A.8.9 Configuration Management
What is this control?
ISO 27001 control A.8.9 Configuration Management ensures that all technology configurations are managed as code in version-controlled repositories, deployed through automated CI/CD pipelines, and continuously monitored for drift. Infrastructure is defined in Terraform and stored in Azure Repos, with every change requiring pull request review. Microsoft 365 tenant configuration is versioned and deployed automatically.
User endpoint configuration is managed via Microsoft Intune Device Configuration Profiles and Security Baselines aligned with CIS benchmarks.
How to implement in Microsoft 365
Implement A.8.9 by setting up an Azure Repos repository for infrastructure code, with Terraform files defining all Azure and Azure Arc resource configurations. Store all Terraform configurations in the main branch as the authoritative desired state, with branch protection requiring PR review. Configure Azure Pipelines for IaC deployment so that each run validates Terraform syntax, produces a plan for review, and applies only approved changes with full audit logging.
Disable manual configuration by prohibiting direct Azure portal changes. Deploy Intune Configuration Profiles for OS settings, firewall, encryption, and password policy. Deploy CIS-aligned Security Baselines using the naming conventions D-I, DX-I, and DO-I.
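The gated plan/apply flow described above, as an added example that is not code from the page, Microsoft or HashiCorp. It is a POSIX shell script an Azure Pipelines job would invoke: it validates the Terraform code, turns the exit code of `terraform plan -detailed-exitcode` into a decision, fails a scheduled run on the main branch when live Azure state has drifted from the committed desired state, and applies only the reviewed plan file from main in the approved apply stage. It assumes the pipeline sets `TF_WORKDIR` (directory containing the `.tf` files) and a hypothetical `PIPELINE_STAGE` variable (`validate` for PR runs, `drift-check` for scheduled runs, `apply` for the approved run); `BUILD_SOURCEBRANCHNAME` is the built-in Azure Pipelines branch variable.

```shell
#!/bin/sh
# Added example (not from the page, Microsoft or HashiCorp): gated Terraform
# plan/apply for an Azure Pipelines job. Assumed inputs: TF_WORKDIR (path to
# the .tf files), BUILD_SOURCEBRANCHNAME (Azure Pipelines built-in) and the
# hypothetical PIPELINE_STAGE (validate | drift-check | apply).
set -eu

# Translate `terraform plan -detailed-exitcode` into a pipeline decision:
# 0 = live state matches the code, 2 = changes pending (a PR change, or drift
# when the code has not changed), anything else = plan error.
classify_plan_exit() {
  case "$1" in
    0) echo "in-sync" ;;
    2) echo "changes" ;;
    *) echo "error" ;;
  esac
}

# Apply is allowed only from main, only in the approved apply stage, and only
# when the plan actually contains changes. PR validation runs never apply.
apply_allowed() {
  branch="$1"; stage="$2"; plan_state="$3"
  [ "$branch" = "main" ] && [ "$stage" = "apply" ] && [ "$plan_state" = "changes" ]
}

# A scheduled run against unchanged code on main should find the state in
# sync; pending changes in that situation mean someone changed Azure outside
# the pipeline (for example, in the portal).
drift_detected() {
  stage="$1"; plan_state="$2"
  [ "$stage" = "drift-check" ] && [ "$plan_state" = "changes" ]
}

run_pipeline() {
  workdir="$1"; branch="$2"; stage="$3"
  planfile="$workdir/tfplan"

  terraform -chdir="$workdir" init -input=false >/dev/null
  terraform -chdir="$workdir" validate

  # Capture the plan exit code without letting set -e abort on code 2.
  if terraform -chdir="$workdir" plan -input=false -detailed-exitcode -out="$planfile"; then
    rc=0
  else
    rc=$?
  fi
  state=$(classify_plan_exit "$rc")
  echo "plan result: $state"

  if [ "$state" = "error" ]; then
    exit 1
  fi

  if drift_detected "$stage" "$state"; then
    echo "DRIFT: live Azure state differs from main; investigate before applying"
    exit 2
  fi

  if apply_allowed "$branch" "$stage" "$state"; then
    # Applying the saved plan file guarantees that what was reviewed in the
    # PR is exactly what gets applied; the pipeline log is the audit record.
    terraform -chdir="$workdir" apply -input=false "$planfile"
  else
    echo "apply skipped (branch=$branch stage=$stage state=$state)"
  fi
}

# Run the real pipeline only when a job sets TF_WORKDIR, so the functions
# above can be sourced and checked without Terraform or Azure credentials.
if [ -n "${TF_WORKDIR:-}" ]; then
  run_pipeline "$TF_WORKDIR" "${BUILD_SOURCEBRANCHNAME:-unknown}" "${PIPELINE_STAGE:-validate}"
fi
```

Wiring this into a pipeline means three jobs calling the same script: the PR job with `PIPELINE_STAGE=validate` (plan only, output attached to the review), a scheduled job on main with `PIPELINE_STAGE=drift-check` (a non-zero exit is the drift alert), and the apply job on main behind an environment approval with `PIPELINE_STAGE=apply`. Because the apply consumes the plan file produced in the same run, a change that was never reviewed cannot reach Azure through the pipeline.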
What an auditor looks for
Auditors will verify that an Azure Repos repository contains the Terraform files defining the infrastructure desired state. They will check the Azure Pipelines deployment history for PR-based change control and recorded approvals. Auditors will verify that the audit logs show no evidence of manual Azure portal configuration changes.
They will check that Intune Configuration Profiles are assigned and follow the CIS-aligned naming conventions. Auditors will verify that Intune Security Baselines for Windows 11 and iOS are assigned to device groups. They will check that device compliance in the Intune dashboard is 95% or higher.
M365 capabilities that implement this control
CIS Microsoft 365 Foundations benchmark settings for SharePoint Online
CIS Microsoft 365 Foundations benchmark settings for Microsoft Teams
CIS Microsoft 365 Foundations benchmark settings for OneDrive for Business
CIS Level 1 security baseline for Windows 11 Enterprise
CIS Level 1 security baseline for macOS
CIS Level 1 security baseline for Google Chrome
CIS Level 1 security baseline for Microsoft Edge
Azure Defender for Cloud plans (Servers, Containers, Databases) and Cloud Security Posture Management with Secure Score
MCP server authentication (Device Flow, API keys), least-privilege tool exposure, connectivity monitoring