
Arguments for control adoption

Guest user Created:   Jan 31, 2019 Last commented:   Jan 31, 2019


I'm considering buying the Password Policy but I'd like to know if it can help me before I buy it!

Expert
Rhand Leal Jan 31, 2019

I have a specific reason to want advice. I've bought 4 or 5 items from you guys now and they are all excellent, but the reason for looking at this one is because the other staff in the organisation are pushing back on the effects it's having on them for convenience reasons. So they are not happy with having to remember their passwords - understandable, of course; it would be more convenient to rely on a browser remembering them or to use a simple password that doesn't expire, etc.
ISO 27001 requires us to have a password policy or access policy which applies risk treatment, but I am looking for something to back up my argument that we need real control measures specifically about web browsers storing password information, and I was really hoping your standard document would have some kind of concrete best practice for me to produce as a compelling case to do that. It's a very specific question, I know, and I really appreciate any advice on it.

PS. I must say the Internal Audit Procedure document I downloaded from you guys was the best value. Actually, my query was really focused on internet browsers saving passwords – in the free trial version I can't see whether you guys make reference to that, but perhaps it's implied by "files containing passwords must be stored separately from the application's system data"?

Answer:

To back up your argument about a password policy to people who are uncomfortable with it, you should seek:
- the results of your risk assessment about the impacts of risks related to information compromise by means of weak or misused passwords.
- clauses related to contracts with customers or suppliers demanding the use of a password policy and the consequences of not fulfilling such clauses.
- clauses related to laws or regulations your organization must comply with demanding the use of a password policy and the consequences of not fulfilling such clauses.

With this information you can show them the potential impacts the organization is exposed to if they do not handle passwords properly.

For example, the compromise of customer information due to lack of care with passwords can lead to heavy fines considering EU GDPR (the fine can be up to 4% of the revenue, which might mean millions of dollars). This may be an argument strong enough to support the adoption of a password policy.

This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
