# ISO/IEC 27001:2022 Annex A Access Control: Password Policy Requirements
ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). Annex A controls 5.15 (Access Control) and 5.17 (Authentication Information) contain the password-specific requirements an organisation must implement to achieve certification.
## Relevant Annex A Controls for Passwords
| Control | Title | Password Relevance |
|---|---|---|
| 5.15 | Access Control | Who can access what, password-protected access levels |
| 5.16 | Identity Management | Unique user IDs — no generic admin accounts |
| 5.17 | Authentication Information | Password policy management, rotation, reset process |
| 5.18 | Access Rights | Review and revoke access for leavers |
| 8.5 | Secure Authentication | Technical controls for authentication |
## What ISO 27001:2022 Requires for Passwords
### Control 5.17 — Authentication Information
This is the primary control governing passwords. The standard requires:
- Secret storage: Passwords must be hashed and salted, never stored in plaintext
- Transmission security: Passwords must be encrypted in transit
- Initial passwords: Temporary passwords must be changed on first use
- No hardcoded passwords: Application code must not contain embedded credentials
- Password reset: Must verify identity before allowing reset
- Default passwords: Must be changed before system deployment
### Control 8.5 — Secure Authentication
For systems handling sensitive information, the standard adds further requirements:
- Multi-factor authentication for remote access and privileged accounts
- Strong authentication mechanisms (beyond simple passwords)
- Session timeout after inactivity
- Failed attempt logging and alerting
## Interpretive Guidance for Auditors
ISO 27001:2022 doesn't specify exact password length or complexity (unlike PCI-DSS or NIST). Instead, it requires that you define and document your organisation's password policy based on risk assessment.
What auditors look for:
| Audit Item | Expectation |
|---|---|
| Documented password policy | ✅ Must exist and be approved by management |
| Policy aligned to risk | ✅ Policy should reference the ISO risk assessment |
| Technical enforcement | ✅ Active Directory/IdP must enforce the policy |
| Password storage | ✅ Hashed + salted, no plaintext |
| Training evidence | ✅ Users must be trained on the policy |
| Regular review | ✅ Policy reviewed at least annually |
## Recommended Password Policy for ISO 27001 Compliance
Here's a policy template that passes most ISO 27001 audits:
```yaml
password_policy:
  minimum_length: 12 characters
  complexity: optional (no mandatory character types)
  maximum_age: none (only change on compromise)
  history: last 5 passwords remembered
  lockout: 5 failed attempts = 15-minute lockout
  storage: bcrypt or Argon2 hashed
  transmission: TLS 1.2+ for all auth requests
  default_passwords: must change within 24 hours of deployment
  sharing: prohibited
  resets: verified identity before reset, new password different from old
  review: annual policy review and risk reassessment
```
## Common ISO 27001 Audit Findings
- Shared accounts without compensating controls (most common finding)
- No password policy document approved by management
- Service accounts with non-expiring, never-changed passwords
- Default passwords still active on network equipment
- No failed login monitoring or response process
## Integration with Other Standards
ISO 27001:2022 maps well to NIST SP 800-53 and CIS Controls. If you're already compliant with NIST guidance, you're 80% of the way to ISO 27001 password compliance.
Bottom line: ISO 27001 doesn't dictate exact password rules but requires a documented, risk-based policy that's technically enforced and regularly reviewed. Document, train, monitor, repeat.