Minor Changes to ISO 27001 Password Management Controls Expected in Updated Standard

The ISO 27001 standard is being updated and the latest version is expected to be released next month. Early indications are that while the control domains will be significantly revised, only minor changes are expected for the ISO 27001 password management controls.

ISO 27001 is an international information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The objective of the standard is to help organizations better secure data by listing the requirements needed to set up an effective information security management system.

Organizations that meet the requirements of ISO 27001 can choose to be certified by an accredited certification body. Certification has the benefits of improving an organization’s reputation for data security (which can help attract new customers), reducing the number and duration of security audits and, in healthcare, limiting enforcement measures in the event of a data breach.

Alternatively, organizations that do not wish to commit to implementing a comprehensive information security management system can implement selected controls. While this means organizations will not qualify for ISO 27001 certification, the controls still help protect data from unauthorized access, educate staff about data security, and mitigate the risk of a data breach.

Existing ISO 27001 password management controls

Currently, the ISO 27001 password management controls are found in Annex A, Section 9, the “Access Control” domain. There are fourteen controls divided into four control groups in this domain:

9.1 Business requirements of access control

  • 9.1.1 Access control policy
  • 9.1.2 Access to networks and network services

9.2 User access management

  • 9.2.1 User registration and de-registration
  • 9.2.2 User access provisioning
  • 9.2.3 Management of privileged access rights
  • 9.2.4 Management of secret authentication information of users
  • 9.2.5 Review of user access rights
  • 9.2.6 Removal or adjustment of access rights

9.3 User responsibilities

  • 9.3.1 Use of secret authentication information

9.4 System and application access control

  • 9.4.1 Information access restriction
  • 9.4.2 Secure log-on procedures
  • 9.4.3 Password management system
  • 9.4.4 Use of privileged utility programs
  • 9.4.5 Access control to program source code

Due to the complexity of provisioning, managing, reviewing and adjusting user access rights, many organizations seeking to comply with the ISO 27001 password management controls implement a vault-based password manager such as Bitwarden, whose “Security and Compliance Program” is itself based on the ISO 27001 standard.

The advantages of vault-based password managers are that they work on all devices and operating systems, password policies can be applied universally, by group or per user, and each vault can be secured with 2FA. Administrators can add and remove users, apply and adjust role-based access controls (RBAC), and share passwords between authorized users securely through the password manager.

Vault-based password managers are also zero-knowledge solutions. This means that, while it is still necessary to sign a Business Associate Agreement with the vendor if ePHI is shared through the password manager, no one other than the authorized user(s) can access and view data stored in a vault without the master password and access to the 2FA authentication method.

Planned changes to ISO 27001 controls in 2022

In July 2022, an updated version of ISO 27001 – the “Final Draft International Standard” or “FDIS” – was circulated to national standards bodies for formal approval. National standards bodies will vote on the updated version by the end of September; provided the vote is in favor of the updates, ISO 27001:2022 will be published in October 2022.

Although the standard’s ten clauses only have language changes, Annex A – which contains the required controls – has been significantly revised. The fourteen control domains (A.5 to A.18) are compressed into only four control domains; there are 11 new controls, 23 controls have been renamed, and 24 controls have been merged with other controls. The four new control domains will be:

  • A.5 Organizational controls (37 controls)
  • A.6 People controls (8 controls)
  • A.7 Physical controls (14 controls)
  • A.8 Technological controls (34 controls)

Most of the existing ISO 27001 password management controls in the old access control domain (A.9) will be dispersed across the four new domains. However, some existing controls will be merged into new controls – for example, content from A.9.2.4, A.9.3.1 and A.9.4.3 will be merged into a new control, A.5.17 “Authentication information”.

Other new controls that may apply to password management (depending on whether an organization stores data in the cloud or uses activity monitoring software) include A.5.23 “Information security for use of cloud services”, A.8.12 “Data leakage prevention” and A.8.16 “Monitoring activities”. A.8.32 “Change management” may also be relevant for some organizations.

Be sure to adjust your password management controls if necessary

When the new ISO 27001:2022 standard is published, certified organizations will have three years to make the necessary changes to their information security management system in order to maintain their certification. Non-certified organizations that have implemented selected controls can continue to use the existing controls as best practices or adjust them as needed.

Password manager vendors will no doubt publish guidance on how organizations can comply with the changes to the ISO 27001 password management controls. If your organization has already deployed a password manager, sign up for the vendor’s newsletter, follow them on social media, or subscribe to their blog to keep up to date with the latest recommendations.