What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 8.9

ISO 27001 Annex A 8.9 - what changed in the 2022 update

One of the most significant shifts in the transition from ISO 27001:2013 to the 2022 update is the introduction of dedicated controls for modern technical challenges. While many older controls were simply merged or renamed, Annex A 8.9: Configuration Management is a standout addition. It marks a transition from “informal” setup practices to a mandatory, documented system for managing the security settings of your entire digital estate.

In the 2013 version, configuration was often handled indirectly through general system acquisition or maintenance rules. In 2022, ISO has made it crystal clear: if you aren’t actively managing your configurations, you have a major hole in your security posture. Let’s explore what has actually changed and why this new control is a game-changer for your ISMS.

The Evolution: From Informal Practice to Annex A 8.9

In the ISO 27001:2013 standard, there was no single “Configuration Management” control. Instead, the requirements were scattered across various domains, such as Control 12.1.2 (Change management) and Control 14.2.2 (System change control procedures). While these touched on changes, they didn’t explicitly mandate the creation and monitoring of secure “baselines.”

The 2022 update brings Annex A 8.9 into the Technological Controls theme. This move elevates configuration from a background IT task to a core security requirement. According to Hightable.io, the introduction of A 8.9 is a direct response to the fact that misconfigurations are now one of the top three ways hackers gain unauthorised access to corporate networks.

What is Annex A 8.9 Configuration Management?

The core objective of Annex A 8.9 is to ensure that your hardware, software, services, and networks function correctly with the required security settings. It requires that configurations are established, documented, implemented, monitored, and reviewed.

Think of it as the “security recipe” for your IT assets. If you were building a server in 2013, you might have followed a mental checklist. In 2022, Annex A 8.9 requires you to have a documented “Golden Image” or baseline that defines exactly which ports are open, which services are disabled, and which default passwords have been changed before the device ever touches your network.

Key Changes and New Requirements in the 2022 Version

Because Annex A 8.9 is technically a “new” control, almost everything about its explicit wording is a change from the 2013 standard. Here are the most important new requirements:

  • The “Secure Baseline” Requirement: You must now define standard security templates for every type of asset. This includes everything from Windows laptops and Linux servers to cloud buckets (like AWS S3) and firewalls.
  • The Default Trap: The 2022 guidance places a heavy emphasis on changing manufacturer defaults. Leaving a “factory settings” password or an unnecessary “Guest” account active is now a specific point of failure for this control.
  • Monitoring for “Drift”: This is a proactive shift. It isn’t enough to set it and forget it. You need a process to periodically check that your live systems still match your documented baselines. If a “quick tweak” was made six months ago that opened a security hole, A 8.9 requires you to find and fix it.
  • Integration with Change Management: Any change to a baseline must now follow the formal Change Management (A 8.32) process. You can’t just change a setting on a whim; it must be assessed for risk and the documentation must be updated accordingly.

The Role of Attributes in Annex A 8.9

A central feature of the ISO 27001:2022 update is the introduction of “Attributes.” For Annex A 8.9, these metadata tags help categorise the control’s function within your risk treatment plan:

Attribute                  Value
Control Type               Preventative
Security Properties        Confidentiality, Integrity, Availability
Cybersecurity Concepts     Protect
Operational Capabilities   Secure Configuration

Practical Steps for Compliance

Transitioning to the 2022 standard means moving from manual, haphazard setups to a disciplined, automated approach. Hightable.io suggests that the most common mistake is having a “paper-only” baseline, where the policy looks great but the actual servers are configured differently.

  1. Identify Your Asset Types: Group your assets (e.g., Laptops, Web Servers, Cloud Databases).
  2. Create Hardening Standards: Use industry-standard benchmarks, like the CIS (Center for Internet Security) Benchmarks, to create your own “Standard Build” documents.
  3. Automate Enforcement: Whenever possible, use tools like Microsoft Intune, Ansible, or Group Policy to “push” these configurations automatically. This removes human error from the equation.
  4. Audit Your Configurations: Use automated scanners to check for “configuration drift” and generate reports that prove you are meeting the A 8.9 monitoring requirement.
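A minimal drift check of the kind step 4 describes, comparing a documented baseline for one asset type (step 2) against a live snapshot and producing an audit record; this is an added example, not code from the article or from Hightable.io. The baseline fields, the snapshot fields and every value in them are constructed assumptions; in practice the snapshot would come from an inventory or scanning tool.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed documented baseline for the "Web Server" asset type
# (stands in for a Standard Build document; field names are assumptions).
BASELINE = {
    "open_ports": {22, 443},
    "disabled_services": {"telnet", "ftp", "rpcbind"},
    "default_accounts": {"guest", "admin"},   # must not be enabled
    "rotated_passwords": {"root"},            # vendor default must be changed
}

# Constructed live snapshot, as an inventory or scanning tool might report it.
LIVE = {
    "open_ports": {22, 443, 8080},
    "disabled_services": {"telnet", "rpcbind"},
    "enabled_accounts": {"root", "deploy", "guest"},
    "default_password_accounts": {"root"},
}

@dataclass(frozen=True)
class Finding:
    check: str   # which baseline rule was violated
    detail: str  # the port, service or account concerned

def check_drift(baseline: dict, live: dict) -> list[Finding]:
    """Return every deviation of the live snapshot from the documented baseline."""
    findings: list[Finding] = []
    # Listening ports the baseline does not allow.
    for port in sorted(live["open_ports"] - baseline["open_ports"]):
        findings.append(Finding("unexpected_open_port", str(port)))
    # Services the baseline requires disabled that the host does not report as disabled.
    for svc in sorted(baseline["disabled_services"] - live["disabled_services"]):
        findings.append(Finding("service_not_disabled", svc))
    # Manufacturer default accounts that are still enabled.
    for acct in sorted(baseline["default_accounts"] & live["enabled_accounts"]):
        findings.append(Finding("default_account_enabled", acct))
    # Accounts still using the vendor default password.
    for acct in sorted(baseline["rotated_passwords"] & live["default_password_accounts"]):
        findings.append(Finding("default_password_unchanged", acct))
    return findings

def audit_line(asset: str, findings: list[Finding]) -> str:
    """One-line audit record showing the asset was checked against its baseline."""
    status = "PASS" if not findings else f"FAIL ({len(findings)} deviations)"
    return f"{asset}: {status}"
```

Calling `check_drift(BASELINE, LIVE)` on the constructed data reports the extra port 8080, the ftp service left running, the enabled guest account and the unrotated root password, which is exactly the "quick tweak" drift the monitoring requirement asks you to find.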

Why the Change Matters

The 2022 update to Annex A 8.9 reflects the reality of the modern attack surface. Hackers rarely “break” encryption; they simply find a misconfigured server or a default password. By turning configuration management into a science rather than an art form, ISO 27001:2022 helps you close the “welcome mat” for attackers.

Final Thoughts on the Transition

The jump from the 2013 version’s informal practices to the 2022 version’s Annex A 8.9 is one of the most beneficial updates for any organisation. It brings rigour to IT operations and ensures that security is baked into the foundation of your infrastructure. As Hightable.io points out, a successful audit of A 8.9 is about proving that your “live” environment matches your “documented” environment.