Control Definition
Organizations must define secure configurations for their hardware, software, services, and networks, document them, roll them out consistently, and keep monitoring and reviewing them so settings do not drift or get changed without authorization.
Control Objective
To ensure that systems are configured securely and consistently, reducing vulnerabilities caused by misconfigurations and preventing unauthorized changes.
What This Really Means
Configuration management means establishing secure baseline settings for all your IT assets—servers, workstations, network devices, cloud services, databases—and ensuring they stay that way. This includes hardening operating systems, disabling unnecessary services, configuring firewalls properly, and applying security best practices.
Think of it like setting up a new car: you adjust the mirrors, set the seat position, program your radio presets—that's your baseline configuration. Now imagine every time you drive, those settings randomly change. That's what happens without configuration management: settings drift, unauthorized changes occur, and security weakens over time.
This control requires you to document secure baseline configurations (using standards like CIS Benchmarks or vendor hardening guides), deploy them consistently across all systems, monitor for configuration drift, and have a change management process so modifications are reviewed and approved before implementation. The goal is "no surprises"—every system configured the same way, all changes tracked and justified.
Why It Matters
Misconfigurations are among the leading causes of cloud data breaches and security incidents generally. A single wrong setting—an open S3 bucket, disabled firewall, weak TLS version—can expose your entire organization.
Without proper configuration management, organizations face:
- Data Breaches from Misconfigured Cloud Storage – Publicly accessible S3 buckets, Azure blobs, or databases with default credentials have leaked billions of records (Capital One, Twilio, Uber)
- Vulnerability Exploitation – Systems with outdated TLS, disabled security features, or unnecessary services enabled provide easy attack vectors
- Configuration Drift and Inconsistency – Manual configurations lead to "snowflake servers" where no two systems are alike, making security monitoring and compliance verification impossible
- Audit Failures and Compliance Gaps – Regulators expect documented baselines and evidence of configuration compliance; ad-hoc setups guarantee non-conformities
Indian organizations face additional scrutiny: CERT-In advisories repeatedly flag weak configurations on internet-facing systems, and DPDPA's reasonable security safeguards obligation is hard to demonstrate without documented hardening baselines.
Implementation Guidance
Adopt Industry-Standard Hardening Baselines
Use CIS Benchmarks, STIGs (Security Technical Implementation Guides), or vendor-specific hardening guides for every OS and platform: Windows Server, Linux (Ubuntu, RHEL), macOS, cloud platforms (AWS, Azure, GCP), databases, network devices. Download the specific benchmark for your versions and customize based on business requirements.
Document Secure Baseline Configurations for All Asset Types
Create standard build documents or infrastructure-as-code templates (Terraform, Ansible, CloudFormation) defining secure settings: disabled services, firewall rules, password policies, logging configurations, encryption requirements. Maintain version-controlled baselines in Git. Include justifications for deviations from standards.
Implement Automated Configuration Deployment
Use configuration management tools (Ansible, Puppet, Chef, Salt) or cloud-native services (AWS Systems Manager, Azure Automation) to deploy baselines automatically. Never configure systems manually—use automation that enforces consistency. Test deployments in staging before production. Maintain deployment logs for audit trails.
Monitor for Configuration Drift Continuously
Deploy configuration monitoring tools (AWS Config, Azure Policy, Qualys, Tenable) that compare current system states against baselines and alert on deviations. Schedule weekly compliance scans. Investigate all unauthorized changes within 24 hours. Where the correct state is well understood (for example a setting that has been reverted), remediate the drift automatically by reapplying the baseline.
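The comparison the monitoring tools perform is simple to state but has two details worth getting right: an absent directive must be compared against the daemon's default, not treated as compliant, and an approved exception must be reported differently from unauthorized drift. The following Python is an added example and not code from the page or from any of the tools it names; the baseline, default values, exception register, host names and the "Directive value" file format (sshd_config-style, with directives treated as case-sensitive for simplicity) are all constructed for illustration.

```python
"""Configuration drift check: baseline vs. actual, with an exception register.

Added example, not from the page. Assumes a simple "Directive value" file
format and constructed baseline, default and exception data; a real baseline
would be derived from CIS Benchmarks or vendor hardening guides.
"""
from dataclasses import dataclass

# Constructed baseline: directive -> value the hardening standard requires.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed: the value the daemon uses when a directive is absent.
# An absent directive is therefore only compliant if its default matches.
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}

# Constructed exception register: approved deviations keyed by (host, directive),
# each tied to a (hypothetical) change ticket.
EXCEPTIONS = {
    ("jump-01", "PasswordAuthentication"): "CHG-0412: break-glass console access",
}


@dataclass
class Finding:
    host: str
    setting: str
    expected: str
    actual: str
    status: str  # "drift" (unauthorized) or "approved-exception"


def parse_kv_config(text):
    """Parse 'Directive value' lines; blank lines and '#' comments are ignored,
    and a repeated directive keeps the last value."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_host(host, config_text, baseline=BASELINE, defaults=DEFAULTS,
               exceptions=EXCEPTIONS):
    """Return one Finding per baseline directive whose effective value differs."""
    actual = parse_kv_config(config_text)
    findings = []
    for setting, expected in baseline.items():
        value = actual.get(setting, defaults.get(setting, "<unset>"))
        if value == expected:
            continue
        status = "approved-exception" if (host, setting) in exceptions else "drift"
        findings.append(Finding(host, setting, expected, value, status))
    return findings


def compliance_pct(findings, baseline=BASELINE):
    """Percentage of baseline directives without unauthorized drift."""
    drifted = sum(1 for f in findings if f.status == "drift")
    return round(100 * (len(baseline) - drifted) / len(baseline), 1)


def report(host, findings, baseline=BASELINE):
    lines = [f"{host}: {compliance_pct(findings, baseline)}% compliant"]
    for f in findings:
        lines.append(f"  [{f.status}] {f.setting}: expected {f.expected!r}, found {f.actual!r}")
    return lines


# Constructed sample inputs, as a collector might pull them from each host.
SAMPLE_WEB01 = """\
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
# MaxAuthTries deliberately absent: the default (6) applies
LogLevel VERBOSE
"""

SAMPLE_JUMP01 = """\
PermitRootLogin no
PasswordAuthentication yes   # covered by CHG-0412
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
"""

if __name__ == "__main__":
    for host, text in (("web-01", SAMPLE_WEB01), ("jump-01", SAMPLE_JUMP01)):
        print("\n".join(report(host, check_host(host, text))))
```

Run as a script it prints web-01 at 60% (root login enabled, MaxAuthTries left at its default) and jump-01 at 100% with one approved exception listed, which is the distinction the 24-hour investigation rule depends on: only the `drift` findings need a ticket.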
Implement Change Management Process for Configuration Changes
Require formal approval before any configuration change using ITSM tools (ServiceNow, Jira Service Management). Document who requested the change, why, what was modified, and when. Test changes in non-production first. Maintain a change log for audit purposes. Emergency changes must be retroactively documented within 24 hours.
Regular Configuration Audits and Compliance Reviews
Conduct quarterly configuration audits comparing systems against baselines using automated scanning tools. Generate compliance reports showing percentage adherence to CIS Benchmarks or STIGs. Review and update baselines annually or when major infrastructure changes occur. Document exceptions with risk acceptance from management.
Secure Configuration for Cloud Services and Containers
Apply security baselines to cloud resources: disable public access by default, enforce encryption at rest and in transit, enable logging and monitoring, implement least-privilege IAM policies. For containers, use hardened base images (Alpine, distroless), scan for vulnerabilities, and define security contexts. Use policy-as-code tools (OPA, Sentinel) for enforcement.
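Policy-as-code means the baseline rules above are evaluated against a planned deployment before anything is created, and the deployment is refused if a rule is violated. The following Python is an added example, not code from the page and not OPA or Sentinel; it evaluates a constructed, simplified plan (a list of resource dictionaries whose field names are invented for this illustration) against rules mirroring the cloud and container settings in the text. It goes slightly beyond the paragraph by carrying an environment tag per resource, so the same rule can deny in production and only warn in development, which is the per-environment baseline approach the page recommends later.

```python
"""Policy-as-code pre-deployment gate. Added example, not from the page;
the plan format and rule identifiers (CFG-00x) are constructed."""

SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433, 6379}


def rule_no_public_bucket(r):
    if r["type"] != "storage_bucket":
        return None
    if r.get("public_access_block") is not True or r.get("acl", "private") != "private":
        return "bucket allows public access"


def rule_encryption_at_rest(r):
    if r["type"] in ("storage_bucket", "database") and not r.get("encrypted_at_rest", False):
        return "encryption at rest is not enabled"


def rule_no_open_sensitive_ports(r):
    if r["type"] != "security_group":
        return None
    for ingress in r.get("ingress", []):
        if ingress["cidr"] in ("0.0.0.0/0", "::/0"):
            ports = set(range(ingress["from_port"], ingress["to_port"] + 1))
            hit = sorted(ports & SENSITIVE_PORTS)
            if hit:
                return f"ingress from {ingress['cidr']} on sensitive ports {hit}"


def rule_container_non_root(r):
    if r["type"] == "container" and not r.get("security_context", {}).get("run_as_non_root", False):
        return "container security context does not require a non-root user"


# Rule table: (id, check, action per environment). Production is deny-only;
# development downgrades some rules to warnings. Constructed mapping.
RULES = [
    ("CFG-001", rule_no_public_bucket,        {"prod": "deny", "dev": "deny"}),
    ("CFG-002", rule_encryption_at_rest,      {"prod": "deny", "dev": "warn"}),
    ("CFG-003", rule_no_open_sensitive_ports, {"prod": "deny", "dev": "deny"}),
    ("CFG-004", rule_container_non_root,      {"prod": "deny", "dev": "warn"}),
]


def evaluate(plan):
    """Return (resource, rule id, action, message) for every rule violation."""
    findings = []
    for r in plan:
        # An untagged resource is treated as production: strict by default.
        env = r.get("tags", {}).get("environment", "prod")
        for rule_id, check, actions in RULES:
            message = check(r)
            if message:
                findings.append((r["name"], rule_id, actions.get(env, "deny"), message))
    return findings


def gate(plan):
    """Allow the deployment only if no finding carries a deny action."""
    findings = evaluate(plan)
    allowed = not any(action == "deny" for _, _, action, _ in findings)
    return allowed, findings


# Constructed sample plan: two violations in production, one in development,
# and two compliant resources.
SAMPLE_PLAN = [
    {"name": "customer-exports", "type": "storage_bucket", "acl": "public-read",
     "public_access_block": False, "encrypted_at_rest": True,
     "tags": {"environment": "prod"}},
    {"name": "audit-logs", "type": "storage_bucket", "acl": "private",
     "public_access_block": True, "encrypted_at_rest": True,
     "tags": {"environment": "prod"}},
    {"name": "db-sg", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 5432, "to_port": 5432}],
     "tags": {"environment": "prod"}},
    {"name": "dev-db", "type": "database", "encrypted_at_rest": False,
     "tags": {"environment": "dev"}},
    {"name": "api", "type": "container",
     "security_context": {"run_as_non_root": True},
     "tags": {"environment": "prod"}},
]

if __name__ == "__main__":
    allowed, findings = gate(SAMPLE_PLAN)
    for name, rule_id, action, message in findings:
        print(f"{action.upper():5} {rule_id} {name}: {message}")
    print("deployment", "allowed" if allowed else "blocked")
```

The point of the design is that the rule set is data: adding a control means adding one function and one row, and the same table produces the audit evidence (which rule, which resource, which environment) that the certification auditor asks for under A.8.9.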
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.8.9:
Documentation
- Configuration Management Policy or Procedure defining baseline standards and change processes
- Secure baseline configuration documents or infrastructure-as-code templates for each asset type
- CIS Benchmark or STIG compliance reports showing system adherence to hardening standards
- Change management logs showing approved configuration changes with dates and approvers
- Configuration drift monitoring reports showing deviations detected and remediated
Interviews
- System administrators about how they deploy and maintain system configurations
- IT Security team about configuration monitoring and drift detection processes
- Change managers about the approval workflow for configuration modifications
Observations
- Review of baseline configuration templates in version control (Git, Terraform)
- Demonstration of configuration management automation (Ansible playbooks, AWS Config rules)
- Sample of compliance scan reports from tools like CIS-CAT, Qualys, or cloud-native scanners
- Review of change management system showing recent configuration change requests and approvals
Practitioner Insights

The most common configuration management failure: organizations have beautiful baseline documents sitting in SharePoint that nobody follows. I see production servers with telnet enabled, default SNMP community strings, and SMBv1 running—all forbidden by their own baselines. You must scan for compliance regularly and remediate automatically. Documentation without enforcement is just wishful thinking.

Cloud misconfigurations are epidemic. Every audit, I find S3 buckets with public read, security groups allowing 0.0.0.0/0 on sensitive ports, or disabled CloudTrail logging. Use cloud security posture management tools (AWS Security Hub, Azure Defender) to continuously monitor configurations. Better yet, use policy-as-code to prevent misconfigurations from being deployed in the first place.
Common Challenges & Solutions
Challenge
Development teams need flexible configurations that conflict with security baselines for testing.
Solution
Create separate baselines for different environments: strict hardening for production, relaxed settings for development/test. Use tagging or naming conventions to apply appropriate policies automatically. Development flexibility is fine, but production must be non-negotiable. Never promote dev configurations to production without hardening.
Challenge
Legacy systems cannot be upgraded or hardened without breaking critical business applications.
Solution
Document the legacy system as an exception with formal risk acceptance from senior management. Isolate it on a separate network segment with strict access controls. Implement compensating controls: dedicated firewall rules, enhanced monitoring, no internet access. Create a roadmap for application modernization or replacement with target dates.
Challenge
Configuration drift occurs constantly because administrators make manual emergency changes during incidents.
Solution
Implement "cattle, not pets" infrastructure philosophy—treat servers as disposable and redeploy from baselines rather than fixing in place. For emergency changes, use runbooks that document exactly what was changed and automatically create change tickets post-incident. Schedule weekly drift remediation windows to reset systems to baseline.
Challenge
Different teams use different configuration tools creating inconsistency and tool sprawl.
Solution
Standardize on a single configuration management platform organization-wide (Ansible is popular for its agentless approach). Migrate existing configurations gradually. Create a center of excellence to develop reusable modules and provide training. Document approved tools in an architecture standards document. Phase out unsupported tools over 12 months.
Challenge
We have hundreds of systems and manually checking CIS Benchmark compliance is impossible.
Solution
Use automated CIS scanning tools: CIS-CAT Pro (official tool), OpenSCAP, Lynis (open source), or commercial tools like Qualys, Tenable, or Rapid7. Schedule weekly automated scans that generate compliance scores. Integrate with SIEM to alert on critical misconfigurations. Set a target of 90%+ compliance and track progress monthly.
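Turning a scan into a score and an alert is the step between "we ran the tool" and "we track 90%+ monthly". The following Python is an added example, not code from the page or from any of the scanners it names. It parses a constructed, heavily simplified XCCDF-style result document (real OpenSCAP and CIS-CAT output uses namespaces, a `target` element and many more fields; the rule identifiers here are invented), excludes not-applicable rules from the denominator so they do not inflate the score, and produces SIEM-ready records for failed high-severity rules.

```python
"""Compliance scoring and SIEM alerting from a scan result.
Added example, not from the page; the XML shape and rule ids are constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

TARGET_PCT = 90.0
COUNTED = {"pass", "fail"}  # notapplicable / notselected / unknown are excluded
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}

# Constructed sample result: 7 pass, 2 fail, 1 not applicable.
SAMPLE_RESULT = """<TestResult id="weekly-scan" host="web-01">
  <rule-result idref="cis_1.1.1_disable_cramfs" severity="low"><result>pass</result></rule-result>
  <rule-result idref="cis_1.4.1_bootloader_password" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="cis_3.5.1_firewall_enabled" severity="high"><result>pass</result></rule-result>
  <rule-result idref="cis_4.1.1_auditd_enabled" severity="high"><result>pass</result></rule-result>
  <rule-result idref="cis_5.2.8_ssh_permitrootlogin" severity="high"><result>fail</result></rule-result>
  <rule-result idref="cis_5.2.13_ssh_idle_timeout" severity="low"><result>fail</result></rule-result>
  <rule-result idref="cis_5.4.1_password_expiration" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="cis_6.1.2_passwd_permissions" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="cis_1.1.22_sticky_bit" severity="low"><result>pass</result></rule-result>
  <rule-result idref="cis_2.2.7_nfs_disabled" severity="medium"><result>notapplicable</result></rule-result>
</TestResult>"""


def parse_results(xml_text):
    """Return (host, rows) where each row is {rule, severity, result}."""
    root = ET.fromstring(xml_text)
    host = root.get("host", "unknown")
    rows = []
    for rr in root.iter("rule-result"):
        rows.append({
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": rr.findtext("result", default="unknown").strip(),
        })
    return host, rows


def score(rows):
    """Percentage of applicable rules that passed."""
    counted = [r for r in rows if r["result"] in COUNTED]
    if not counted:
        return 0.0
    passed = sum(1 for r in counted if r["result"] == "pass")
    return round(100 * passed / len(counted), 1)


def failures_at_least(rows, min_severity="high"):
    """Failed rules at or above the given severity."""
    floor = SEVERITY_ORDER[min_severity]
    return [r for r in rows
            if r["result"] == "fail" and SEVERITY_ORDER.get(r["severity"], -1) >= floor]


def siem_events(host, rows, min_severity="high"):
    """Flat records a SIEM can ingest for critical misconfigurations."""
    return [{"event": "config_compliance_failure", "host": host,
             "rule": r["rule"], "severity": r["severity"]}
            for r in failures_at_least(rows, min_severity)]


def assess(xml_text):
    host, rows = parse_results(xml_text)
    pct = score(rows)
    return {
        "host": host,
        "score": pct,
        "meets_target": pct >= TARGET_PCT,
        "failures_by_severity": dict(Counter(r["severity"] for r in rows if r["result"] == "fail")),
        "alerts": siem_events(host, rows),
    }


if __name__ == "__main__":
    summary = assess(SAMPLE_RESULT)
    print(f"{summary['host']}: {summary['score']}% "
          f"({'meets' if summary['meets_target'] else 'below'} {TARGET_PCT}% target)")
    for alert in summary["alerts"]:
        print("ALERT", alert["severity"], alert["rule"])
```

On the sample the host scores 77.8% (7 of 9 applicable rules) and is below target, and a single SIEM event is raised for the high-severity SSH failure; the low-severity failure lowers the score but does not page anyone, which is the triage the "alert on critical misconfigurations" advice implies.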