
39. Configuration Management Policy


Document Identification: HSNZ/POL/39

Document Name: Configuration Management Policy

Master Copy:

Version Number: 1.0

Date Of Release: 22 May 2026

Prepared By:

Approved by:

VERSION HISTORY

| Sl No | Version No. | Prepared by | Approved by | Description of Version | Date (From) | Date (To) | Reason for Version Change |
|-------|-------------|-------------|-------------|------------------------|-------------|-----------|---------------------------|
| 1     | 1.0         | -           |             |                        | Current     | 21 May 2026 | Release                 |

DOCUMENT STATUS

| Date        | Document Status |
|-------------|-----------------|
| 21 May 2026 | Released        |

Table of Contents

  1. Purpose
  2. Scope
  3. Policy Statement
  4. Roles & Responsibilities
  5. Baseline Configuration Requirements
  6. Configuration Implementation
  7. Configuration Monitoring
  8. Configuration Review
  9. Change Control
  10. Exceptions
  11. Enforcement
  12. Review & Maintenance

1. Purpose

The purpose of this policy is to ensure that configurations of hardware, software, cloud services, networks, and SaaS platforms are established, documented, implemented, monitored, and reviewed in accordance with ISO/IEC 27001:2022 Annex A 8.9. This policy ensures that systems are deployed securely, that they remain consistent over time, and that deviations are identified and corrected promptly.


2. Scope

This policy applies to:

  • All company‑owned or managed hardware
  • All software and operating systems
  • All cloud environments (e.g., AWS)
  • All network devices and configurations
  • All SaaS applications used by the organization
  • All employees, contractors, and third parties who manage or modify configurations

3. Policy Statement

The organization shall maintain secure, approved, and documented configurations for all information systems. Configurations must be:

  • Established (baseline defined)
  • Documented (stored in ISMS repository)
  • Implemented (applied consistently)
  • Monitored (automated or manual checks)
  • Reviewed (periodically validated)

No system may be deployed into production without an approved baseline configuration.


4. Roles & Responsibilities

CISO

  • Owns this policy
  • Approves baseline configurations
  • Ensures monitoring and reviews occur
  • Approves deviations and exceptions

IT Manager / Cloud Engineer

  • Implements baseline configurations
  • Maintains configuration documentation
  • Performs monitoring and remediation
  • Reports deviations to the CISO

Internal Audit

  • Verifies compliance with this policy
  • Reviews configuration evidence during audits

5. Baseline Configuration Requirements

Baseline configurations must be created for:

5.1 Cloud Services (AWS)

  • IAM password policy
  • MFA enforcement
  • Logging (CloudTrail, Config)
  • Encryption defaults
  • Security groups and firewall rules
  • Backup and retention settings

5.2 Endpoints

  • OS hardening
  • Patch management
  • Antivirus/EDR
  • Local firewall settings

5.3 Network

  • Firewall rules
  • VPN configuration
  • VLAN segmentation

5.4 SaaS Applications

  • MFA
  • Access control
  • Logging
  • Session timeout

Baselines must be stored in the ISMS repository and version‑controlled.


6. Configuration Implementation

All new systems must be configured according to the approved baseline before deployment. Any deviation must be:

  • Documented
  • Risk‑assessed
  • Approved by the CISO

7. Configuration Monitoring

The organization shall use automated and manual monitoring to detect configuration drift.

Examples include:

  • AWS Config compliance rules
  • IAM Access Analyzer
  • Intune compliance reports
  • Firewall rule audits
  • Monthly configuration checks

Monitoring results must be recorded and retained as evidence.


8. Configuration Review

Configuration reviews must be conducted twice a year and include:

  • Review of baseline configurations
  • Review of monitoring reports
  • Identification of deviations
  • Documentation of corrective actions
  • Approval by the CISO

Review evidence must be stored in the ISMS evidence library.


9. Change Control

All configuration changes must follow the Change Management Procedure and include:

  • Change request
  • Impact assessment
  • Approval
  • Testing
  • Rollback plan
  • Documentation update

Unauthorized changes are prohibited.


10. Exceptions

Any exceptions to this policy must:

  • Be documented
  • Include a risk assessment
  • Be approved by the CISO
  • Have a defined expiry date

11. Enforcement

Violations of this policy may result in disciplinary action and will be treated as security incidents.


12. Review & Maintenance

This policy must be reviewed annually or when significant changes occur in:

  • Technology
  • Cloud architecture
  • Regulatory requirements
  • ISO/IEC 27001 updates