Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
> 1 - Let's say in a Construction Company, they have only desktops and the employees (95%) are mostly working in sites for months if not years. For such a company, if I'm planning to develop a Password and Account Lockout Policy , is it practical to follow some of the best practices such as Password History=5, Maximum Password Length=45 days, account lockout threshold=3 times ?
Answer: Yes. ISO 27001 does not set strict rules on how to set password policies, so an organization has a great degree of freedom to define its policy as it considers appropriated. According to the standard, what you should consider when defining this policy details are the results of risk assessment (e.g., if it does not identify any risks that require more strict rules), legal requirements you must follow defining any other configuration, and top management decisions. You should note that for ISO 27001 any control implemented should be based on results of risk assessment, compliance with legal requirements or based on a top management decision.
> 2 - When developing and implementing the polic y in a way that would violate the common password & account lockout policy settings(which doesn't have an industry specific best practice as such), what influence will it make when certifying to ISO 27001 ?
Answer: I'm assuming that by "common password & account lockout policy settings" you are referring to the settings your organization defined as the rules to be followed. Considering that, any development or implementation that violates this policy would be considered a non conformity in a certification audit, and depending on the situation, this non conformity may cause failure at the certification audit.
This article will provide you further explanation about access control:
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
These materials will also help you regarding access control:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Comment as guest or Sign in
Sep 04, 2017