DG-ncl
Newcomer I

A world Without Passwords

I work with a multinational organisation that uses the ISO/IEC 27001 standard as the basis for its policy. I posted a question on why we should embrace Passwordless (https://www.microsoft.com/en-us/security/business/identity/passwordless), and a question came up about whether, if we are using 27001 as the base of policy, we could really go this route.

Could you help with advice on how you read this?
Darren

2 Replies
Steve-Wilme
Advocate II

ISO 27001 is a set of requirements. Many people often simply look at Annex A, but if you examine clause 6.1.3 you'll see that it's valid to identify risk treatments for your risks from any source. That means not simply 27001 or 27002, but any reasonable source of technical control.

So it would be valid to use passphrases in place of passwords, passwords with another factor, a smartcard, an application that generates an OTP, etc. Passwords are simply the traditional low-tech means of authenticating users.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
DG-ncl
Newcomer I

Thank you for this information.