ISO27001:2022 - Configuration management

Requirements such as password length, password complexity, mandatory password change cycles for hardware and software service logins, the use of two-layer or three-layer AES encryption in network management, disabling unnecessary service ports, enabling MAC address filtering, enabling blocklist control and setting up log records were scattered across chapters A.9, A.12, A.13 and others in the old ISO27001:2013.

The new ISO27001:2022 instead gathers these so-called security configurations and settings for hardware, software, services and networks into a single control, A.8.9 Configuration management.

First, collect the operating guidelines published by external references, such as the Government Configuration Baseline (GCB) regularly updated by the Technical Service Center of the Executive Yuan's National Information and Communication Security Council, or the security baselines that multinational customers such as Microsoft and Meta require when you take on their work, and build from them a set of templates according to your internal information security policy and the availability and suitability of your equipment.

Next, use automation and periodic manual spot checks to monitor whether the current configuration still conforms to the template, and manage any deviation properly. The most important concept here is change management: for every hardware, software, network or service change, consider whether the previously established configuration baseline still applies, and whether the change affects the configuration of other devices and services.
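As an added illustration of the automated monitoring step (example code, not from the original page), a Python baseline conformance check over the settings listed above: the baseline template, the host snapshots and their threshold values are constructed for this example and are not taken from any published GCB.

```python
from collections import namedtuple

# Constructed baseline template covering the settings the page lists. Rules:
# "min"/"max" numeric thresholds, "eq" required flag, "subset" allowed ports.
BASELINE = {
    "password_min_length": ("min", 12),
    "password_complexity": ("eq", True),
    "password_max_age_days": ("max", 90),
    "mac_address_filtering": ("eq", True),
    "login_audit_logging": ("eq", True),
    "open_ports": ("subset", {22, 443}),
}

Deviation = namedtuple("Deviation", "host setting expected actual")

def check_host(host, settings, baseline=BASELINE):
    """Return every setting on `host` that deviates from the baseline. A setting
    missing from the snapshot is a deviation too: unverified is not compliant."""
    deviations = []
    for key, (rule, expected) in baseline.items():
        if key not in settings:
            deviations.append(Deviation(host, key, expected, "<missing>"))
            continue
        actual = settings[key]
        conforms = {
            "min": lambda: actual >= expected,
            "max": lambda: actual <= expected,
            "eq": lambda: actual == expected,
            "subset": lambda: set(actual) <= expected,
        }[rule]()
        if not conforms:
            deviations.append(Deviation(host, key, expected, actual))
    return deviations

# Constructed snapshots, as an automated collector might report them.
HOSTS = {
    "switch-01": {"password_min_length": 14, "password_complexity": True,
                  "password_max_age_days": 60, "mac_address_filtering": True,
                  "login_audit_logging": True, "open_ports": {22, 443}},
    # Short passwords, telnet left open, no evidence of audit logging.
    "nms-02": {"password_min_length": 8, "password_complexity": True,
               "password_max_age_days": 90, "mac_address_filtering": True,
               "open_ports": {22, 23, 443}},
}

def spot_check(hosts=HOSTS, baseline=BASELINE):
    """Run the baseline over every host and keep only those with deviations."""
    report = {h: check_host(h, s, baseline) for h, s in hosts.items()}
    return {h: devs for h, devs in report.items() if devs}
```

Any host returned by `spot_check` is a change-management item: either the device drifted from the template or the template itself needs review.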
