settings consistent and secure.
Implementation tips
- IT managers should establish standard configuration templates (baselines) for hardware and software, built from trusted sources such as vendor hardening guides and published security baselines. Update these templates regularly to address new threats and new software or hardware versions, and record which template version each system was built from.
- The IT team should document every configuration and keep a record of every change, ideally in a central configuration database where each entry records what changed, when, who made it and under which approval, so that changes are traceable and accountable.
- Security officers should monitor configurations actively and continuously. Tools that automatically compare the running configuration with the approved template expose discrepancies (drift) so that unauthorised changes can be reverted or escalated quickly; treat an unexplained difference as a potential security incident rather than a housekeeping item.
- Management should assign clear roles and responsibilities for configuration management: who may propose, approve and apply changes, and who reviews them. All team members should be trained on the change management process to reduce errors.
- Conduct regular reviews and audits of the configuration management process. Schedule review sessions in which the whole approach is evaluated against current good practice and applicable requirements such as ISO/IEC 27002:2022 and the Australian Privacy Act 1988.
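The drift monitoring described above is where most configuration programmes fall down, because the checker must follow the same parsing rules as the software it audits. As an added example (not part of the ISO/IEC 27001 text or of the original page), the Python below compares an OpenSSH `sshd_config` against an approved baseline. The baseline values and the sample configuration are constructed for illustration and are assumptions, not ASD or vendor recommendations; what the example shows is the rules a checker has to mirror: keywords are case-insensitive, the first occurrence of a duplicated keyword wins, a `Match` block scopes everything after it, and a keyword that is absent is reported as drift because the compiled-in default is not a pinned value.

```python
"""Configuration drift check: compare an sshd_config against an approved baseline.

Added example for this page; not part of ISO/IEC 27001 or of any vendor tool.
The BASELINE values and SAMPLE_CONFIG below are constructed for illustration and
are not ASD/ISM or vendor recommendations.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Approved baseline (assumption for this example): keyword -> required value.
# Keywords are stored lower-case because sshd matches them case-insensitively.
BASELINE: dict[str, str] = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "allowtcpforwarding": "no",
    "logingracetime": "30",
    "maxauthtries": "3",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global settings of an sshd_config.

    Rules a drift checker must mirror from sshd's own parsing:
    - empty lines and lines starting with '#' are comments;
    - keywords are case-insensitive;
    - for a duplicated keyword the FIRST value wins, later ones are ignored;
    - a 'Match' block scopes everything after it to specific users/hosts/addresses,
      so global evaluation stops there (per-context checks are out of scope here).
    """
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


@dataclass(frozen=True)
class Drift:
    keyword: str
    expected: str
    actual: Optional[str]  # None: keyword absent, so the compiled-in default applies


def check_drift(config_text: str, baseline: dict[str, str] = BASELINE) -> list[Drift]:
    """List every baseline keyword whose effective value differs or is not pinned."""
    effective = parse_sshd_config(config_text)
    drifts: list[Drift] = []
    for keyword, expected in baseline.items():
        actual = effective.get(keyword)
        # An absent keyword is reported too: defaults differ between OpenSSH versions
        # and distributions, so a baseline value must be set explicitly to be enforceable.
        if actual is None or actual.lower() != expected.lower():
            drifts.append(Drift(keyword, expected, actual))
    return drifts


# Constructed sample: an admin "fixed" PermitRootLogin by appending a line at the end,
# which sshd ignores because an earlier line already set it.
SAMPLE_CONFIG = """\
# constructed sample sshd_config for the drift check
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
AllowTcpForwarding yes
MaxAuthTries 3
# appended later; has no effect because the first PermitRootLogin line wins
PermitRootLogin no
"""

if __name__ == "__main__":
    for d in check_drift(SAMPLE_CONFIG):
        shown = "<not set>" if d.actual is None else d.actual
        print(f"DRIFT {d.keyword}: expected {d.expected!r}, effective {shown!r}")
```

Run against the sample, the check reports `PermitRootLogin` (effective value `yes`, despite the appended `no`), `AllowTcpForwarding`, and `LoginGraceTime` (not set). A naive line-grep that accepted the last matching line would have passed the first of these, which is exactly the kind of false assurance a drift monitor must not give. In a real deployment the same comparison would be run from the configuration database's approved template on a schedule, with each reported drift raised through the change process rather than silently corrected.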
Audit / evidence tips
- Ask: Request the documented standard configuration templates (baselines) for hardware and software.
- Ask: Request a log or record of all configuration changes over the past year.
- Ask: Request the roles and responsibilities policy for configuration management.
- Ask: Request reports from any automated tools used for monitoring configurations, including how detected drift was resolved.
- Ask: Request documentation of recent reviews of the configuration management process.
Cross-framework mappings
How Annex A 8.9 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | ||
| E8-AH-ML2.9 | E8-AH-ML2.9 requires hardening of PDF software using ASD and vendor guidance, with the most restrictive guidance applied in case of conflict | |
| E8-AH-ML3.3 | E8-AH-ML3.3 requires a specific security configuration: setting PowerShell to Constrained Language Mode to reduce exploitation of scripti... | |
| Depends on (1) | ||
| E8-AH-ML2.5 | E8-AH-ML2.5 requires Microsoft Office to be configured to prevent activation of OLE packages | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (55) | ||
| ISM-0341 | ISM-0341 requires automatic execution features for removable media to be disabled to prevent code running when media is inserted | |
| ISM-0380 | ISM-0380 requires unneeded operating system user accounts, components, services and functionality to be disabled or removed to reduce att... | |
| ISM-0383 | ISM-0383 requires default operating system user accounts and credentials (including pre-configured accounts) to be changed, disabled or r... | |
| ISM-0484 | ISM-0484 requires specific secure configuration settings for the SSH daemon, such as interface binding and authentication timeouts | |
| ISM-0487 | ISM-0487 requires specific security configurations for SSH in passwordless scenarios, including disabling forwarding and limiting access ... | |
| ISM-0498 | ISM-0498 requires organisations to configure IPsec security association (SA) lifetimes to less than four hours to limit cryptographic exp... | |
| ISM-0521 | ISM-0521 requires IPv6 functionality to be disabled on dual-stack network devices unless IPv6 is actively used, reducing the attack surfa... | |
| ISM-0567 | ISM-0567 requires email servers to be configured so they only relay emails destined for or originating from the organisation’s own domain... | |
| ISM-0570 | ISM-0570 requires that any backup or alternative email gateways are maintained to the same security and operational standard as the prima... | |
| ISM-0574 | ISM-0574 requires an organisation to publish and maintain SPF DNS records that explicitly authorise which mail servers may send email for... | |
| ISM-0864 | ISM-0864 requires mobile devices to lock down security settings so users cannot disable or modify security functionality after provisioning | |
| ISM-1027 | ISM-1027 requires organisations to configure email distribution list applications used by external senders to ensure the sender’s DKIM si... | |
| ISM-1034 | ISM-1034 mandates disabling legacy authentication methods to secure network services | |
| ISM-1037 | ISM-1037 requires gateways to be tested after configuration changes and at least every six months to confirm they conform to expected sec... | |
| ISM-1055 | ISM-1055 requires a specific security configuration: disabling LAN Manager and NT LAN Manager authentication methods | |
| ISM-1183 | ISM-1183 requires an organisation to publish and use hard fail SPF DNS records to specify which email servers are authorised to send for ... | |
| ISM-1196 | ISM-1196 mandates a specific security configuration state for mobile devices: Bluetooth must be undiscoverable except during pairing | |
| ISM-1211 | ISM-1211 requires system administrators to carry out system administration activities in line with an established change and configuratio... | |
| ISM-1260 | ISM-1260 requires default server application accounts and credentials to be changed, disabled or removed as part of initial setup | |
| ISM-1272 | ISM-1272 requires a specific configuration state for database servers, where the DBMS is set to not accept remote connections unless need... | |
| ISM-1304 | ISM-1304 demands that default accounts or credentials on network devices be changed, disabled, or removed at initial setup | |
| ISM-1311 | ISM-1311 mandates that organisations ensure SNMP version 1 and 2 are not used on networks | |
| ISM-1312 | ISM-1312 requires a specific secure configuration outcome for SNMP on network devices (non-default community strings and no write access) | |
| ISM-1316 | ISM-1316 requires that default SSIDs are changed on wireless access points as part of secure configuration | |
| ISM-1319 | ISM-1319 requires organisations to avoid static IP addressing on wireless networks as a specific configuration choice to reduce risk | |
| ISM-1369 | ISM-1369 requires that TLS connections use AES-GCM encryption, which is a specific security configuration for network services | |
| ISM-1406 | ISM-1406 requires organisations to use SOEs for workstations and servers to ensure consistent, secure configurations | |
| ISM-1409 | ISM-1409 requires organisations to implement hardened operating system configurations using ASD and vendor guidance, applying the most re... | |
| ISM-1428 | ISM-1428 mandates a specific secure configuration setting: IPv6 tunnelling is disabled unless needed | |
| ISM-1536 | ISM-1536 requires implementing one defined security configuration in Microsoft Office: blocking OLE package activation | |
| ISM-1540 | ISM-1540 requires DMARC DNS records to be configured for organisational domains and subdomains so that non-compliant emails are rejected | |
| ISM-1562 | ISM-1562 requires hardening of video conferencing and IP telephony infrastructure through secure configurations | |
| ISM-1588 | ISM-1588 requires organisations to review and update Standard Operating Environments (SOEs) at least annually | |
| ISM-1598 | ISM-1598 requires IT equipment to be inspected after maintenance or repair to confirm it still matches the approved configuration and has... | |
| ISM-1604 | ISM-1604 requires a hardened configuration for the software-based isolation mechanism, including removing unneeded functionality and rest... | |
| ISM-1622 | ISM-1622 mandates a particular security configuration for a specific technology (PowerShell Constrained Language Mode) | |
| ISM-1669 | ISM-1669 requires Microsoft Office to be blocked from injecting code into other processes | |
| ISM-1673 | ISM-1673 requires implementing a specific security configuration: blocking Win32 API calls from Microsoft Office macros | |
| ISM-1710 | ISM-1710 requires wireless access points to be hardened by changing insecure default settings and applying secure configuration | |
| ISM-1806 | ISM-1806 requires default user accounts and credentials in user applications to be changed, disabled, or removed during initial setup | |
| ISM-1823 | ISM-1823 requires locking down office productivity suite security settings so users cannot change them | |
| ISM-1824 | ISM-1824 requires preventing user changes to PDF application security settings, ensuring a fixed secure configuration for that application | |
| ISM-1825 | ISM-1825 requires that users cannot change the security settings of security products, preserving the intended secure state | |
| ISM-1828 | ISM-1828 requires the Print Spooler service to be disabled specifically on Microsoft AD DS domain controllers to reduce attack surface | |
| ISM-1832 | ISM-1832 requires that only service accounts and computer accounts are configured with Service Principal Names (SPNs) in Active Directory | |
| ISM-1834 | ISM-1834 requires organisations to maintain a correct Active Directory configuration state by preventing or remediating duplicate SPNs, w... | |
| ISM-1838 | ISM-1838 requires a specific security configuration outcome in AD: the UserPassword attribute for user accounts is not used | |
| ISM-1860 | ISM-1860 requires hardening of PDF applications using ASD and vendor guidance, prioritising the most restrictive settings | |
| ISM-1887 | ISM-1887 requires a particular security configuration on mobile devices: remote locate and wipe must be enabled and usable | |
| ISM-1915 | ISM-1915 requires approved configurations for user applications to be developed, implemented, and maintained | |
| ISM-1926 | ISM-1926 mandates a hardened configuration baseline for AD-related servers by restricting them to their designed roles | |
| ISM-1931 | ISM-1931 requires SID Filtering to be enabled on domain and forest trusts to prevent abuse of SIDHistory/foreign SIDs across trust bounda... | |
| ISM-1935 | ISM-1935 mandates that Active Directory computer accounts are not configured for unconstrained delegation, a specific security measure to... | |
| ISM-1951 | ISM-1951 requires a specific security configuration: hard match takeover must be disabled on Microsoft Entra Connect servers | |
| ISM-1956 | ISM-1956 requires Microsoft AD FS token-signing and encryption certificates to be rotated twice in quick succession when compromised or s... | |
| Partially overlaps (7) | ||
| ISM-0042 | ISM-0042 requires organisations to develop, implement and maintain effective system administration practices and procedures for managing ... | |
| ISM-0289 | ISM-0289 requires evaluated products to be installed, configured, administered and operated in an evaluated configuration and in accordan... | |
| ISM-0290 | ISM-0290 requires high assurance IT equipment to be installed, configured, administered and operated in an evaluated configuration and in... | |
| ISM-0589 | ISM-0589 requires controlling MFD configuration and use so higher-classified material is not scanned/copied on lower-classified networks | |
| ISM-0912 | Annex A 8.9 requires configurations of hardware, software, services and networks to be established, documented, implemented, monitored an... | |
| ISM-1608 | ISM-1608 requires third-party SOEs to be checked for insecure or non-compliant configurations (as well as malicious code) before they are... | |
| ISM-1912 | Annex A 8.9 requires organisations to document and maintain configurations for systems and to keep them under review | |
| Supports (24) | ||
| ISM-0211 | ISM-0211 requires a maintained and regularly verified cable register to keep accurate knowledge of physical connectivity | |
| ISM-0481 | ISM-0481 requires systems to use only high assurance cryptographic protocols, which typically must be enforced via configuration (e.g | |
| ISM-0516 | ISM-0516 requires network documentation to include high-level and logical network diagrams showing all connections and all critical compo... | |
| ISM-0518 | ISM-0518 requires organisations to keep network documentation current and available | |
| ISM-0530 | ISM-0530 requires VLAN administration to occur from the most trusted security domain, effectively defining a security configuration requi... | |
| ISM-0591 | ISM-0591 requires the use of specific evaluated peripheral switches to define a security hardware configuration, supporting Annex A 8.9 (... | |
| ISM-1277 | ISM-1277 requires encryption for traffic between database servers and web servers to prevent interception or tampering in transit | |
| ISM-1419 | ISM-1419 requires that development and modification of software only occurs in development environments, limiting configuration drift and... | |
| ISM-1439 | ISM-1439 requires specific secure configurations to hide origin IP addresses and restrict origin access to CDN and authorised management ... | |
| ISM-1450 | ISM-1450 requires a specific configuration/usage state in TOP SECRET areas: non-TOP SECRET workstations must not be used with microphones... | |
| ISM-1493 | ISM-1493 requires organisations to maintain and regularly verify software registers so they can evidence what software exists across thei... | |
| ISM-1605 | ISM-1605 requires that the underlying operating system for software-based isolation on shared servers is hardened, which relies on establ... | |
| ISM-1619 | ISM-1619 mandates a secure configuration pattern for Windows service identities by using gMSAs for service accounts | |
| ISM-1646 | ISM-1646 requires maintaining accurate floor plans that show cabling routes and key network termination points (cabinets, concentration b... | |
| ISM-1696 | ISM-1696 requires applying critical operating system patches within 48 hours for workstations and non-internet-facing servers and network... | |
| ISM-1730 | ISM-1730 requires that an SBOM is produced and made available to consumers of software | |
| ISM-1798 | ISM-1798 requires publishing secure configuration guidance so consumers can securely configure the software | |
| ISM-1888 | ISM-1888 requires a specific security configuration on mobile devices: secure lock screens | |
| ISM-1981 | ISM-1981 requires replacing non-internet-facing network devices that are no longer vendor-supported, preventing insecure legacy devices f... | |
| ISM-2025 | ISM-2025 requires an issue tracking solution to tie development work items to security issues, decisions and change requests | |
| ISM-2031 | ISM-2031 requires organisations to configure compilers, interpreters and build pipelines to use security features that improve executable... | |
| ISM-2033 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC | |
| ISM-2045 | ISM-2045 requires organisations to ensure backwards compatibility does not introduce security regressions or disable protections | |
| ISM-2084 | ISM-2084 requires organisations to document AI model characteristics, system architecture, intended use and security risks in AI-specific... | |
| Depends on (2) | ||
| ISM-1552 | ISM-1552 requires organisations to configure web applications and associated services so content is delivered only via HTTPS | |
| ISM-1627 | ISM-1627 requires inbound network connections from anonymity networks to be blocked | |
| Related (4) | ||
| ISM-1635 | ISM-1635 requires system owners to implement controls for each system and its operating environment | |
| ISM-1913 | ISM-1913 requires approved configurations for IT equipment to be developed, implemented and maintained | |
| ISM-1914 | Annex A 8.9 requires secure configurations to be established and managed across IT systems | |
| ISM-1916 | Annex A 8.9 requires secure configurations to be established, documented, implemented, monitored and reviewed across IT assets | |