Expert Advice Community

Guest

Access control policy and password policy

  Quote
Guest
Guest user Created:   Jul 26, 2019 Last commented:   Jul 26, 2019

Access control policy and password policy

If we decide to have an Access Control Policy and a Password Policy - which sections of annex A of the ISO standard are relevant for each document (which reference controls out of annex A)? I’m having a hard time getting the right controls into each document. Of course you put them in each policy, but sometimes I’m able to delete one control out of the policy if I decide to have a separate policy for a specific topic. Maybe some have to exist in both documents, maybe some are enough if they’re just in one. Can you please list them quick for me for each document?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jul 26, 2019
I guess the Password Policy will be: A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3

And the Access Control Policy?

Answer: First is important to note that ISO 27001 allows flexibility for each company to decide how many documents they want to have, and what to include in those documents. Of course, you still need to have all mandatory documents, but you are free on how to create them. For further information, see: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
Additionally, controls must be kept in the documentation only if they are stated as applicable in the Statement of Applicability. The one that are not applicable on SoA must be deleted.

Considering that, if Access Control Policy and Password Policy are separated documents for your organization, the section 2 (reference documents) of each policy, regarding ISO 27001 requirements will be like this:

Section 2 of the Access Control Policy:
- ISO/IEC 27001 standard, clauses A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6, A.9.4.1. (you need to delete controls A.9.2.4, A.9.3.1, and A.9.4.3)
- All other references must be kept.

Section 2 of the Password Policy:
- ISO/IEC 27001 standard, clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3
- All other references must be kept.

As you noted, controls A.9.2.1, A.9.2.2 must be kept on both documents.
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jul 26, 2019

Jul 26, 2019

Suggested Topics

Nika Created:   Jan 21, 2021 ISO 27001 & 22301
Replies: 1
0 0

A.9.4.3 Password Management System

Guest user Created:   Nov 26, 2019 ISO 27001 & 22301
Replies: 3
0 0

Risk Assessment

Guest user Created:   Nov 19, 2019 ISO 27001 & 22301
Replies: 1
0 0

ISO 27000 definition