HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Minor Changes to ISO 27001 Password Management Controls Expected in Updated Standard

The ISO 27001 standard is currently being updated and the latest version is due for publication next month. The early indications are that, although the control domains will be significantly revised, there are only minor changes expected to the ISO 27001 password management controls.

The ISO 27001 standard is an international information security standard jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The aim of the standard is to help organizations better secure data by listing the necessary requirements for establishing an effective information security management system.

Organizations that meet the requirements of ISO 27001 can choose to be certified by an accredited certification body. Certification has the benefits of enhancing an organization´s reputation for data security (which can help attract new customers), reducing the number and length of security audits, and – in the healthcare industry – limiting enforcement action should a data breach occur.

Alternatively, organizations that do not want to commit to implementing a full information security management system can implement selected controls. Although this means the organizations will not qualify for ISO 27001 certification, the controls still help protect data from unauthorized access, raise awareness of data security among the workforce, and mitigate the risk of a data breach.

Existing ISO 27001 Password Management Controls

Currently, the existing ISO 27001 password management controls can be found in Subsection 9 of Annex A – The “Access Controls” domain. There are fourteen controls divided into four control groups in this domain:

9.1 Access Controls

  • 1.1 Access Control Policy
  • 1.2 Access to Networks and Network Services

9.2 User Access Management

  • 2.1 User Registration and Deregistration
  • 2.2 User Access Provisioning
  • 2.3 Management of Privileged Access Rights
  • 2.4 Management of Secret Authentication Information of Users
  • 2.5 Review of User Access Rights
  • 2.6 Removal or Adjustment of Access Rights

9.3 User Responsibilities

  • 3.1 Use of Secret Authentication Methods

9.4 Application Access Controls

  • 4.1 Information Access Restriction
  • 4.2 Secure Login Procedures
  • 4.3 Password Management System
  • 4.4 Use of Privileged Utility Programs
  • 4.5 Access Control to Program Source Code

Because of the complexity of provisioning, managing, reviewing, and adjusting users´ access rights, many organizations looking to comply with the ISO 27001 password management controls implement a vault-based password manager such as Bitwarden, whose “Security and Compliance Program” is itself based on the ISO 27001 standard.

The advantages of vault-based password managers are that they are effective across all devices and operating systems, password policies can be applied by universally, by group, or individually, and each vault can be secured with 2FA. Admins can add and remove users, apply and adjust RBACs, and share passwords among authorized users securely through the password manager.

Vault-based password managers are also zero-knowledge solutions. This means that, although it is still necessary to sign a Business Associate Agreement with the vendor if sharing ePHI through the password manager – nobody other than the authorized user(s) is able to access and view data stored in a vault without the master password and access to the 2FA authenticator method.

Anticipated Changes to the ISO 27001 Controls in 2022

In July 2022, an updated version of ISO 27001 – the “Final Draft International Standard” or “FDIS” was distributed among National Standards Bodies for formal approval. The National Standards Bodies will vote on the update version by the end of September; and provided the vote is in favor of the updates, ISO 27001:2022 will be published in October 2022.

Although the ten clauses of the standard only have language changes, Annex A – which contains the required controls – has been revised significantly. The fourteen control domains (A.5 to A.18) are being compressed into just four control domains, there are 11 new controls, 23 controls have been renamed, and 24 controls merged with other controls. The four new control domains will be:

A.5 Organizational Controls (37 Controls)

A.6 People Controls (8 Controls)

A.7 Physical Controls (14 Controls)

A.8 Technological Controls (34 Controls)

In the context of ISO 27001 password management controls, most of the existing controls in the former Access Controls domain (A.9) will be dispersed among the four new domains. However, some existing controls will be merged into new controls – for example, the content of A.9.2.4, A.9.3.1, and A.9.4.3 will be merged into a new control A.5.17 “Authentication Information”.

Other new controls that may apply to password management (depending on whether an organization saves data in the cloud or uses activity monitoring software) include A.5.23 “Info Security for Use of Cloud Services”, A.8.12 “Data Leakage Prevention”, and A.8.16 “Monitoring Activities”. A.8.32 “Change Management” may also be relevant to some organizations.

Be Sure to Adjust Your Password Management Controls as Necessary

When the new ISO 27001:2022 is published, certified organizations will have three years to make any necessary changes to their information security management system in order to maintain their accreditation. Non-certified organizations that have implemented selected controls can continue using the existing controls as best practices or adjust them as necessary.

Undoubtedly vendors of password managers will release information about how organizations can comply with the changes to the ISO 27001 password management controls; and, if your organization has already deployed a password manager, be sure to sign up to their newsletter, follow them on social media, or subscribe to their blog to keep up to date with the latest recommendations.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.