A.8.9 Configuration management
Evidence for A.8.9 Configuration Management would include:
- Configuration Management Policy: Documentation of a configuration management policy that outlines the organization's approach to managing and controlling the configuration of information systems, software, and hardware.
- Configuration Baselines: Evidence of established configuration baselines for different information systems, applications, and hardware components. These baselines serve as reference points for configuration changes and ensure consistency and integrity.
- Configuration Change Control Process: Documentation of the process for requesting, reviewing, approving, and implementing configuration changes. This process should include change management controls to prevent unauthorized or unapproved changes.
- Change Authorization Records: Records of authorized configuration changes, including details such as the change request, approval, implementation date, and person responsible for the change.
- Configuration Item Identification: Identification of configuration items (CIs) and their relationships, including hardware components, software modules, and network devices.
- Configuration Item Status Accounting: Tracking and recording the status of configuration items throughout their lifecycle, including updates, changes, and retirement.
- Configuration Management Tools: Evidence of tools or software used for configuration management, such as version control systems, configuration management databases (CMDBs), or automated change management systems.
- Configuration Auditing: Records of configuration audits conducted to verify the accuracy and completeness of configuration items against the established baselines.
- Security Settings and Controls: Documentation of security settings and controls applied to configuration items to ensure compliance with security policies and standards.
- Configuration Management Training: Evidence of training provided to relevant personnel on configuration management procedures, processes, and best practices.
- Incident and Issue Tracking: Logs or records of incidents or issues related to configuration management, along with the organization's response and resolution actions.
- Compliance Documentation: Evidence of compliance with relevant industry regulations, legal requirements, and standards related to configuration management.
These pieces of evidence are used to assess the organization's configuration management practices. This includes evaluating the effectiveness of its change control processes, the accuracy and completeness of configuration data, and its ability to maintain a secure and controlled IT environment through proper configuration management.