The Bitwarden Blog
How Password Management Helps Companies Achieve ISO 27001 Certification
ISO 27001, an international standard, sets the foundation for creating, maintaining, and developing information security management systems (ISMS), including data management. Companies aiming to achieve ISO 27001 compliance or certification should consider adding ISO 27001 password management to their toolset.
The International Organization for Standardization (ISO) global group develops and publishes worldwide technical, industrial, and commercial standards. The ISO 27001 standard for ISMS provides a framework for data security consisting of fourteen control sets. To achieve ISO 27001 certification, companies need to demonstrate compliance with all fourteen.
The ISO 27001 certification process consists of an audit conducted by independent certification bodies, who review company data security policies and procedures and how they are applied. The process can be a long one, but passing an ISO 27001 audit shows that your company has identified its security risks and put measures in place to protect against data breaches.
ISO 27001 certification gives you a competitive edge in attracting and retaining customers, as certification demonstrates robust information security management. Certification can also help in attracting and retaining suppliers and other stakeholders concerned about how their information is managed and protected.
Even preparing for the audit process can strengthen existing ISO 27001 policies and procedures and improve your internal systems, structure, and day-to-day procedures. The process can also help you better comply with data protection laws such as CCPA and GDPR and avoid fines for non-compliance or loss of reputation due to an avoidable data breach.
The 14 control sets are contained within Annex A of ISO 27001 and include:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
While each control set has important high-level objectives around organizational security and secure procedures, businesses should pay close attention to Annex A.9. ISO bodies refer to Annex A.9 as Access Control, but it consists of far more than just access controls. We’re focusing on A.9.4.2 Secure Log-on Procedures and A.9.4.3 Password Management System.
- A.9.4.2 Secure log-on Procedures: This objective focuses on using multi-factor authentication for logging in securely to systems. With a password manager, users benefit from not only adding another layer of security to logins but also having one place to help manage and integrate two-factor authentication for all websites that support it. The objective also highlights that passwords should be kept confidential at all times, making a strong case for a fully encrypted password vault.
- A.9.4.3 Password Management System: This objective focuses on managing passwords, including the ability to create secure passwords. Sharing passwords is discouraged, and with some password managers you can set policies that require certain criteria for creating passwords, such as minimum character length, ideally forming the basis of an ISO 27001 password policy.
The ISO 27001 standard does not mandate specific tools, solutions, or methods to control access to systems and applications. However, a password management system can help with numerous requirements of Annex A.9, and with many of the requirements included in other control sets of Annex A.
With a password manager that secures confidential information with end-to-end encryption, users can keep authentication information secret, apply password best practices such as generating strong, unique passwords, and avoid password sharing mistakes.
When evaluating password managers for supporting ISO 27001 certification, make sure you evaluate whether the software follows enterprise-grade security and compliance standards, which means end-to-end encryption with absolutely zero knowledge of your vault data or URL history.
See for yourself how you can leverage the Bitwarden ISO 27001-compliant password manager to help your company meet ISO 27001 standards for Information Security Management Systems.
Start an Enterprise free trial with Bitwarden today!
Editor's Note: This blog was originally published on Tuesday, July 20th 2021 and was updated on Friday, May 20th 2022.