What to Know About the ISO 27001 Password Policy

October 08, 2024

ISO 27001 is an internationally recognized standard for managing sensitive company data, and it involves several key elements. Many organizations wonder about the ISO 27001 password policy. While the framework doesn’t have a specific, prescriptive policy around passwords, it does offer some critical guidelines for access control and authentication. 

What Are the Password Rules for ISO 27001?


ISO 27001 password guidelines outline a few measures to protect information. Annex A.9 specifically deals with access controls, which help ensure that only authorized parties gain access to restricted services. For example, whenever users are registered or de-registered, businesses are required to go through a formal process to update the system accordingly. 

Annex A.9.4.3 covers password management systems and encourages organizations to enforce strong password policies through practices such as:

  • Using a minimum password length and complexity
  • Setting a password expiration period
  • Creating a password history database to avoid reusing old passwords
  • Ensuring password protection during transmission and storage

ISO ultimately leaves a lot of discretion up to organizations. It’s important to consider your specific business rules, policies, and parameters when deciding how to manage passwords. 

How to Align Your Password Policy With ISO 27001 

Considering the amount of flexibility ISO grants when it comes to password policies, it can be hard to know where to start. Here are some tips for aligning with ISO 27001 best practices. 

Enforce Strong Password Complexity Requirements

For most of us, the importance of creating strong passwords has been hammered into our heads from an early age. Strong, secure passwords are especially critical when it comes to ISO 27001 compliance. There are a few rules to follow when creating passwords, namely that they should include both upper and lower case letters, numbers, and special characters. Avoid predictable patterns (e.g., 1-2-3-4) and information that is easy to find out, such as names and birthdays.

To create a strong ISO 27001 password policy, you should also consider setting a minimum password length. CISA recommends using passwords that are at least 16 characters long and contain a string of mixed-case letters, numbers, and symbols. 
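The A.9.4.3 practices listed earlier and the complexity rules in this section can be expressed as a single validation routine. The following is an added example, not code from the article or from Compyl: it enforces the 16-character minimum cited above, the four character classes, a check for predictable runs such as 1234 or abcd, a check against user-supplied personal terms, and a password-history check that stores only salted PBKDF2 digests so the history database never holds reusable passwords. The history depth (12), the PBKDF2 iteration count, the violation codes, and the `UserAccount`/`PasswordRecord` structures are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Policy parameters. MIN_LENGTH follows the CISA figure cited in the article;
# HISTORY_DEPTH and PBKDF2_ITERATIONS are constructed values for this example.
MIN_LENGTH = 16
HISTORY_DEPTH = 12
PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly; tune upward in production


@dataclass
class PasswordRecord:
    """A previous password, kept only as a salted PBKDF2 digest (never in clear text)."""
    salt: bytes
    digest: bytes


@dataclass
class UserAccount:
    username: str
    personal_terms: list                          # names, birth year, etc. supplied at enrolment
    history: list = field(default_factory=list)   # PasswordRecord entries, oldest first


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _has_predictable_run(password: str, run: int = 4) -> bool:
    """True for runs such as 1234, 4321, abcd or aaaa of length `run` or more."""
    for i in range(len(password) - run + 1):
        codes = [ord(c) for c in password[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def validate_password(account: UserAccount, candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("length")
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(p, candidate) for p in classes):
        violations.append("complexity")
    if _has_predictable_run(candidate):
        violations.append("predictable")
    lowered = candidate.lower()
    terms = [account.username] + account.personal_terms
    if any(t.lower() in lowered for t in terms if len(t) >= 3):
        violations.append("personal")
    # Each history entry has its own salt, so the candidate is re-derived per entry;
    # compare_digest keeps the comparison constant-time.
    if any(hmac.compare_digest(_digest(candidate, r.salt), r.digest) for r in account.history):
        violations.append("reuse")
    return violations


def record_new_password(account: UserAccount, password: str) -> None:
    """Store the accepted password's digest in the history and trim to HISTORY_DEPTH."""
    salt = os.urandom(16)
    account.history.append(PasswordRecord(salt, _digest(password, salt)))
    del account.history[:-HISTORY_DEPTH]
```

Because the history holds only salted digests, a reuse check costs one key derivation per remembered password; keep the history depth and the iteration count in balance so the check stays responsive at login time.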

Implement Password Expiration Policies

Passwords don’t have an infinite shelf life. ISO 27001 does not dictate specific password expiration timelines, but it’s usually best to change passwords every 60 to 90 days. For systems that use multi-factor authentication (MFA), longer expiration periods may suffice, but as a rule of thumb, it’s better to be safe than sorry.

Password expiration policies help mitigate the risk of passwords being compromised. If a password is stolen, regular expiration limits the window of opportunity for exploitation. While you may be tempted to use a set-it-and-leave-it approach with your passwords, failure to update them can lead to trouble down the road. 

Limit Failed Login Attempts and Account Lockouts


We all get in a rush from time to time and may mistype our passwords. However, multiple failed login attempts should raise red flags. After a certain number of incorrect password attempts, the account should be temporarily locked and require additional verification methods to unlock.
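The lockout behaviour described above can be implemented as a small per-account state machine. The following is an added example, not code from the article or from Compyl: five failures within a 15-minute sliding window lock the account for 30 minutes, and once the lock expires the account stays closed until an additional verification step (for example MFA or a help-desk identity check) is completed. The thresholds, the `LoginGuard` class and its status strings are assumptions made for the example; the caller is expected to supply the password-check result and a timestamp.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy values for this example.
MAX_FAILURES = 5            # failures within the window that trigger a lockout
WINDOW_SECONDS = 15 * 60    # sliding window over which failures are counted
LOCKOUT_SECONDS = 30 * 60   # duration of the temporary lock


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_at: Optional[float] = None


class LoginGuard:
    """Tracks failed logins per account and enforces a temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._accounts = defaultdict(AccountState)

    def status(self, username: str, now: float) -> str:
        """'open', 'locked' (inside the lockout period) or 'verification_required' (lock expired)."""
        state = self._accounts[username]
        if state.locked_at is None:
            return "open"
        if now - state.locked_at < self.lockout:
            return "locked"
        return "verification_required"

    def attempt_login(self, username: str, password_ok: bool, now: float) -> str:
        """Process one attempt; a correct password is ignored while the account is not open."""
        status = self.status(username, now)
        if status != "open":
            return status
        state = self._accounts[username]
        if password_ok:
            state.failures.clear()
            return "authenticated"
        # Drop failures that fell out of the sliding window, then count this one.
        while state.failures and now - state.failures[0] > self.window:
            state.failures.popleft()
        state.failures.append(now)
        if len(state.failures) >= self.max_failures:
            state.locked_at = now
            state.failures.clear()
            return "locked"
        return "open"

    def complete_verification(self, username: str) -> None:
        """Reopen the account after an out-of-band identity check (e.g. MFA or help desk)."""
        state = self._accounts[username]
        state.locked_at = None
        state.failures.clear()
```

Returning the same status string whether or not the supplied password was correct means a locked account gives no feedback about password validity, and the sliding window keeps occasional mistyped passwords from ever accumulating into a lockout.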

Educate Users on Password Best Practices

Sometimes we can be our own worst enemy. No matter the technical controls you have in place, human error may be your downfall unless you invest in the right training and education. Make ongoing education a priority in your organization, focusing on topics like password security and the proper use of authentication tools.

Periodically Review and Update Your Policy

Your ISO 27001 password policy can and most likely will change over time as you discover improved security techniques. Good password policies aren’t static; they change over time to reflect organizations’ evolving needs. For that reason, it’s important to review and update your policy from time to time.

There’s no set rule for how often you should revise your policy, as so much depends on your specific security posture. For example, if you’ve noticed an uptick in phishing attacks, you might change your policy to prioritize stronger MFA protocols. By regularly revisiting your policy, you can keep your procedures up to date with the latest password best practices.

Correcting Weak Password Policies

While reviewing and updating your policy is a great way to keep your password management processes fresh, “routine maintenance” may not always be enough. If you suddenly find your password policy to be severely lacking, there are a few corrective steps you should take to immediately get back on track and comply with ISO 27001. 

Conduct a Risk Assessment

First, you need to understand your system’s vulnerabilities and where you’ve gone wrong. You can learn more about those vulnerabilities by conducting a risk assessment. Then, based on the results of your risk assessment report, you can plan for remediation. 

Develop a Remediation Plan

Your remediation plan should cover your findings from the risk report, such as improving enforcement mechanisms and using stronger authentication tools. Your remediation plan should also establish a timeline for each task and assign clear responsibilities for implementation.

Review Third-Party and Vendor Access


Don’t forget about the third-party vendors that have access to your systems. Be sure to communicate with them and ensure their password policies are up to par. Many breaches occur through compromised third-party credentials, so it’s important to talk with your vendors and make sure they’re on the same page in terms of security.

Monitor and Audit Password Usage

Once you’ve updated your policy, keep a close eye on password usage. Be on the lookout for any red flags, such as weak password creation and repeated password reset requests. Regular audits can also help facilitate ongoing compliance and help you detect any gaps in your security posture.
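One of the red flags named above, repeated password reset requests, can be turned into a detection rule over authentication logs. The following is an added example, not code from the article or from Compyl: it parses constructed key=value log lines, keeps a 24-hour sliding window of reset requests per user, and raises one alert per user when the count reaches a threshold, listing the source addresses involved so an auditor can see whether the requests came from the user's usual location. The log format, the sample lines, the threshold of three requests and the 24-hour window are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a key=value format; not taken from any real system.
SAMPLE_LOG = """\
2024-10-08T09:00:00Z event=password_reset_requested user=alice src=10.0.0.5
2024-10-08T09:05:00Z event=password_reset_requested user=alice src=10.0.0.5
2024-10-08T09:07:00Z event=login_success user=bob src=10.0.0.9
2024-10-08T09:40:00Z event=password_reset_requested user=alice src=203.0.113.7
2024-10-08T10:00:00Z event=password_reset_requested user=bob src=10.0.0.9
2024-10-09T11:00:00Z event=password_reset_requested user=bob src=10.0.0.9
2024-10-09T11:30:00Z event=password_reset_requested user=bob src=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")
RESET_THRESHOLD = 3                 # constructed: reset requests per user within the window
RESET_WINDOW = timedelta(hours=24)  # constructed: length of the sliding window


def parse_line(line: str):
    """Return (timestamp, event, user, src) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["event"], m["user"], m["src"]


def detect_reset_bursts(log_text: str, threshold=RESET_THRESHOLD, window=RESET_WINDOW) -> list:
    """Return one alert per user whose reset requests reach `threshold` within `window`."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, src) still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "password_reset_requested":
            continue
        ts, _, user, src = parsed
        q = recent[user]
        # Expire entries older than the window before counting the new request.
        while q and ts - q[0][0] > window:
            q.popleft()
        q.append((ts, src))
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "count": len(q),
                "window_end": ts.isoformat(),
                "sources": {s for _, s in q},
            })
    return alerts
```

In the sample data only alice trips the rule: bob's three requests span more than 24 hours, so the oldest one has expired from the window by the time the third arrives. The same structure extends to other audit signals the section mentions, such as policy-violation events raised at password creation time.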

Set a Strong ISO 27001 Password Policy With Compyl

ISO 27001 mandates a lot of things, but it offers a surprising amount of flexibility when it comes to password policy. Compyl can help you stay on track to achieve ISO 27001 certification and ensure effective password protocols, acting as an extension of your information security team. That way, you don’t have to manage your policies alone. To learn more about how Compyl can help you develop a robust ISO 27001 password policy, contact us today. 
