Expert Advice Community

A.9.4.3 Password Management System

  Quote
Nika Created:   Jan 21, 2021 Last commented:   Jan 22, 2021

A.9.4.3 Password Management System

Hello Advisera,

looking more detailed at the A.9.4.3.

What is a Password Management System, is it just a set of rules, as described in Access Control Policy?

But then, should we describe for which systems do these Password rules apply, and for which not? Or should they be general?

Thank you!

0 0

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jan 22, 2021

What is a Password Management System, is it just a set of rules, as described in Access Control Policy?

In the context of ISO 27001, a Password Management System is a software that enforces the generation, use, and maintenance of passwords by users, according to a defined set of rules (which may be written in the Access Control Policy).

For example, the Windows operating system has a password management system where the administrator can define rules for creating passwords (e.g., a minimal number of characters, use of numbers, special characters, etc.), for periodically change of passwords, etc. Application software, as an ERP also can have its own Password Management System.

For further information, see:

This material will also help you regarding password management system:

But then, should we describe for which systems do these Password rules apply, and for which not? Or should they be general?
Thank you!

ISO 27001 does not prescribe which systems apply password rules, so both of your suggested approaches are acceptable.

The main criteria you should consider are the results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts). By evaluating these issues, you can identify if your rules should be applied in a general way or only to specific systems.

For example, your risk assessment may identify that there are relevant risks requiring this control only for Windows operational systems, but a contract with a customer requires that all software used by your organization to process the information of this customers adopts this control.

Quote
0 1

Comment as guest or Sign in

HTML tags are not allowed

Jan 21, 2021

Jan 22, 2021