The differences between the controls in ISO 27002 and ISO 27001: the controls in ISO 27002 are named the same as in Annex A of ISO 27001. For instance, in ISO 27002 control 6.1.2 is named “Segregation of duties,” while in ISO 27001 it is “A.6.1.2 Segregation of duties.”

ISO 27001 requires management of passwords and requires having password policies. Someone in your company is interpreting this as needing to inspect all passwords in the clear to ensure that they meet the password policy. But this is a terrible way of doing this audit.

In this new era, where technology and the internet play a vital role personally and professionally, there also exists an increase in the number of cyber-attacks, so it is always advisable to limit and control access privileges. For an organization, it’s really important that its.
Hi Gary.
I’m not surprised there is conflicting advice out there concerning regular or periodic password changes: that idea is decades old, for reasons I have never fully understood or supported. It may have made sense when we were mostly using simple passwords (e.g. 6 letters) as a way to frustrate password guessers, but failed password lockouts and alarms have always been a better approach. Within the past few years, professional opinion has shifted towards using long, preferably complex passwords or pass phrases (e.g. generated and stored in password vaults), or better still multifactor authentication since we know passwords are inherently flawed. Cryptographic tokens typically generate a new code every minute or so: imagine trying to do that with passwords!
Just a few weeks back, someone from NIST (?) who was involved in standardizing the advice to enforce regular/periodic password changes admitted that, with hindsight, it was a mistake. The NIST standards are influential, even if the advice is bad. Luckily that’s a rare exception, in my experience, which is of course why the NIST standards are so influential in the first place: on the whole they are sound, excellent in fact.
Just to be clear, there is a separate issue concerning forced password change on first use, for example if a Help Desker or automated password reset routine authenticates then securely issues a new password for someone, the person should be required to choose and set their own private password as soon as practicable. This advice remains sound, I think. [I’m not clear from your email if you appreciate the distinction between this and periodic changes.]
As to your particular situation, the driver is your organization’s assessment of the associated information risks, including perhaps the risks arising from not following recommendations or requirements concerning periodic password changes if you don’t believe that is a valid approach. If the PCI-DSS requirement is firm, as you imply, noncompliance would be a problem since compliance is a contractual obligation: good luck resolving that with the PCI auditors and credit card companies, or the courts. Noncompliance is less of an issue with advisory good-practice standards, including ISO27k and NIST SP800.
Kind regards,
The Other Gary
________________________________________________
Dr Gary Hinson PhD MBA CISSP
CEO of IsecT Ltd., New Zealand www.isect.com
Passionate about information risk and security awareness, standards and metrics
www.NoticeBored.com
www.ISO27001security.com
www.SecurityMetametrics.com
You received this message because you are subscribed to the ISO27k Forum.
Thanks for taking time from your busy schedule to reply to me.
Answer: ISO 27001 does not prescribe any solution to be applied for security controls in Annex A, only objectives to be achieved. This gives organizations freedom to implement the most adequate solutions according to their context. For guidelines and recommendations about what to consider in the implementation of security controls, you should consider the ISO 27002 standard.
That said, regarding security of system passwords, service passwords, and application passwords, including passwords at administrator level, you should consider ISO 27002 recommendations for the following controls:
- Control A.9.2.3 (Management of privileged access rights): for shared administration user IDs, you should consider practices like changing passwords frequently and as soon as possible when a privileged user of these shared IDs leaves or changes job, and communicating these passwords to administrators through secure mechanisms. Besides that, all other recommendations from control A.9.3.1 (Use of secret authentication information), aimed at general users, should also be applicable to administrators.
- Control A.9.3.1 (Use of secret authentication information): when passwords need to be part of automated log-on procedures they must be properly protected (e.g., do not store passwords in plain text).
- Control A.9.4.3 (Password management system): when stored, passwords should be kept in files separated from application system data.
This article will provide you further explanation about the use of passwords:
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
These materials will also help you regarding use of passwords:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course http://training.advisera.com/course/iso-27001-foundations-course/
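Added example (not from the forum thread or from Advisera's material) that puts the three recommendations above into code: the password policy is checked at the moment a password is set, only a salted PBKDF2 hash is kept in a store separate from application data, repeated failed attempts lock the account rather than relying on periodic changes, and an auditor receives evidence of policy compliance without ever seeing a password in the clear (the point made at the top of the page). The policy values, the common-password list and the in-memory store are constructed for the example.

```python
import hashlib, hmac, os

# Constructed policy values for this example; a real policy follows the
# organization's own risk assessment and the A.9 controls named above.
POLICY = {"min_length": 12, "max_failures": 5}
COMMON_PASSWORDS = {"password", "password123", "welcome1"}  # constructed list

# Credential store kept apart from application data (A.9.4.3): an in-memory
# dict here, a separately protected file or table in practice.
CREDENTIAL_STORE = {}

def check_policy(password):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < POLICY["min_length"]:
        problems.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    return problems

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def set_password(user, password, must_change=False):
    """Enforce the policy at change time, then store only a salted hash
    plus audit facts; must_change=True marks a help-desk-issued password."""
    problems = check_policy(password)
    if problems:
        return False, problems
    salt = os.urandom(16)
    CREDENTIAL_STORE[user] = {"salt": salt.hex(), "hash": _derive(password, salt).hex(),
                              "policy_checked": True, "must_change": must_change, "failures": 0}
    return True, []

def verify_password(user, password):
    """Check against the stored hash; lock the account after repeated failures."""
    rec = CREDENTIAL_STORE.get(user)
    if rec is None or rec["failures"] >= POLICY["max_failures"]:
        return False  # unknown user or locked out
    expected = bytes.fromhex(rec["hash"])
    if hmac.compare_digest(_derive(password, bytes.fromhex(rec["salt"])), expected):
        rec["failures"] = 0
        return True
    rec["failures"] += 1
    return False

def audit_report():
    """What an auditor receives: evidence per account, never a cleartext password."""
    return {u: {"policy_checked": r["policy_checked"], "must_change": r["must_change"],
                "locked": r["failures"] >= POLICY["max_failures"]}
            for u, r in CREDENTIAL_STORE.items()}
```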
Nov 14, 2017