Expert Advice Community

Password and Account Lockout Policy Requirements

Created:   Sep 02, 2017 Last commented:   Sep 04, 2017

Hi Dejan,

Let's say in a construction company they have only desktops, and the employees (95%) are mostly working on sites for months, if not years. For such a company, if I'm planning to develop a Password and Account Lockout Policy, is it practical to follow some of the best practices such as Password History=5, Maximum Password Length=45 days, account lockout threshold=3 times? When developing and implementing the policy in a way that would violate the common password & account lockout policy settings (which don't have an industry-specific best practice as such), what influence will it have when certifying to ISO 27001?

Thanks and Best Regards,
Wageesha De Alwis

Rhand Leal Sep 04, 2017

> 1 - Let's say in a construction company they have only desktops, and the employees (95%) are mostly working on sites for months, if not years. For such a company, if I'm planning to develop a Password and Account Lockout Policy, is it practical to follow some of the best practices such as Password History=5, Maximum Password Length=45 days, account lockout threshold=3 times?

Answer: Yes. ISO 27001 does not set strict rules on how to set password policies, so an organization has a great degree of freedom to define its policy as it considers appropriate. According to the standard, what you should consider when defining the details of this policy are the results of the risk assessment (e.g., whether it identifies any risks that require stricter rules), the legal requirements you must follow when defining any configuration, and top management decisions. You should note that for ISO 27001, any control implemented should be based on the results of the risk assessment, on compliance with legal requirements, or on a top management decision.

> 2 - When developing and implementing the policy in a way that would violate the common password & account lockout policy settings (which don't have an industry-specific best practice as such), what influence will it have when certifying to ISO 27001?

Answer: I'm assuming that by "common password & account lockout policy settings" you are referring to the settings your organization defined as the rules to be followed. Considering that, any development or implementation that violates this policy would be considered a nonconformity in a certification audit, and depending on the situation, this nonconformity may cause failure at the certification audit.

This article will provide you with further explanation about access control:
- How to handle access control according to ISO 27001

These materials will also help you regarding access control:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own
- Free online training ISO 27001 Foundations Course
