ISO 27701, Clause 6.6.3 – User Responsibilities

ISO 27701 Clause 6.6.3.1 – Use of Secret Authentication Information

References ISO 27002 Control 5.17

Issuing and Managing Authentication Information

Authentication details should be distributed and managed so that:

• Automatically-generated authentication information (passwords etc.) are kept secret from anyone not authorised to used them, aren’t guessable and are managed in a way that forces a user to change them after initial login.
• Before issuing or replacing authentication details, procedures are put in place to verify the identity of the individual who requires them.
• The correct secure channels are used to transmit authentication details (i.e not via email).
• After the details have been successfully communicate to whomever needs them, the user(s) acknowledge receipt in a timely manner.
• Any vendor-provided authentication information (such as the default username and password routers and firewalls) is changed upon receipt.
• Records are kept of relevant authentication events – especially regarding the initial allocation and subsequent administration of authentication details.

Any personnel who uses organisational authentication information should ensure that:

• All authentication details are kept strictly confidential.
• If authentication details are either compromised, viewed or shared by anyone other than the original owner, such details are changed immediately.
• Any passwords are created and/or generated in line with the organisation’s password policy, and passwords are unique across various different platforms (i.e. domain passwords are not the same as cloud service passwords).
• Contracts of employment contain an explicit requirement to follow company password policy (see ISO 27002 control 6.2).

Password Management Systems

Organisations should consider implementing a password management system (specialised password control applications) that:

• Caters for users who need to change any password that they use.
• Is programmed to reject passwords that fall outside of best practice guidelines.
• Forces users to change their system-generated password, after they use it for the first time.
• Does not permit the continued use of old passwords, or similar phrases and alphanumeric combinations.
• Hides passwords whilst they are being inputted.
• Stores and sends password information in a secure manner.
• Caters for password encryption and similar encryption techniques (see ISO 27002 control 8.24).

Password Data

To safeguard PII and improve organisational privacy protection efforts, passwords should follow four guiding principles:

• Passwords shouldn’t be constructed around guessable or biographic information.
• Passwords shouldn’t contain any recognisable words, in place of random alphanumeric characters.
• Special characters should be used to increase password complexity.
• All passwords should have a minimum length (ideally 12 characters).

Organisations should also consider the use of authentication protocols such as Single Sign-On (SSO) to improve password security, but such measures should only be considered alongside the organisations unique technical and operational requirements.

Relevant ISO 27002 Controls

• ISO 27002 6.2
• ISO 27002 8.24

Supporting Controls From ISO 27002 and GDPR

How ISMS.online Helps

How do we help?

By adding a PIMS to your ISMS on the ISMS.online platform, your security posture remains all-in-one-place and you’ll avoid duplication where the standards overlap.

With your PIMS instantly accessible to interested parties, it’s never been easier to monitor, report and audit against both ISO 27002 and ISO 27701 at the click of a button.

All the features you need:

• ROPA made easy
• Built in Risk Bank
• Secure space for DRR

Find out how much time and money you’ll save on your journey to a combined ISO 27002 and 27701 certification using ISMS.online by booking a demo.