In the kick-off event of the APMG series on the USM Revolution, we received more live questions than we could handle online. Let's now answer Live Question 5:
ISO 27001:2022 Added Configuration Mgt as part of 93 controls. How does an organization add this process with USM if they are already certified for ISO 27001:2013?
The short answer is "You shouldn't - it's already covered." Configuration Management is not a (customer-facing) process. It is a practice. The USM process model covers all practices. Handling Configuration Management as a new process would only bring you further away from becoming a mature, customer-driven organization.
The longer answer would be "You should first set up an integrated management system to get in control of your service management activities." This service management system should then encompass the three essential components of any management system: people, process, and technology, in an integrated, maximally efficient way. The process dimension covers all service management activities in the same integrated, maximally efficient way. And because redundancy is the archenemy of efficiency, the process model should be non-redundant. Furthermore, a mature, customer-driven service strategy requires all processes to be customer-facing; otherwise you end up focusing on internal issues at the lower levels of the Value Maturity Model.
Looking at the activities involved in 'Configuration Management', we see registration/administration ("documenting") as the main, original activity. Everything else is already covered by other activities in the USM process model.
In IT, the database that is called 'CMDB' is what USM calls the MIR - the Managed Infrastructure Register - because that's what it is: a register that holds the information about the infrastructure that is managed, and that (for that reason) should be kept under control. If it's not important enough to keep it under control, it doesn't need to be registered. This makes the 'configuration documenting activity' simply an activity in the Change Management process, because that is the only process that changes the managed infrastructure. And that is exactly what USM does: the Change Management process includes an "update MIR" activity that is used for the administration of the changed infrastructure in the register.
Every other activity in ISO 27001 Annex A control A.8.9 ("Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed") is already covered:
- "establishing, implementing, and monitoring security configurations of hardware, software, services and networks" is part of Operations Management
- "documenting this infrastructure" is covered in the Change Management activity "update MIR"
- "reviewing this infrastructure" is covered in Change Management and in Risk Management
And because the Change Management process already enforces the administration of all changed infrastructure, this carries us back to the short answer: "You shouldn't - it's already covered." 🙂
This is an example of how USM makes it simpler to manage all the work of a service organization. The same reasoning applies to any activity that is part of a requirement of the ISO 27000 series, and to any service organization of any size in any line of business where ISO 27000 applies.