A baseline (security baseline) is a defined minimum security standard for the configuration of systems, applications, or networks. It specifies which settings a system must have before it may go into production.
ISO 27001 Annex A control A.8.9 (Configuration Management) requires that configurations are documented and monitored — the baseline serves as the reference document. Recognized sources for baselines include CIS Benchmarks, DISA STIGs, and BSI recommendations in IT-Grundschutz. A baseline typically covers password policies, enabled/disabled services, firewall rules, logging settings, and patch levels. Compliance scanners automatically check whether systems conform to the baseline and report deviations.
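As an added illustration of the last point (this is example code, not a real compliance scanner's code), the following checks a captured host configuration against a small baseline and reports every deviation. The baseline rules and the captured configuration are constructed for the example; real baselines (CIS, STIG) would supply the values.

```python
"""Minimal baseline compliance check: compare one host's captured
configuration against a baseline of required minimum settings and
list the deviations. Baseline values and the sample configuration are
constructed for illustration, not taken from any published benchmark."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    setting: str      # key in the captured configuration
    op: str           # eq | min | max | must_not_contain
    expected: object  # required value, bound, or forbidden set
    area: str         # baseline area the rule belongs to


# Constructed baseline covering the areas named in the text
BASELINE = [
    Rule("password.min_length", "min", 14, "password policy"),
    Rule("password.max_age_days", "max", 90, "password policy"),
    Rule("services.enabled", "must_not_contain", {"telnet", "rsh"}, "services"),
    Rule("firewall.default_policy", "eq", "DROP", "firewall rules"),
    Rule("logging.auditd", "eq", True, "logging settings"),
    Rule("patch.days_since_update", "max", 30, "patch level"),
]


def evaluate(rule, actual):
    """True if the captured value satisfies the rule; a missing value fails."""
    if actual is None:
        return False
    if rule.op == "eq":
        return actual == rule.expected
    if rule.op == "min":
        return actual >= rule.expected
    if rule.op == "max":
        return actual <= rule.expected
    if rule.op == "must_not_contain":
        return not (set(actual) & rule.expected)
    raise ValueError(f"unknown operator {rule.op!r}")


def check_baseline(config, baseline=BASELINE):
    """Return (setting, actual_value, requirement) for every failed rule."""
    return [(r.setting, config.get(r.setting), f"{r.op} {r.expected}")
            for r in baseline if not evaluate(r, config.get(r.setting))]


# Constructed capture of one host; the patch-level key is deliberately absent
SAMPLE_CONFIG = {
    "password.min_length": 8,
    "password.max_age_days": 90,
    "services.enabled": ["sshd", "telnet", "cron"],
    "firewall.default_policy": "DROP",
    "logging.auditd": True,
}

if __name__ == "__main__":
    for setting, actual, required in check_baseline(SAMPLE_CONFIG):
        print(f"DEVIATION {setting}: actual={actual!r}, required {required}")
```

Running it reports three deviations for the sample host: a password minimum length below the baseline, an enabled service the baseline forbids, and a patch-level setting that was not captured at all (treated as non-compliant rather than silently passed).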