I was wondering if you could clear up a question for me. I have a client that says that, for the users of their cloud-based application, they need both an inactivity time-out as well as a timed session time-out to be compliant. Can you shed any light on this, as it's hard to determine what is actually required as opposed to recommended?
These terms are not used in the current ISO 27001:2013. They were used in ISO 27001:2005 (but focused on Operating Systems) - Controls A.11.5.5 Session time-out (shut down inactive sessions after a defined time) and A.11.5.6 Limitation of connection time (shut down connection after a defined time in high-risk applications), so we can think that now they are not mandatory. Anyway, if your client has implemented both controls, I think that the best is to maintain them.
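As an added illustration (not from this thread and not the ISO text itself), the two controls combined in code: a session ends either after a period of no activity (the A.11.5.5 idea) or when its total lifetime reaches a fixed limit regardless of activity (the A.11.5.6 idea), whichever comes first. The timeout values and the `Session` structure are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Tuple

IDLE_TIMEOUT = 15 * 60       # inactivity limit in seconds (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600  # maximum session lifetime in seconds (assumed value)


@dataclass
class Session:
    user: str
    created_at: float      # when the session was established (epoch seconds)
    last_activity: float   # time of the last request seen on this session
    active: bool = True


def check_session(session: Session, now: float) -> str:
    """Apply both controls; return 'ok' or the reason the session was ended.

    The absolute limit is checked first so that a session kept alive by
    constant activity still ends when the connection-time limit is reached.
    """
    if not session.active:
        return "closed"
    if now - session.created_at >= ABSOLUTE_TIMEOUT:
        session.active = False
        return "absolute_timeout"
    if now - session.last_activity >= IDLE_TIMEOUT:
        session.active = False
        return "idle_timeout"
    session.last_activity = now  # activity seen: reset only the inactivity clock
    return "ok"


def simulate(interval: float, horizon: float) -> Tuple[float, str]:
    """Drive a fresh session with one request every `interval` seconds.

    Returns (time_ended, reason). A short interval never trips the idle
    timer, so only the absolute limit stops the session; a long interval
    trips the idle timer on the first gap.
    """
    s = Session("demo", created_at=0.0, last_activity=0.0)
    t = 0.0
    while t < horizon:
        t += interval
        result = check_session(s, t)
        if result != "ok":
            return t, result
    return t, "ok"
```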