Minimal Changes to ISO 27001 Password Management Controls Anticipated in Updated Standard

The latest version of ISO 27001 standard will be published next month. Although the control domains are going to be considerably changed, there are just minimal modifications anticipated to the ISO 27001 password management settings.

The ISO 27001 standard is an international data security standard collectively released by the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO). The goal of the standard is to enable companies to better protect information by listing the important requirements for building an efficient information security management system.

Companies that satisfy the ISO 27001 requirements can opt to get certification from an authorized certification body. Certification helps to improve a company´s reputation for data protection (which could help entice new clients), minimizing the number and duration of security audits, and – in the healthcare sector – restricting enforcement action in case a data breach happens.

Additionally, companies that don’t like to enforce a complete information security management system could implement selected settings. Though this means the companies won’t be eligible for ISO 27001 certification, the controls nevertheless help to keep data secure, increase awareness of information security among the employees, and mitigate the threat of a data breach.

Current ISO 27001 Password Management Controls

At this time, the ISO 27001 password management controls are in Subsection 9 of Annex A, which is The “Access Controls” domain. This domain has fourteen controls split into four control groups. Due to the intricacy of provisioning, controlling, examining, and changing users´ access rights, a lot of companies wanting to adopt the ISO 27001 password management controls use a vault-based password manager like Bitwarden with a Security and Compliance Program based upon the ISO 27001 standard.

The merits of vault-based password managers are that they are useful in all operating systems and devices, password guidelines could be employed universally, by group, or per person, and each vault could be kept secure with 2FA. Admins could add and delete users, apply and alter RBACs, and share passwords with authorized users safely using the password manager.

Vault-dependent password managers are likewise zero-knowledge solutions. What this means is that even though it is still required to enter into a Business Associate Agreement with the vendor whenever sharing ePHI via the password manager – no one besides the authorized user(s) can access and see information kept in a vault without using a master password and get access using the 2FA authenticator approach.

Expected Modifications to the ISO 27001 Controls in 2022

In July 2022, the latest version of ISO 27001 – the “Final Draft International Standard” or “FDIS” was sent out to the National Standards Bodies for official approval. The National Standards Bodies are going to vote on the latest version in late September; and if the vote supports the updates, ISO 27001:2022 is going to be released in October 2022.

Though the ten conditions of the standard just have language modifications, Annex A included the necessary controls. The fourteen control domains (A.5 to A.18) were crammed into just four control domains. 11 new controls were created, 23 controls were given other names, and 24 controls were combined with other controls. The four new control domains are as follows:

  • A.5 Organizational Controls (37 Controls)
  • A.6 People Controls (8 Controls)
  • A.7 Physical Controls (14 Controls)
  • A.8 Technological Controls (34 Controls)

In the framework of ISO 27001 password management controls, the majority of the current controls in the past Access Controls domain (A.9) are going to be distributed to the 4 new domains. Nevertheless, a number of current controls are going to be combined into new controls – for instance, the content of A.9.2.4, A.9.3.1, and A.9.4.3 will be put in control A.5.17 “Authentication Information”.

Other new controls that are applicable to password management (based on whether a company saves information online or utilizes an activity monitoring software program) consist of:

  • A.5.23 “Info Security for Use of Cloud Services”
  • A.8.12 “Data Leakage Prevention”
  • A.8.16 “Monitoring Activities”
  • A.8.32 “Change Management” might likewise be appropriate to some companies.

Modify Your Password Management Controls as Needed

When the new ISO 27001:2022 is released, certified companies can do the required changes to their data security management system in 3 years so as to keep their certification. Non-certified companies that have applied selected controls may carry on utilizing the current controls as guidelines or change them as needed.

Definitely, vendors of password managers are going to give information concerning how companies can conform to the revisions to the ISO 27001 password management controls. If your company has already implemented a password manager, make sure to subscribe to their newsletter or blog, or follow them on social media to receive updated news.