Password management
Answer:
In accordance with control 9.4.3 Password management system of ISO 27002:2013 (or A.9.4.3 in Annex A of ISO 27001:2013), you should enforce regular password changes, and changes as needed (but the frequency is not established in the standard). So, you can establish the frequency that you want. However, you should define the frequency based on the results of the risk assessment related to your IT system: if the risks are very high, you might set the frequency to 1 month; if they are high, the frequency might be 3 or 6 months; if the risks are low, then every 1 or 2 years.
By the way, we have a template that you can use as a Password Policy; you can see a free version of this document by clicking on the “Free demo” tab here, “Password Policy”: https://advisera.com/27001academy/documentation/Password-Policy/
And our online course may also be interesting for you, “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
Feb 23, 2016