
Expert Advice Community

A.9.4.3 Password Management System

Nika Created:   Jan 21, 2021 Last commented:   Jan 22, 2021

Hello Advisera, looking in more detail at A.9.4.3: what is a Password Management System? Is it just a set of rules, as described in the Access Control Policy? But then, should we describe which systems these password rules apply to, and which they do not? Or should they be general? Thank you!

Expert
Rhand Leal Jan 22, 2021

What is a Password Management System, is it just a set of rules, as described in Access Control Policy?

In the context of ISO 27001, a Password Management System is software that enforces the generation, use, and maintenance of passwords by users, according to a defined set of rules (which may be written in the Access Control Policy).

For example, the Windows operating system has a password management system where the administrator can define rules for creating passwords (e.g., a minimum number of characters, use of numbers, special characters, etc.), for periodic change of passwords, etc. Application software, such as an ERP, can also have its own Password Management System.

But then, should we describe which systems these password rules apply to, and which they do not? Or should they be general?
Thank you!

ISO 27001 does not prescribe to which systems password rules apply, so both of your suggested approaches are acceptable.

The main criteria you should consider are the results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts). By evaluating these issues, you can identify if your rules should be applied in a general way or only to specific systems.

For example, your risk assessment may identify relevant risks requiring this control only for Windows operating systems, while a contract with a customer requires that all software your organization uses to process that customer's information adopts this control.

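The answer above describes the Windows password management system as the place where an administrator sets minimum length, complexity and rotation rules. The following PowerShell script is an added example, not part of the Advisera post, showing how a practitioner would verify that a host's local password policy actually matches the rules written in an Access Control Policy. The rule values in $Policy are hypothetical; the sample secedit export is constructed for an offline dry run; the live check uses secedit.exe, which ships with Windows, and needs an elevated session.

```powershell
# Added example (not from the Advisera post). Compares a Windows host's local
# password policy, as exported by secedit.exe, against rules taken from an
# Access Control Policy. Rule values below are hypothetical.

# Hypothetical rules from an Access Control Policy.
$Policy = @{
    MinimumPasswordLength = 12    # characters
    PasswordComplexity    = 1     # 1 = complexity requirements enabled
    MaximumPasswordAge    = 90    # days; secedit writes -1 for "never expires"
    PasswordHistorySize   = 24    # previous passwords remembered
    LockoutBadCount       = 5     # failed attempts before lockout; 0 = no lockout
}

function ConvertFrom-SeceditExport {
    # Parse the [System Access] section of a secedit /export file into a hashtable.
    param([Parameter(Mandatory)][string]$Content)
    $settings = @{}
    $inSection = $false
    foreach ($line in ($Content -split "`r?`n")) {
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $settings
}

function Get-LocalPasswordPolicy {
    # Export the live local security policy (requires an elevated session).
    $tmp = Join-Path $env:TEMP 'secpol-export.cfg'
    secedit /export /cfg $tmp | Out-Null
    $settings = ConvertFrom-SeceditExport -Content (Get-Content -Path $tmp -Raw)
    Remove-Item -Path $tmp -Force
    return $settings
}

function Test-PasswordPolicy {
    # One row per rule: expected value, actual value, and whether the host complies.
    param([hashtable]$Actual, [hashtable]$Expected)
    $results = foreach ($key in $Expected.Keys) {
        $actual = $Actual[$key]
        $ok = switch ($key) {
            # Age and lockout are "at most" rules; 0 or -1 means the control is off.
            'MaximumPasswordAge' { ($actual -gt 0) -and ($actual -le $Expected[$key]) }
            'LockoutBadCount'    { ($actual -gt 0) -and ($actual -le $Expected[$key]) }
            # Length, complexity and history are "at least" rules.
            default              { ($null -ne $actual) -and ($actual -ge $Expected[$key]) }
        }
        [pscustomobject]@{
            Setting   = $key
            Expected  = $Expected[$key]
            Actual    = $actual
            Compliant = $ok
        }
    }
    return $results
}

# Constructed sample export (a weak, out-of-the-box policy), not a real host's output.
$Sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
'@

# Offline dry run on the constructed sample: every rule should report Compliant = False.
Test-PasswordPolicy -Actual (ConvertFrom-SeceditExport -Content $Sample) -Expected $Policy |
    Format-Table -AutoSize

# Against the live host (elevated session):
# Test-PasswordPolicy -Actual (Get-LocalPasswordPolicy) -Expected $Policy | Format-Table -AutoSize
```

The script only checks the local security policy of one host; on a domain member the effective settings come from the domain or fine-grained password policy, so the same comparison should be run against Get-ADDefaultDomainPasswordPolicy (ActiveDirectory module) for domain accounts. The output table maps directly to the evidence an auditor asks for under A.9.4.3: the written rule, the enforced value, and the gap between them.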