Why Changes May Soon be Required to ISO 27001 Password Management Policies

Most accredited organizations' ISO 27001 password management policies are based on the 2013 version of the standard for information security management systems. However, with new controls about to be announced in an updated version of ISO 27001, it may be necessary to amend existing policies to reflect the new controls.

If your organization is ISO 27001 accredited, the accreditation is based on the 2013 version of the information security management system standard. However, over the past few years, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have been working on an updated version which is due to be published in October.

There are some significant changes planned in ISO 27001:2022 – not least that the fourteen control domains in Annex A (A.5 to A.18) are being compressed into just four domains – Organizational Controls (A.5), People Controls (A.6), Physical Controls (A.7), and Technological Controls (A.8). There are also 11 new controls, 23 renamed controls, and 24 merged controls.

As a result, the current controls are being reassigned to new domains – some with their existing names, some renamed, and others merged with other existing controls to create a new control. For example, in the context of ISO 27001 password management policies, most password management policies are based on the Access Control in Section 9 of Annex A. However:

  • 9.2.1 “User registration and de-registration” is moving to Organizational Controls (A.5.16).
  • 9.4.2 “Secure login procedures” is changing name to “Secure Authentication” and moving to Technological Controls (A.8.5).
  • 9.2.4 “Management of secret authentication information of users”, A.9.3.1 “Use of secret authentication methods”, and A.9.4.3 “Password management system” are merging into one control – “Authentication information” – and moving to Technological Controls (A.5.17).

How Will This Affect ISO 27001 Password Management Policies?

As accredited organizations have to comply with all controls of ISO 27001 to obtain certification, reassigning controls to new domains is not going to make any difference to the content of existing policies. However, changes may have to be made to existing password management policies to account for the new controls introduced in ISO 27001:2022. In particular:

  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities

It may also be necessary for organizations with ISO 27001 password management policies to implement a more advanced password manager. While many password managers have the capabilities to cope with the existing access controls, some lack features that make them suitable for business continuity or monitoring user activity, particularly in regulated industries.

Organizations that need to change password managers should evaluate those with mechanisms for importing existing passwords and other credentials stored in password manager vaults. Bitwarden is a good example of a password manager with both the capabilities to support revised ISO 27001 password management policies and import data from an existing solution.

Changes Should Not be Left Until the Last Minute

Certified organizations will have three years from the publication of ISO 27001:2022 to update ISO 27001 password management policies and information security management systems; however, it is not a good idea to leave the changes until the last minute. One of the advantages of being ISO 27001 accredited is that it gives customers peace of mind that the accredited organization takes data security seriously.

Any organization that is still advertising an accreditation based on a 2013 standard when others are advertising a 2022 accreditation may find they miss out on the benefits of accreditation due to the perception that their security practices are almost a decade out of date. Therefore, it is recommended organizations review the new version of ISO 27001 when it is published, assess where changes need to be made, and seek professional help if required.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news