You'll get breached if you implement ISO 27001

Wait a second. We were told that implementing and certifying to ISO 27001 was best practice when considering benchmarks for information security.

In theory, it can be considered best practice, but only if your organization rigorously follows the governance aspects outlined in this International Standard. Let us explain.

Your opinion might differ, but it's crucial to highlight that the single most important requirement when setting up your management system for the first time is outlined in section 6 of this standard.

The organization shall define and apply an information security risk treatment process to (a) select appropriate information security risk treatment options, taking account of the risk assessment results; (b) determine all controls that are necessary to implement the information security risk treatment options chosen. NOTE 1: Organizations can design controls as required, or identify them from any source.

ISO/IEC 27001:2022, Clause 6.1.3

Let’s use the above requirement in the context of passwords. Every system and application had some form of authentication mechanism with the most common example being a username + password combo. If we take ISO 27001 at face value without applying the governance elements of section 6.1.3, this “best practice” standard states only the following:

Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.

ISO/IEC 27001:2022, A.5.17

Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.

ISO/IEC 27001:2022, A.8.5

That’s it. Those are the only requirements around “authentication”. In fact, the keyword “password” is not mentioned anywhere in the 2022 revision of ISO 27001, which actually might be forward-looking by JTC 1 since we are quickly moving to password-less authentication. In reality, technology frequently outpaces these standards as they do not receive major revisions but approximately once per decade.

For instance, an organization can meet both controls by implementing a policy specifying password requirements, such as an 8-character length using letters only and enforcing this configuration for all users. The policy does not have to address complexity, rotation, or prohibiting the use of recent passwords by the same user.

Supplemental Guidance from ISO 27002

If we look for further information, ISO 27002 says “when passwords are used as authentication information, strong passwords according to best practice recommendations are selected.” This standard goes onto to provide examples by stating not to use personal information (e.g., date of birth) or dictionary words in a password while suggesting the use of “easy to remember passphrases and try to include alphanumerical and special characters” while ensuring passwords have a minimal length.

At first glance, this seems to be basic password security, but even when considered collectively, it still raises questions. Why are we encouraging an “easy to remember passphrase”? That recommendation does not scream security.

Additionally, “alphanumerical” – in other words, a combo of letters and numbers – should not be a “try” but a must at all costs when that password is protecting unauthorized access to any system containing even the lowest levels of sensitive data.

Even if ISO 27002 had some defensible criteria, this standard is informative (i.e., guidance) only and is not required to be implemented by an organization seeking ISO 27001 certification.

However, if you were to re-read these control statements under the perspective of section 6.1.3 where the standard states controls should be applied while “taking account of the risk assessment results” then these controls inherit a completely different flavor. Now, we have to consider what these authentication mechanisms are protecting, such as the data stored within the systems being authenticated through this form of access control. If there is customer data in these systems, as an example, then an auditor can say that your organization may have met the most minimal requirements for authentication, but it failed to consider the risks of unauthorized access when designing its authentication policies and procedures.

This theme is just the tip of the iceberg. Following the risk will be a recurring theme as we delve deeper into the common pitfalls of implementing these global frameworks.

🧠 🧠 🧠 🧠 🧠 

We are all about creating awareness while poking fun. Will your team avoid the office with a 10-foot pole but is the last to leave the happy hour? This newsletter might be for them.


or to participate.