Expert Advice Community

ISO requirements for changing passwords

Guest user Created: Oct 19, 2016 Last commented: Oct 19, 2016

We are developing a “password policy” now and have a question about it. We want to add the following paragraph to the policy: all system-level passwords (e.g. Root, enable, NT “Administrator”, etc.) must be changed at least every 90 days. Is this not contrary to the requirements of ISO? What are the ISO requirements or recommendations about it?

Expert
Dejan Kosutic Oct 19, 2016

Answer:

Actually, ISO 27001 (and ISO 27002) do not prescribe the frequency of changing passwords - what ISO 27001 says is that you have to assess the risks related to access to your systems, and then, based on the potential incidents, decide what frequency would be appropriate.

Read more about this concept here: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

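The answer above leaves the rotation interval to the organisation's own risk assessment. The following Python script is an added example, not part of this thread or of any Advisera material, of what the technical side of such a decision can look like on a Linux host: it parses /etc/shadow-format records (field layout from man 5 shadow, with the "last change" field counted in days since 1970-01-01), compares each privileged account's password age against a per-account maximum that the risk assessment is assumed to have produced, and also flags accounts where the written limit is not backed by the OS-enforced maximum age. The policy table, the account names and the shadow lines are constructed for the example; the 90-day value for root mirrors the question, the rest are illustrative.

```python
"""Audit privileged-account password age against a per-account limit.

Added example, not code from the forum thread. The policy numbers and the
shadow records below are constructed sample data, not from a real system.
/etc/shadow field layout (man 5 shadow):
  name:hash:lastchange:min:max:warn:inactive:expire:reserved
lastchange and max are in days; lastchange counts from 1970-01-01.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class ShadowEntry:
    name: str
    hash: str
    lastchange: Optional[int]  # None when the field is empty (never set)
    maxdays: Optional[int]     # None when empty (no OS-enforced maximum)


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow-format lines; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            raise ValueError(f"malformed shadow record: {raw!r}")
        entries.append(ShadowEntry(
            name=fields[0],
            hash=fields[1],
            lastchange=int(fields[2]) if fields[2] else None,
            maxdays=int(fields[4]) if fields[4] else None,
        ))
    return entries


def days_since_epoch(d: date) -> int:
    return (d - date(1970, 1, 1)).days


# Hypothetical policy: maximum password age per privileged account, in days,
# as decided by the organisation's risk assessment (assumed values).
POLICY_MAX_AGE_DAYS: Dict[str, int] = {
    "root": 90,
    "admin": 60,
    "backup": 180,
}


def overdue_accounts(entries, policy, today: date) -> Dict[str, Optional[int]]:
    """Return {name: age_in_days} for policy accounts whose password is older
    than allowed; an account with no recorded change date maps to None and
    is treated as overdue, since its age cannot be shown to be within limit."""
    today_days = days_since_epoch(today)
    findings: Dict[str, Optional[int]] = {}
    for e in entries:
        if e.name not in policy:
            continue
        if e.lastchange is None:
            findings[e.name] = None
            continue
        age = today_days - e.lastchange
        if age > policy[e.name]:
            findings[e.name] = age
    return findings


def missing_system_max(entries, policy) -> List[str]:
    """Policy accounts where the OS maximum age is absent or looser than the
    written policy, i.e. the paper control has no technical enforcement."""
    return sorted(e.name for e in entries
                  if e.name in policy
                  and (e.maxdays is None or e.maxdays > policy[e.name]))


# Constructed sample, NOT a real /etc/shadow. Hashes are placeholders.
SAMPLE_SHADOW = """\
# constructed sample shadow records
root:$6$saltsalt$placeholderhash:16900:0:99999:7:::
admin:$6$saltsalt$placeholderhash::0:99999:7:::
backup:$6$saltsalt$placeholderhash:17000:0:180:7:::
daemon:*:16500:0:99999:7:::
"""


def run_audit(today: date = date(2016, 10, 19)):
    """Run both checks over the sample data for a fixed 'today' so that the
    result is reproducible (2016-10-19 is day 17093 since the epoch)."""
    entries = parse_shadow(SAMPLE_SHADOW)
    return (overdue_accounts(entries, POLICY_MAX_AGE_DAYS, today),
            missing_system_max(entries, POLICY_MAX_AGE_DAYS))


if __name__ == "__main__":
    overdue, unenforced = run_audit()
    for name, age in overdue.items():
        print(f"OVERDUE  {name}: {'no change date recorded' if age is None else f'{age} days old'}")
    for name in unenforced:
        print(f"UNENFORCED  {name}: OS max age looser than policy")
```

On a real host the script would read /etc/shadow (root only) instead of the embedded sample; the per-account limits are the output of the risk assessment the answer refers to, not something the standard supplies.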