I work with a multinational organisation which uses the ISO/IEC 27001 standard as the basis for its policy. I posted a question on why we should embrace Passwordless (https://www.microsoft.com/en-us/security/business/identity/passwordless), and a question came up about whether, if we are using 27001 as the base of our policy, we could really go this route.
Could you help with advice on how you read this?
Darren
ISO 27001 is a set of requirements. Many people simply look at Annex A, but if you examine clause 6.1.3 you'll see that it's valid to identify risk treatments for your risks from any source. That means not simply 27001 or 27002, but any reasonable source of technical control.
So it would be valid to use passphrases in place of passwords, passwords with another factor, a smartcard, an application that generates an OTP, etc. Passwords are simply the traditional low-tech means of authenticating users.