
Ensuring Strong Authentication: User Responsibilities Under ISO 27701

Proper and secure authentication procedures are the backbone of most general and topic-specific access policies, whether they relate to PII or information, assets and data in general.

Easily guessable and poorly constructed passwords are low-hanging fruit for would-be cybercriminals seeking to gain access to an organisation’s PII, which is usually either ransomed back, used as reputational fodder or sold on the dark web to the highest bidder.

Users need to adhere to a strictly enforced password policy that covers generation, distribution and password construction, and that makes use of available authentication technology (SSO, password vaults).

What’s Covered in ISO 27701 Clause 6.6.3

ISO 27701 6.6.3 features just one sub-clause, which contains amalgamated guidance from ISO 27002 that outlines how organisations should approach authentication security:

  • ISO 27701 6.6.3.1 – Use of secret authentication information (References ISO 27002 Control 5.17)

There are no UK GDPR citations to consider, nor does ISO provide any PIMS or PII-specific guidance points to adhere to.

ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

ISO 27701 Clause 6.6.3.1 – Use of Secret Authentication Information

References ISO 27002 Control 5.17

Issuing and Managing Authentication Information

Authentication details should be distributed and managed so that:

  • Automatically generated authentication information (passwords etc.) is kept secret from anyone not authorised to use it, is not guessable and is managed in a way that forces the user to change it after initial login.
  • Before issuing or replacing authentication details, procedures are put in place to verify the identity of the individual who requires them.
  • Appropriate secure channels are used to transmit authentication details (i.e. not via email).
  • After the details have been successfully communicated to whoever needs them, the user(s) acknowledge receipt in a timely manner.
  • Any vendor-provided authentication information (such as the default username and password on routers and firewalls) is changed upon receipt.
  • Records are kept of relevant authentication events – especially regarding the initial allocation and subsequent administration of authentication details.

All personnel who use organisational authentication information should ensure that:

  • All authentication details are kept strictly confidential.
  • If authentication details are either compromised, viewed or shared by anyone other than the original owner, such details are changed immediately.
  • Any passwords are created and/or generated in line with the organisation’s password policy, and passwords are unique across various different platforms (i.e. domain passwords are not the same as cloud service passwords).
  • Contracts of employment contain an explicit requirement to follow company password policy (see ISO 27002 control 6.2).

Password Management Systems

Organisations should consider implementing a password management system (specialised password control applications) that:

  • Caters for users who need to change any password that they use.
  • Is programmed to reject passwords that fall outside of best practice guidelines.
  • Forces users to change their system-generated password after they use it for the first time.
  • Does not permit the continued use of old passwords, or of similar phrases and alphanumeric combinations.
  • Hides passwords while they are being entered.
  • Stores and sends password information in a secure manner.
  • Caters for password encryption and similar encryption techniques (see ISO 27002 control 8.24).

Password Data

To safeguard PII and improve organisational privacy protection efforts, passwords should follow four guiding principles:

  • Passwords shouldn’t be constructed around guessable or biographic information.
  • Passwords shouldn’t contain any recognisable words, in place of random alphanumeric characters.
  • Special characters should be used to increase password complexity.
  • All passwords should have a minimum length (ideally 12 characters).
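The checks a password management system would apply to enforce the four principles above, together with the reuse and similarity rules from the previous list, can be expressed as a single policy function. The code below is an added example, not part of the page or of any ISMS.online product; the word list, user profile and similarity threshold are constructed assumptions, and similarity is only checked against the password the user types at change time so that no plaintext history needs to be stored.

```python
import difflib
import hashlib
import re
import string

MIN_LENGTH = 12          # the page's recommended minimum
SIMILARITY_LIMIT = 0.75  # assumed threshold; at or above this a change is "too similar"

# Constructed sample word list; a deployment would load a full dictionary file.
COMMON_WORDS = frozenset({"password", "welcome", "summer", "company", "admin", "letmein"})


def history_hash(password: str) -> str:
    # Exact reuse is checked against stored hashes, never stored plaintext. A fixed
    # salt keeps this self-contained; a real store would use its own per-record hash.
    return hashlib.sha256(b"history-salt:" + password.encode()).hexdigest()


def check_password(candidate, profile, history_hashes=(), current_password=None):
    """Return the list of policy violations (an empty list means acceptable).

    profile          -> biographic values for the user (name, username, birth year ...)
    history_hashes   -> history_hash() values of previous passwords (exact-reuse check)
    current_password -> the password being replaced, typed by the user at change time,
                        so similarity can be checked without storing any plaintext
    """
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    # Guessable/biographic data: any profile token of 4+ characters found in the password.
    for key, value in profile.items():
        if any(tok in lowered for tok in re.findall(r"[a-z0-9]{4,}", str(value).lower())):
            problems.append(f"contains biographic data ({key})")
    # Recognisable words embedded anywhere in the password.
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains recognisable word '{word}'")
    if history_hash(candidate) in set(history_hashes):
        problems.append("reuses a previous password")
    if current_password is not None:
        ratio = difflib.SequenceMatcher(None, lowered, current_password.lower()).ratio()
        if ratio >= SIMILARITY_LIMIT:
            problems.append("too similar to the current password")
    return problems
```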

Organisations should also consider the use of authentication protocols such as Single Sign-On (SSO) to improve password security, but such measures should only be considered alongside the organisation’s unique technical and operational requirements.

Relevant ISO 27002 Controls

  • ISO 27002 6.2
  • ISO 27002 8.24


Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name                    | ISO 27002 Requirement             | Associated GDPR Articles
6.6.3.1                     | Use of Secret Authentication Information | 5.17 – Authentication Information | None

How ISMS.online Helps

By adding a PIMS to your ISMS on the ISMS.online platform, your security posture remains all-in-one-place and you’ll avoid duplication where the standards overlap.

With your PIMS instantly accessible to interested parties, it’s never been easier to monitor, report and audit against both ISO 27002 and ISO 27701 at the click of a button.

All the features you need:

  • ROPA made easy
  • Built in Risk Bank
  • Secure space for DRR

Find out how much time and money you’ll save on your journey to a combined ISO 27002 and 27701 certification using ISMS.online by booking a demo.


Toby Cane

Partner Customer Success Manager

Toby Cane is the Senior Partner Success Manager for ISMS.online. He has worked for the company for close to 4 years and has performed a range of roles, including hosting their webinars. Prior to working in SaaS, Toby was a Secondary School teacher.
