Expert Advice Community

Password management

Guest user Created:   Feb 23, 2016 Last commented:   Feb 23, 2016

I have a query regarding password management in ISO 27001. What approach should we take in a password policy about changing email account passwords? Should they be changed periodically? What do you think? Please let me know.

Antonio Jose Segovia Feb 23, 2016

Answer:
In accordance with control 9.4.3 Password management system of ISO 27002:2013 (or A.9.4.3 in Annex A of ISO 27001:2013), you should enforce regular password changes and changes as needed (but the frequency is not established in the standard). So, you can establish the frequency that you want. However, you should define the frequency based on the results of the risk assessment related to your IT system: if the risks are very high, you might set the frequency to 1 month; if they are high, then the frequency might be 3 or 6 months; if the risks are low, then every 1 or 2 years.

By the way, we have a template that you can use as a Password Policy; you can see a free version of this document by clicking on the “Free demo” tab here, “Password Policy”: https://advisera.com/27001academy/documentation/Password-Policy/

And our online course may also be interesting for you, “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
