The Cookie Machine - Click here to drag window

DUMMY TEXT - Real text set in assets/js/theCookieMachine.js

Views: 20,334     Votes:  45 
Tags: passwords   password-management   iso27001  
Link: 🔍 See Original Answer on Information Security 🔗

URL: https://security.stackexchange.com/q/153596
Title: Does an ISO27001 audit require users to reveal their passwords?
ID: /2017/03/12/Does-an-ISO27001-audit-require-users-to-reveal-their-passwords_
Created: March 12, 2017
Upload: November 24, 2022    Layout:  post
TOC: false    Navigation:  false    Copy to clipboard:  false


What ISO27001 says about passwords

From (https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/) there is a summary about user passwords:

User responsibilities (subsection A.9.3)

This is a very short
subsection (with one control only) that requires you to define how the
users will keep their authentication information secret (e.g., protect
their passwords). This is usually done through some document like the
Acceptable Use Policy, which defines rules like these: do not write
the passwords down, do not disclose them to anyone, do not use the
same password in different systems, etc.

In essence if a user reveals his or her password the company fails the audit.

Importance of passwords

Your password is more important than your signature used to be in the old days. Because in the old days your signature could be forged but now days your password is invisible (in theory at least).

Your password authenticates your User ID. Your User ID gives you certain but restricted powers within areas of your company. Accounting controls require separation of duties. For example a user who approves purchase orders cannot approve receipt of goods. A user who approves receipt of goods cannot approve vendor invoices.

If a criminal (or ISO27001 auditor or IT person) had access to all three passwords they could setup a fake vendor account, setup a fake purchase order, setup fake receipt of goods and pay funds to the fake vendor account.

⇧ Automatically adjust display brightness based on sunrise and sunset Are there any default programs in Ubuntu 16.10 which take my data and pose a privacy risk?  ⇩