Configuration Management Policy
ISO/IEC 27001 Toolkit: Version 11A ©CertiKit
Configuration Management Policy [Insert classification]
Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document
This document sets out the organization’s policy for the secure configuration of hardware, software, services and networks.
Areas of the standard addressed
The following areas of the ISO/IEC 27002:2022 standard are addressed by this document:
• A.5 Organizational controls
  o A.5.1 Policies for information security
• A.8 Technological controls
  o 8.9 Configuration management
General guidance
The ISO27001 standard uses “configuration management” in a slightly different sense from the classic definition, for example in the ITIL sense. Here it is about defining standards for the secure configuration of the components that make up your ICT environment, and then making sure those standards are actually applied. There are some good tools available, especially in a cloud scenario, for achieving this, both for creating components using Infrastructure as Code (IaC) and for finding noncompliant configurations and automatically correcting them.
Review frequency
We would recommend that this document is reviewed annually and upon significant change to the organization and relevant legislation.
Version 1
Page 2 of 9
[Insert date]
Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents on an Apple Mac, and in Google Docs/Sheets.
Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only, from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Configuration Management Policy
Version 1
DOCUMENT CLASSIFICATION: [Insert classification]
DOCUMENT REF: ISMS-DOC-A08-9-1
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]
Revision history
VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution
NAME | TITLE

Approval
NAME | POSITION | SIGNATURE | DATE
Contents
1 Introduction ... 8
2 Configuration management policy ... 9
1 Introduction
[Organization Name] uses a wide variety of components in creating and running its ICT infrastructure and end-user devices. These consist of hardware, software, cloud services and networks, all of which are potentially vulnerable to attack from a range of threat sources. In order to lessen the risk of these components becoming compromised, it is important that we identify the most appropriate ways of configuring them and then ensure that these methods are used throughout our ICT landscape. This policy describes the main principles on which such standard configurations must be based and sets out the rules for their use.
This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.
The following policies and procedures are relevant to this document:
• Information Security Policy
• Mobile Device Policy
• Network Security Policy
• Cloud Services Policy
• Configuration Management Process
• Change Management Process
2 Configuration management policy
New components that make up [Organization Name] hardware, software, services and networks must have their required security settings defined and correctly configured prior to their implementation within our ICT environment. Configurations of existing components must be reviewed periodically to ensure they meet the requirements of this policy. Such components will include, but are not limited to:
• Endpoint devices, such as desktops, laptops, mobile phones and tablets
• Physical network devices, such as routers, switches and firewalls
• Physical servers, including system software such as operating systems, databases and web servers
• Cloud infrastructure, such as virtual servers, networks and storage
Where possible, standard templates will be used to document the required configuration of ICT components. These templates will be subject to change and version control. The configurations defined will take appropriate account of available sources of information about securing the relevant components, such as vendor templates, guidance from cyber security authorities and best practice organizations, system hardening guides and our own information security policies.
Details of configuration standards will be protected as sensitive information, since they would be of use to an attacker.
Configuration standards must be reviewed on a regular basis and kept up to date with changes in the components themselves (such as new hardware or software versions) and in the threats and vulnerabilities they face.
The correct configuration of components will be monitored, and instances where existing settings deviate from the established standard will be investigated and, if necessary, corrected. Where feasible, automated methods such as Infrastructure as Code (IaC) will be used to create components with the correct configuration. Automated audit tools may also be used to check configurations regularly, report on those found to be noncompliant and correct them.