IT systems have standard configurations that follow recommended hardening guidelines.
Before new systems are taken into production, they are tested for adherence to the hardening guidelines.
The standard images are tested for security vulnerabilities as part of the regular vulnerability management process and are updated accordingly.
Systems in production are periodically checked against the hardening baseline, preferably automatically, so that configuration drift is detected and corrected.
Specification
Hardening or security guidelines from the supplier are followed. If supplier guidelines are absent or insufficient, third-party guidelines should be used.
OR:
The most recent version of the CIS Benchmarks is taken into account when configuring devices or operating systems. Level 1 (L1) controls are implemented. If a control cannot be implemented for business reasons, the exclusion and the reason(s) are documented, so that a baseline check can distinguish an approved exception from an unnoticed deviation.
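The requirement to check systems against the baseline automatically, with business exclusions documented rather than silently ignored, can be implemented as a small compliance checker. The following is an added example and not part of the SURF control text or of any CIS Benchmark: the control identifiers (SSH-01 and so on), the expected values, the exclusion reason and the sample sshd_config are all constructed for illustration. Each check has one of three outcomes: pass, excluded (with the documented reason), or fail. A directive that is missing from the file counts as a failure, because relying on the daemon's default means the effective setting can change with an upgrade without anyone noticing.

```python
"""Automated hardening-baseline check with documented exclusions.

Added example, not the original page's or any project's code. The
baseline entries and exclusions below are constructed assumptions in
the spirit of CIS L1 sshd settings; they are not quoted from a benchmark.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str   # hypothetical identifier, not a real CIS number
    key: str          # sshd_config directive
    expected: str     # value the baseline requires


# Constructed baseline for the example.
BASELINE = [
    Control("SSH-01", "PermitRootLogin", "no"),
    Control("SSH-02", "PasswordAuthentication", "no"),
    Control("SSH-03", "X11Forwarding", "no"),
    Control("SSH-04", "MaxAuthTries", "4"),
]

# Documented exclusions: control id -> business reason (constructed).
# An exclusion only applies when the control actually fails; a control
# that happens to pass is reported as pass even if an exclusion exists.
EXCLUSIONS = {
    "SSH-02": "legacy batch account still needs password login; "
              "tracked for removal in change record CHG-0000 (constructed)",
}


def parse_sshd_config(text: str) -> dict:
    """Return directive -> value. First occurrence wins, as sshd itself does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip()
        settings.setdefault(key, value)
    return settings


def check_baseline(config_text: str, baseline=BASELINE, exclusions=EXCLUSIONS) -> dict:
    """Evaluate every control; result is control id -> (status, detail).

    status is "pass", "excluded" or "fail". A missing directive is a
    fail: the baseline requires explicit settings, not daemon defaults.
    """
    settings = parse_sshd_config(config_text)
    results = {}
    for c in baseline:
        actual = settings.get(c.key)
        # sshd treats keyword values such as yes/no case-insensitively.
        if actual is not None and actual.lower() == c.expected.lower():
            results[c.control_id] = ("pass", actual)
        elif c.control_id in exclusions:
            results[c.control_id] = ("excluded", exclusions[c.control_id])
        else:
            results[c.control_id] = ("fail", actual)
    return results


def is_compliant(results: dict) -> bool:
    """Compliant when nothing fails; documented exclusions are acceptable."""
    return all(status != "fail" for status, _ in results.values())


# Constructed sample input: one pass, one documented exclusion, one fail.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment for the example
Port 22
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
# MaxAuthTries is not set here, so the daemon default applies
"""

if __name__ == "__main__":
    res = check_baseline(SAMPLE_CONFIG)
    for cid, (status, detail) in res.items():
        print(f"{cid}: {status} ({detail})")
    print("compliant:", is_compliant(res))
```

Run periodically (for example from a scheduler or a configuration-management agent) and keep the exclusion table under change control: an entry there is the documented business exception the specification calls for, and anything that fails without one is configuration drift to be fixed.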
ISO 27001 & 27002:2022
A5.8,
A5.36,
A5.37
SURF information security assessment framework (SURF toetsingskader informatiebeveiliging, NBA maturity model)
SM.01 Security Baselines