ISO 27001 compliance question

Hi

I would like someone to clarify whether the implementation guidance in 27002 is mandatory? Specifically, looking at password management systems, 27002 states that the system should “force users to change their passwords at first log on” whereas the 27001 standard itself does not.

if I am conducting an audit and forcing users to change password at first log on does not happen, is this a non-conformance or not?

Thanks!

Find more posts tagged with

ISO27001 Foundation

ISO Certification

Comments

Info_Sec_Wannabe

Compliance with the control requirements defined in ISO 27002 is not mandatory. It is, however, intended as a guide for implementing good security practices to support the organization's ISMS (particularly on the Annex A controls).

It depends. If you have it defined as part of your policy or standard, it might qualify as an observation or minor non-conformity. If not, it would be an opportunity for improvement at best. IMHO.

Quick Links

All Categories
Recent Posts
Activity
Unanswered
Groups
Best Of