Guest
ISO requirements for changing passwords
We are developing a “password policy” now and have a question about it. We want to add the following paragraph to the policy: all system-level passwords (e.g. root, enable, NT “Administrator”, etc.) must be changed at least every 90 days. Is this not contrary to the requirements of ISO? What are the ISO requirements or recommendations about it?
Expert
Dejan Kosutic
Oct 19, 2016
Answer:
Actually, neither ISO 27001 nor ISO 27002 prescribes the frequency of changing passwords. What ISO 27001 says is that you have to assess the risks related to access to your systems, and then, based on the potential incidents, decide what frequency would be appropriate.
Read more about this concept here: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/