What is ISO 27001?
Update: As of March 2025, Bitwarden is ISO 27001 certified in compliance with ISO 27001 control sets surrounding data security.
ISO 27001, an international standard, sets the foundation for creating, maintaining, and developing information security management systems (ISMS), including data management. Companies aiming to achieve ISO 27001 compliance or certification should consider adding
The
To certify as an ISO 27001 company, you must comply with 93 control sets.
The ISO 27001 certification process consists of an audit conducted by
The benefits of ISO 27001 certification and compliance
ISO 27001 certification gives organizations a competitive advantage in attracting and retaining customers because certification demonstrates robust information security controls. Certification can also attract and retain suppliers and other stakeholders concerned about how their information is managed and protected.
Even preparing for the audit process can strengthen existing ISO 27001 policies, and improve internal systems, structures, and day-to-day business processes. The risk management process can also help organizations better comply with data protection laws such as CCPA and GDPR, and avoid fines for non-compliance or loss of reputation due to an avoidable data breach.
Learn more about how your business can fortify its cybersecurity practices to pass
The ISO 27001 control sets
The 93 control sets are contained within Annex A and fall under four larger themes. To achieve ISO 27001 certification, companies need to demonstrate compliance with these controls. The categories are:
Organizational controls (37 controls)
People controls (8 controls)
Physical controls (14 controls)
Technological controls (34 controls)
The previous version of ISO 27001 included 114 controls divided into 14 categories. That version also included language governing secure log-on and password management systems.
The secure log-on control specified “access to systems and applications should be controlled by a secure log-on procedure when required by the Access Control Policy.” With a password manager, users benefit from adding another layer of security to logins, and having one place to help manage and integrate
The password management system control stated “password management systems shall be cooperative to ensure the quality of passwords.” ISO recommends using a password manager that enables users to create strong and unique passwords and offers secure sharing capabilities for collaboration.
Password managers establish password strength, enforce 2FA, and use event logs to monitor user activity: all capabilities businesses must have to meet ISO access control, protection of PII, and endpoint protection requirements.
The latest version of ISO 27001 addresses password management in Annex A 5.17. There are many additional Annex A requirements that can be met or supported by adopting a password manager. While not exhaustive, examples include:
Annex A 5.3, Segregation of duties: Conflicting duties and conflicting areas of responsibilities shall be segregated.
Annex A 5.14, Information transfer: Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.
Annex A 5.15, Access control: Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.
Annex A 5.16, Identity management: The full life cycle of identities shall be managed.
Annex A 5.17, Authentication information: Allocation and management of authentication information shall be controlled by a management process, including advising personnel on best practice handling of authentication information.
A detailed primer about this criterion lays out password recommendations with advice on managing passwords, including the ability to create secure passwords. In addition, the objective recommends that organizations avoid weak, widely used, or compromised credentials.
Given this criterion, organizations would ideally deploy a password management system that enables them to report on, and have actionable insights about, exposed, reused, weak, or potentially compromised passwords.
Annex A 5.34, Privacy and protection of personal identifiable information (PII): The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.
Annex A 8.1, User endpoint devices: Information stored on, processed by or accessible via user endpoint devices shall be protected.
Annex A 8.4, Access to source code: Read and write access to source code, development tools and software libraries shall be appropriately managed.
Annex A 8.5, Secure authentication: Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.
This objective focuses on using multi-factor authentication for logging in securely to systems. With a password manager, users benefit from adding another layer of security to logins, and also having one place to help manage and integrate two-factor authentication (2FA) for all websites that support it. The objective also highlights that passwords should be kept confidential at all times, making a strong case for a fully encrypted password vault.
Password management systems enable organizations to identify any items in their vaults with inactive 2FA.
Annex A 8.11, Data masking: Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
Annex A 8.12, Data leakage: Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
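The reporting capabilities described above (flagging weak, reused, and potentially compromised passwords, and identifying vault items without 2FA) can be illustrated with a small audit script. The following is an added example written for this page, not Bitwarden code, and it does not use any vendor's export format: the vault items, the password-strength thresholds, and the denylist of known-bad password hashes are all constructed for the demonstration.

```python
"""Vault hygiene audit (hypothetical example, not vendor code).

Flags each login item as weak, reused, compromised (present in a local
denylist of known-bad password hashes), and/or lacking 2FA, which is the
kind of actionable report Annex A 5.17 and 8.5 discussions call for.
"""
import hashlib
import math
from collections import defaultdict

# Constructed sample vault items. The field names are an assumption made
# for this example and do not correspond to any real export format.
SAMPLE_VAULT = [
    {"name": "corp-vpn",   "username": "alice", "password": "Summer2023!",       "totp": None},
    {"name": "git-server", "username": "alice", "password": "Summer2023!",       "totp": "otpauth://totp/example"},
    {"name": "payroll",    "username": "alice", "password": "x8#Lq2!vR9$mT4wZ",  "totp": "otpauth://totp/example"},
    {"name": "wiki",       "username": "alice", "password": "password",          "totp": None},
]

# Constructed stand-in for a breach corpus: SHA-1 digests of known-bad
# passwords. A real deployment would query a breach dataset instead.
KNOWN_BAD_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("password", "123456")}

# Policy thresholds chosen for this example.
MIN_LENGTH = 12
MIN_ENTROPY_BITS = 50


def estimate_entropy_bits(pw: str) -> float:
    """Rough entropy estimate: length * log2(size of character pool used)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def audit_vault(items, denylist=KNOWN_BAD_SHA1):
    """Return {item name: [flags]} for every item with at least one finding."""
    # Group item names by password so reuse across items can be detected.
    by_password = defaultdict(list)
    for item in items:
        by_password[item["password"]].append(item["name"])

    findings = {}
    for item in items:
        pw = item["password"]
        flags = []
        if len(pw) < MIN_LENGTH or estimate_entropy_bits(pw) < MIN_ENTROPY_BITS:
            flags.append("weak")
        if len(by_password[pw]) > 1:
            flags.append("reused")
        if hashlib.sha1(pw.encode()).hexdigest() in denylist:
            flags.append("compromised")
        if not item.get("totp"):
            flags.append("no-2fa")
        if flags:
            findings[item["name"]] = flags
    return findings


def summarize(findings):
    """Count how many items carry each flag, for a management-level report."""
    counts = defaultdict(int)
    for flags in findings.values():
        for flag in flags:
            counts[flag] += 1
    return dict(counts)


if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT)
    for name, flags in report.items():
        print(f"{name}: {', '.join(flags)}")
    print("summary:", summarize(report))
```

Running the script over the constructed vault reports three of the four items; only the payroll login, which has a long random password and 2FA enabled, passes clean. Comparing SHA-1 digests against a local denylist is a simplification that keeps the example offline; hashing the password before the lookup is what allows a production implementation to consult an external breach dataset without sending the plaintext.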
Did you know?
Bitwarden offers
ISO recommends using a password manager that enables users to create strong and unique passwords and offers secure sharing capabilities for collaboration.
Achieve ISO 27001 certification with the help of a password manager
A password management system supports the numerous requirements of Annex A listed above, along with many of the requirements included in the overall control sets.
Users can keep authentication information secret, apply
Organizations that use password managers establish password strength requirements, enforce
When evaluating password managers for supporting ISO 27001 certification, organizations should evaluate if the software follows enterprise-grade
Get started with Bitwarden
Interested in leveraging the Bitwarden ISO 27001-compliant password manager to help meet ISO 27001 standards for information security management systems? Start an
Case studies:
Inventory Hive, a leading property inspection and virtual tour software platform in the UK,
Both Bitwarden Secrets Manager and Bitwarden Password Manager enable
"I want to set guidelines on the password generator about how strong the password must be. That's very important right now for us to achieve the ISO 27001 certification."