In order to comply with control A.8.9 Configuration management you might implement the following:
- Technology — the technology whose configuration needs to be managed could include software, hardware, services, or networks. Smaller companies will probably be able to handle configuration management without any additional tools, whereas larger companies probably need some software that enforces defined configurations.
- Organization/processes — you should set up a process for proposing, reviewing, and approving security configurations, as well as the processes for managing and monitoring the configurations. You can document those processes through Security Procedures for IT Department or a Configuration Management Procedure.
- People — make employees aware of why strict control of security configuration is needed, and train them on how to define and implement security configurations.