ISO27001 and Password Controls

I visit quite a number of businesses each year, and those
seeking certification to ISO27001, the information security management
standard, are rising in number.
The first step in any 27001 assignment involves a gap audit
to see how near (or far) the company is from meeting this
standard. Usually it transpires that some significant
work is required to meet this exacting standard.
To put the standard into perspective: if
ISO9001, the quality management standard, equated to a molehill, then
27001 would equate to Everest. I hope I haven't put you off!
One of the sections within 27001 deals with access control
and the part I want to cover is the control and use of
passwords. Here are some rules for passwords:
- Passwords should be complex, i.e. six characters
or more, containing at least one number, one uppercase letter and, if
possible, a non-alphanumeric character. I often
put £ in my passwords because only UK keyboards have this.
- The password should not be in a dictionary either forwards
or backwards.
- Never use Pa33w0rd (Password) or lEt m3 1n (letmein), or a
pet's or partner's name.
- Never disclose your password to anyone.
- Change your password regularly.
- Never write it down unless it is heavily disguised.
I see breaches of these rules on a regular basis including:
- Post-it notes with the password stuck to monitors or under
keyboards.
- Passwords with three characters.
- Passwords that are really obvious, like January-week 1,
which increments to January-week two and so on.
Most systems can be hacked in a relatively short time, so I
recommend that a computer should lock if more than a set number of
incorrect passwords is entered. Make it harder and more time-consuming for
the hacker.
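As an added example, not taken from the article or its author, here are the password rules above and the lockout recommendation written as a small Python checker. The word list and the pet/partner name list are constructed stand-ins, and reading each digit or symbol as a stand-in letter is my assumption about how Pa33w0rd and lEt m3 1n should be caught.

```python
import re
# Constructed stand-ins for a real word list and a list of pet/partner names (assumptions).
DICTIONARY = {"password", "letmein", "january", "welcome", "secret"}
BANNED_NAMES = {"rex", "fido", "sarah", "david"}

def _looks_like(base, words):
    """True if base spells a word once every digit/symbol is read as a stand-in letter (Pa33w0rd)."""
    pattern = re.compile("".join(c if c.isalpha() else "[a-z]" for c in base))
    return any(pattern.fullmatch(w) for w in words)

def check_password(pw, dictionary=DICTIONARY, banned=BANNED_NAMES):
    """Return (violations, warnings) against the article's rules; empty violations means it passes."""
    violations, warnings = [], []
    if len(pw) < 6:
        violations.append("fewer than six characters")
    if not re.search(r"\d", pw):
        violations.append("no digit")
    if not re.search(r"[A-Z]", pw):
        violations.append("no uppercase letter")
    if not re.search(r"[^A-Za-z0-9]", pw):
        warnings.append("no non-alphanumeric character")  # the article's 'if possible' rule
    # Lowercase and drop spaces/hyphens so 'lEt m3 1n' and 'January-week 1' compare cleanly.
    base, words = re.sub(r"[\s-]", "", pw.lower()), dictionary | banned
    if _looks_like(base, words) or _looks_like(base[::-1], words):
        violations.append("dictionary word or name, forwards or backwards")
    else:
        letters = re.sub(r"[^a-z]", "", base)
        if any(c.startswith(w) for c in (letters, letters[::-1]) for w in words if len(w) >= 4):
            violations.append("built on a dictionary word or name")  # the January-week 1 pattern
    return violations, warnings

class LockoutCounter:
    """Lock an account after `limit` consecutive failures, as the article recommends."""
    def __init__(self, limit=5):
        self.limit, self.failures, self.locked = limit, {}, set()

    def attempt(self, user, success):
        """Record one login attempt and return 'ok', 'failed' or 'locked'."""
        if user in self.locked:
            return "locked"  # refused even with the right password until an admin unlocks it
        if success:
            self.failures[user] = 0  # a success resets the consecutive-failure count
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.limit:
            self.locked.add(user)
            return "locked"
        return "failed"
```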
Let us make 2011 a more secure year for our computer
systems. Remember that the data on your system is valuable, and
its theft by others can cause a great deal of distress, if not
financial loss.
About the Author
Chris Eden FIBC, MISSA, ACQI is a director of Quality Matters
Limited, an established independent management consultancy based in
Essex, UK, which specialises in ISO27001 Information Security
Management consultancy.