
ISO27001 A.8.9: Configuration management

ISO/IEC 27001:2022 Information Security Management

Adam Lundqvist
Founder at SQUR · last verified 2026-06-19

Regulation text

Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. Theme: Technological controls. (Full guidance: ISO/IEC 27002:2022 §8.9.)

ATT&CK techniques this article tests · 15

| Technique | Why it maps | Confidence |
| --- | --- | --- |
| T1190 | Attackers exploit public-facing applications with insecure configurations. ISO27001 A.8.9 mandates establishing, documenting, and reviewing security configurations to prevent such vulnerabilities, reducing the attack surface for initial access. | 90% |
| T1133 | External remote services, if misconfigured, provide an initial access vector. ISO27001 A.8.9 requires secure configuration of services, including remote access, to limit unauthorised entry points. | 80% |
| T1543.003 | Attackers modify system service configurations for persistence. ISO27001 A.8.9 requires monitoring and reviewing configurations of software and services, preventing unauthorised changes that establish persistence. | 80% |
| T1547.001 | Misconfigured boot or logon autostart entries enable persistence. ISO27001 A.8.9 mandates secure configuration of hardware and software, including startup settings, to prevent malicious persistence mechanisms. | 80% |
| T1068 | Exploitation for privilege escalation often targets system misconfigurations. ISO27001 A.8.9 requires establishing and implementing secure configurations to minimise vulnerabilities that allow privilege escalation. | 90% |
| T1562.001 | Attackers impair defences by disabling or modifying system firewalls, often through configuration changes. ISO27001 A.8.9 requires monitoring and reviewing security configurations to detect and prevent such defense evasion tactics. | 90% |
| T1003 | OS credential dumping is facilitated by weak system configurations. ISO27001 A.8.9 mandates secure configuration of hardware and software, including memory protection and credential storage, to hinder credential access. | 80% |
| T1552.001 | Unsecured credentials in files result from insecure configurations. ISO27001 A.8.9 requires establishing and implementing secure configurations for software and file systems, preventing the storage of credentials in cleartext or with weak permissions. | 90% |
| T1087.001 | Local account discovery can be aided by verbose or insecure system configurations. ISO27001 A.8.9 requires secure configurations to limit information exposure, making account discovery more difficult for attackers. | 70% |
| T1046 | Network share discovery is often successful due to default or insecure share configurations. ISO27001 A.8.9 mandates establishing and reviewing network configurations to restrict unauthorised access and discovery of shared resources. | 80% |
| T1021.001 | Misconfigured Remote Desktop Protocol (RDP) services enable lateral movement. ISO27001 A.8.9 requires secure configuration of network services, including RDP, to prevent unauthorised remote access and lateral movement. | 80% |
| T1005 | Data from local systems can be collected due to misconfigured file permissions or access controls. ISO27001 A.8.9 mandates secure configurations for software and hardware to protect sensitive data from unauthorised collection. | 80% |
| T1071.001 | Misconfigured web protocols or services can be exploited for command and control. ISO27001 A.8.9 requires secure configuration of services and networks, limiting opportunities for attackers to establish C2 channels. | 70% |
| T1041 | Exfiltration over C2 channels can go undetected if network configurations lack proper monitoring or filtering. ISO27001 A.8.9 mandates monitoring and reviewing network configurations to detect and prevent data exfiltration. | 70% |
| T1486 | Data encryption for impact (e.g., ransomware) can succeed if system configurations lack robust backup, recovery, or access controls. ISO27001 A.8.9 requires secure configurations to mitigate the impact of such attacks. | 80% |

Defending mitigations · 7

| Mitigation | What it does | Confidence |
| --- | --- | --- |
| M1038 | Security Policy Enforcement directly implements ISO27001 A.8.9 by ensuring configurations adhere to defined security policies, preventing deviations that could introduce vulnerabilities. | 95% |
| M1040 | Vulnerability Scanning identifies misconfigurations in hardware, software, services, and networks. This directly supports the 'monitored and reviewed' aspect of ISO27001 A.8.9, enabling proactive remediation. | 90% |
| M1017 | User Account Management involves configuring user privileges and access controls securely. This aligns with ISO27001 A.8.9's requirement for secure configurations to prevent unauthorised access and privilege escalation. | 85% |
| M1028 | Operating System Configuration directly addresses the secure establishment, documentation, and review of hardware and software configurations as mandated by ISO27001 A.8.9. | 95% |
| M1031 | Network Segmentation limits the impact of a compromised system due to misconfiguration. While not directly configuring a system, it is a network configuration strategy supporting the intent of ISO27001 A.8.9. | 80% |
| M1047 | Audit mechanisms monitor configuration changes and adherence to baselines. This directly supports the 'monitored and reviewed' requirement of ISO27001 A.8.9, ensuring configuration integrity. | 90% |
| M1051 | Software Configuration directly addresses the secure establishment, documentation, and review of software and service configurations as mandated by ISO27001 A.8.9. | 95% |

Underlying weaknesses · 6

| CWE | Why it persists | Confidence |
| --- | --- | --- |
| CWE-264 | Improper permissions, privileges, and access controls are common configuration weaknesses. ISO27001 A.8.9 requires secure configurations to prevent these, ensuring proper access management. | 90% |
| CWE-312 | Cleartext storage of sensitive information is a critical configuration flaw. ISO27001 A.8.9 mandates secure configurations for software and systems to prevent such insecure data handling. | 85% |
| CWE-522 | Insufficiently protected credentials result from weak security configurations. ISO27001 A.8.9 requires secure configurations for credential management, preventing this weakness. | 90% |
| CWE-668 | Exposure of resources to the wrong sphere (e.g., a public network) is a configuration error. ISO27001 A.8.9 mandates secure network and service configurations to prevent unintended resource exposure. | 85% |
| CWE-732 | Incorrect permission assignment for critical resources is a direct configuration weakness. ISO27001 A.8.9 requires establishing and reviewing configurations to ensure correct permissions are set. | 90% |
| CWE-200 | Exposure of sensitive information to an unauthorised actor often stems from misconfigurations. ISO27001 A.8.9 mandates secure configurations to limit information disclosure and protect sensitive data. | 80% |

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0202 compute · voice-rubric self-validated · 1 hallucination(s) dropped at validation