Configuration Management in accordance with ISO 27001:2022 – How to avoid a deviation

Does your company want to be certified according to the latest ISO 27001? Then you need to implement a professional Configuration Management – based on the latest standards! Here’s how you can master the challenge.

Think about the Secure Configuration of your systems!

DIN EN ISO 27001 or DIN/IEC 27001 – ISO 27001 for short – is an important standard in the field of cyber security. The latest big update, DIN 27001:2022, was published in October 2022.

As ISO 27001:2022 becomes effective, affected organisations will need to fully align their Information Security Management Systems (ISMS) with the new requirements. One of the most significant innovations is the introduction of Annex A – Control 8.9, which deals with Configuration Management – also known as Secure Configuration or System Hardening.

This point did not exist in the previous versions of the standard. Therefore, companies must now ensure that they meet the requirements of Secure Configuration in order to avoid non-conformities.

ISO 27002: Comparison of innovations and changes compared to the previous version (Image: nqa)
(Click on the image for a larger view)

Note: An overview of the similarities and differences between the “old” ISO 27002:2017 and the “new” ISO 27002:2022 can be found in this PDF from NQA.

ISO 27001: What is a non-conformity?

A non-conformity or deviation is when a requirement of ISO 27001:2022 is not met. This can be non-compliance with an explicit requirement of the standard. Or an ISO audit reveals a discrepancy between a company’s internal specifications and the actual implementation.

The deviations can be divided into two categories:

1️⃣ Major non-conformity

A major nonconformity exists if a significant aspect of ISO 27001 has not been implemented in your ISMS. The auditor considers the effectiveness of the entire Information Security Management System to be significantly impaired.

2️⃣ Minor non-conformity

A minor non-conformity is less serious. It usually concerns minor, often specific deficiencies that do not directly affect the overall effectiveness of the ISMS. However, several audit results with the status “Minor Non-Confirmity” cumulatively lead to a “Major Non-Conformity”.

➡ You may receive a minor non-conformity if, for example, you do not adequately fulfill an aspect of the required Configuration Management. A major non-conformity would be if, for example, you completely neglect the Secure Configuration of your systems.

What are the consequences of a major or minor deviation?

If there is a major non-conformity, you must expect these consequences:

🔷 Your ISO 27001:2002 audit will fail. Your organisation will not be certified.

🔷 You will be given a deadline to rectify the major non-conformity. This is usually between three and six months.

🔷 Within the deadline, you must provide evidence that the identified defects have been rectified.

🔷 In many cases, a post-audit is carried out. During this audit, the auditor checks whether the corrective measures are effective.

🔷 If all non-conformities have been rectified, you will receive an ISO 27001 certificate, although this is only valid for three years.

If a minor deviation is identified during your ISMS audit, these steps usually follow:

🔷 Certification is granted on the condition that you rectify the non-conformity within a few months.

🔷 Your company must submit a plan to rectify the minor non-conformity and provide evidence of the corrective measures.

🔷 The auditors will check in future audits whether the corrective measures have been implemented. If this is not the case, the minor non-conformities will become major non-conformities – and a certification in accordance with ISO 27001:2022 will no longer apply.

What is meant by “Configuration Management” in ISO 27001:2022?

Configuration Management in accordance with ISO 27001:2022 – Annex A, Control 8.9 comprises numerous measures. Security controls are an important aspect of this. Their main objective is to reduce the attack surfaces of IT systems through Secure Configuration. In the field of information security, these activities are known as System Hardening.

This video shows you the benefits of hardening individual applications, operating systems and large IT system landscapes:

ISO 27001 Configuration Management: Examples of non-conformities

A typical deviation is when there are no documented processes in your company to track changes to IT systems. Such negligence jeopardizes the entire information security of a company.

This is because every change – whether it is the installation of new software, a revised network configuration or a hardware replacement – must be accurately documented and monitored. This is the only way to identify configuration errors and potential vulnerabilities. Inadequate testing and approval processes are also considered “non-conformities” under ISO 27001, as are unclear responsibilities for implementing and testing new assets.

Always remember that any vulnerability, no matter how small, can be exploited by hackers. In the event of a compromise, attackers will often change settings, passwords or permissions on the ‘hijacked’ systems in order to gain further access. Without professional Configuration Management, including documentation and monitoring, unauthorised changes and lateral movement can go unnoticed for a long time.

Configuration Management: Basic measures to avoid deviations

To ensure that there are no minor or major non-conformities in the area of “Configuration Management” or “Secure Configuration” during your next ISO 27001 audit, you should proceed as follows:

Know-how

Study the requirements of ISO 27001:2022 in detail. Acquire the necessary expertise to understand the required measures. Or consult external experts for Configuration Management and System Hardening.

Actual assessment

Check how well your IT systems are configured and secured in accordance with the standard. These checks can be easily carried out with a tool such as the free AuditTAP – for individual applications as well as for complete operating systems.

Strategy

If you discover deficiencies, for example using the AuditTAP report, you must immediately develop measures to rectify them and plans for their implementation over time. Here too, it may be advisable to engage service providers for system hardening.

Actions

Resolve any outstanding issues as quickly as possible by introducing appropriate policies and implementing suitable procedures. As hardening systems can be very time-consuming (there are usually hundreds of settings to adjust per operating system / device), you should automate the process with a professional hardening tool such as Enforce Administrator.

Review

Conduct regular internal reviews to ensure that all Configuration Management processes fulfil the requirements of ISO 27001. Make sure you have complete documentation and traceability to facilitate your next ISO audit.

Optimisation

Work continuously to improve your policies, procedures and individual measures. Don’t just think about your certification and the required measures, but mainly about the protection of your IT systems. In the end, it’s all about improving information security, increasing data protection and preventing serious cyber attacks!

Conclusion

Point 8.9 of ISO 27001:2022 places important requirements on the Configuration Management of IT systems – and that’s a good thing! A Secure Configuration is a very effective preventive security measure to ward off cyber attacks and minimise the consequences of a compromise.

Do you have questions about Configuration Management in accordance with ISO 27001? Or would you like to know how to properly ‘harden’ your systems? Feel free to contact us!

💬 Send us your questions or concerns!

 

Images: Freepik, NQA

Leave a Reply