ISO 27001 compliance question
RebSec25
Member Posts: 1 ■□□□□□□□□□
Hi
I would like someone to clarify whether the implementation guidance in 27002 is mandatory? Specifically, looking at password management systems, 27002 states that the system should “force users to change their passwords at first log on” whereas the 27001 standard itself does not.
if I am conducting an audit and forcing users to change password at first log on does not happen, is this a non-conformance or not?
I would like someone to clarify whether the implementation guidance in 27002 is mandatory? Specifically, looking at password management systems, 27002 states that the system should “force users to change their passwords at first log on” whereas the 27001 standard itself does not.
if I am conducting an audit and forcing users to change password at first log on does not happen, is this a non-conformance or not?
Thanks!
Tagged:
Comments
-
Info_Sec_Wannabe Member Posts: 428 ■■■■□□□□□□Compliance with the control requirements defined in ISO 27002 is not mandatory. It is, however, intended as a guide for implementing good security practices to support the organization's ISMS (particularly on the Annex A controls).
It depends. If you have it defined as part of your policy or standard, it might qualify as an observation or minor non-conformity. If not, it would be an opportunity for improvement at best. IMHO.X year plan: (20XX) OSCP [ ], CCSP [ ]