Typefully

Configuration Management in ISO 27002:2022

4 years ago
Configuration Management is now a separate control in #iso27002. This is what you must do to comply … 🧵 👉 #ConfigMgt #cybersecurity #infosec #iso27001
Previously, configuration was only mentioned in subcontrols of Operating procedures, Logging and monitoring, and Requirements specification. Development and maintenance of configuration profiles was audited against the 'Security in development and support' control, ... #infosec
... which caused awkward discussions when auditing #managedIT/ #managedservices providers for #iso27001, as they did not consider themselves developers at all. #ITservices #ConfigMgt #infosec #cybersecurity
#iso27002 now fully recognises the importance of #ConfigMgt, which is especially relevant to the use of #cloudservices, where misconfiguration can cause vulnerabilities leading to massive data breaches. #cybersecurity #infosec #databreach
To comply with #iso27002 A 8.9 you must: 1) Define configuration templates 2) Implement processes and tools to enforce configs 3) Review configuration templates periodically 4) Implement #ConfigMgt ... for hardware, software, services and networks. #cybersecurity #infosec
When reviewing configuration templates, consider: - changes in the threat landscape - newly identified vulnerabilities - changes in software and hardware. ... also see the thread about #threatintel: twitter.com/iso27diy/status/1500790423408627716
#iso27002 #ConfigMgt must include: a) roles and responsibilities definition b) monitoring configuration changes c) change log reviews d) comparing actual configs with templates e) addressing deviations. Note that configuration info must be stored securely! #infosec #iso27001
When establishing configuration templates: - minimise identities with privileged access - disable redundant and vulnerable IDs - disable unneeded functions - restrict access to superuser tools - sync clocks - change defaults - set automatic log-off after a time-out. #ConfigMgt
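Items d) and e) above (comparing actual configurations with the template and addressing deviations) are the part of A 8.9 that tools can automate. The script below is an added example, not code from the original thread: it encodes several of the hardening items from the template list as rules over OpenSSH `sshd_config` settings (real option names, but the expected values and the mapping to the thread's items are my own constructed template), parses a constructed sample of a host's configuration, and reports every rule the host violates, including settings the host left at the daemon default instead of setting explicitly.

```python
"""Configuration drift check: compare an actual config against a template.

Added example, not part of the original thread. The rule set SSHD_TEMPLATE
and the sample host configuration SAMPLE_CONFIG are constructed for
illustration; the option names are real OpenSSH sshd_config keywords.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Rule:
    """One template entry: an exact expected value or a predicate on the
    actual value. Either way the key must be set explicitly, so a host that
    silently relies on a daemon default is reported as drift ("change
    defaults" from the template list)."""
    key: str
    expected: Optional[str] = None
    predicate: Optional[Callable[[str], bool]] = None
    description: str = ""
    rationale: str = ""


@dataclass
class Deviation:
    key: str
    actual: Optional[str]   # None when the setting is absent
    description: str
    rationale: str


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines the way sshd does: comments and blank
    lines are skipped, keywords are case-insensitive, and the first
    occurrence of a keyword wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_drift(rules: List[Rule], actual: Dict[str, str]) -> List[Deviation]:
    """Return one Deviation per template rule the actual config violates."""
    found: List[Deviation] = []
    for rule in rules:
        value = actual.get(rule.key.lower())
        if value is None:
            found.append(Deviation(rule.key, None,
                                   f"not set explicitly; {rule.description}",
                                   rule.rationale))
        elif rule.expected is not None and value.lower() != rule.expected.lower():
            found.append(Deviation(rule.key, value,
                                   f"expected {rule.expected}", rule.rationale))
        elif rule.predicate is not None and not rule.predicate(value):
            found.append(Deviation(rule.key, value, rule.description,
                                   rule.rationale))
    return found


def int_between(lo: int, hi: int) -> Callable[[str], bool]:
    """Predicate factory: value is an integer in [lo, hi]."""
    return lambda v: v.isdigit() and lo <= int(v) <= hi


# Constructed template tying hardening items from the thread to sshd settings.
SSHD_TEMPLATE = [
    Rule("PermitRootLogin", expected="no", description="must be no",
         rationale="restrict access to superuser tools"),
    Rule("PasswordAuthentication", expected="no", description="must be no",
         rationale="minimise vulnerable identities"),
    Rule("PermitEmptyPasswords", expected="no", description="must be no",
         rationale="disable vulnerable IDs"),
    Rule("X11Forwarding", expected="no", description="must be no",
         rationale="disable unneeded functions"),
    Rule("MaxAuthTries", predicate=int_between(1, 4), description="must be 1..4",
         rationale="change defaults"),
    Rule("ClientAliveInterval", predicate=int_between(1, 300),
         description="must be 1..300 seconds",
         rationale="automatic log-off after a time-out"),
    Rule("ClientAliveCountMax", predicate=int_between(0, 3),
         description="must be 0..3",
         rationale="automatic log-off after a time-out"),
]

# Constructed sample of a host's sshd_config with deliberate drift.
SAMPLE_CONFIG = """\
# sshd_config captured from a host (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
ClientAliveInterval 900
ClientAliveCountMax 3
# MaxAuthTries and PermitEmptyPasswords left at the daemon default
"""


def report(rules: List[Rule], config_text: str) -> List[str]:
    """Human-readable deviation lines, one per finding, for the change log."""
    return [f"{d.key}: actual={d.actual!r} -> {d.description} ({d.rationale})"
            for d in check_drift(rules, parse_config(config_text))]


if __name__ == "__main__":
    for line in report(SSHD_TEMPLATE, SAMPLE_CONFIG):
        print(line)
```

Running it against the sample flags four deviations (root login permitted, the idle time-out far above the template limit, and two settings never set explicitly); the remaining rules pass. In practice the same comparison would run from a scheduled job or a configuration-management tool against every managed host, with the findings feeding the change-log review in item c).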
I hope this thread helps you prepare your #ConfigMgt for the transition to the new #iso27001 coming later this year. Contact me with any questions you may have. Stay safe and secure! – @richardk #cybersecurity #infosec
ISO 27001 Toolkit

@iso27diy

🧰 Implement ISO 27001 yourself! 🏅 Get Certified 🧘‍♀️ Build Customer Trust 🚀 Accelerate Sales! #infosec #iso27001 by @richardk