GRCWatch
Sign inStart free trial

PR.IP-1: Baseline Configuration Management

Baseline configuration management is the foundation of a secure IT environment. Without documented, approved baselines incorporating least functionality principles, your systems become inconsistent, vulnerable, and impossible to audit. This control requires you to establish and maintain secure baseline configurations for all IT and industrial control systems.

What this means

This control requires organizations to create and continuously maintain baseline configurations for information technology and industrial control systems. A baseline configuration is a documented, approved standard setup that incorporates security principles—particularly the concept of least functionality, meaning systems run only essential services and have unnecessary features disabled. This baseline serves as the source of truth for what a 'secure' system looks like in your environment, enabling you to detect unauthorized changes, manage system drift, and ensure consistent security posture across your infrastructure.

How to comply

  1. 1.Document baseline configurations for each system type (servers, workstations, network devices, IoT/ICS) with security controls embedded
  2. 2.Apply least functionality principle: disable unused ports, services, protocols, and software before deployment
  3. 3.Implement version control for all baseline configurations with approval workflows and change tracking
  4. 4.Deploy baseline configurations consistently across all systems using configuration management tools
  5. 5.Conduct regular audits to detect configuration drift and document authorized deviations
  6. 6.Maintain an inventory of all systems with their assigned baseline configuration and current status
  7. 7.Establish a change management process that requires baseline updates to follow the same approval workflow
  8. 8.Test baseline configurations in non-production environments before enterprise rollout

Evidence auditors look for

  • Baseline configuration documentation for each system class (e.g., Windows Server 2022 Standard, Ubuntu 22.04 LTS, Cisco IOS XE) stored in version control with approval dates
  • Configuration management tool reports (Ansible, Terraform, Chef, Puppet) showing deployed baseline states across all systems
  • Security hardening checklists or benchmark standards applied to baselines (CIS Benchmarks, DISA STIGs)
  • Audit logs from configuration management tools showing when baselines were applied and by whom
  • Configuration drift detection reports showing systems in or out of compliance with baseline standards
  • System inventory spreadsheet or CMDB entries linking each asset to its baseline configuration version
  • Change control records documenting authorized baseline modifications with business justification and approval
  • Screenshots or exports from configuration validation tools confirming least functionality implementation (disabled services, closed ports)

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates baseline configuration tracking and drift detection by continuously monitoring your systems against approved baselines, flagging deviations, and maintaining an audit-ready configuration inventory—eliminating manual spreadsheets and reducing remediation time from weeks to days.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PR.IP-3 (Configuration Change Management)ID.AM-2 (Software Inventory)DE.CM-1 (Network Monitoring)DE.CM-7 (Monitoring for Unauthorized Activity)