Get FREE 12-month access to the AI-Powered Knowledge Base worth $450
with your ISO 27001 toolkit purchase
Limited-time offer – ends June 27, 2024

Expert Advice Community

Guest

Password security and ISO 27001

  Quote
Guest
Guest user Created:   Nov 14, 2017 Last commented:   Nov 14, 2017

Password security and ISO 27001

I was stunned by upper management today and did not have an answer for them. What is ISO 27001 policy on keeping system passwords, service passwords, and application passwords. This is at the administrator Level. Obviously writing them in a “little black book” is not the answer. Is there a recommended password vault. How does other handle this issue.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Nov 14, 2017

Thanks for taking time from your busy schedule to reply to me.

Answer: ISO 27001 does not prescribe any solution to be applied for security controls in Annex A, only objectives to be achieved. This gives organizations freedom to implement the most adequate solutions according to their context. For guidelines and recommendations about what to consider in the implementation of security controls, you should consider the ISO 27002 standard.

That said, regarding security of system passwords, service passwords, and application passwords, including passwords at administrator level, you should consider ISO 27002 recommendations for the following controls:
- Control A.9.2.3 (Management of privileged access rights): for shared administration user IDs, you should consider practices like changing passwords frequently and as soon as possible when a privileged one user of these shared IDs leaves or changes job, and communicating these passwords to administrators through secure mechanisms. Besides that, all other recommendations from control A.9.3.1 (Use of secret authentication information), aimed for general users, should also be applicable to administrators.
- Control A.9.3.1 (Use of secret authentication information): when passwords need to be part of automated log on procedures they must be properly protected (e.g., do not store password on plain text)
- Control 9.4.3 (Password management system): when stored, password should be kept on files separated from application system data.

This article will provide you further explanation about use of passwords:- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

These materials will also help you regarding use of passwords:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Nov 14, 2017

Nov 14, 2017

Suggested Topics