Professional Documents
Culture Documents
Password Policy
1 Introduction
2 Scope
This policy sets out <Short Name>’s requirements for the use of strong passwords, the
protection of those passwords, and the regular changing of those passwords.
This policy applies to all staff, including employees, contractors and interns etc. working
under the control of <Short Name>.
3 Revision History
Revision Date Record of Changes Approved By
0.0 [Date of Issue] Initial Issue
5 References
Standard Title Description
ISO 27000:2014 Information security management systems Overview and vocabulary
ISO 27001:2013 Information security management systems Requirements
ISO 27002:2013 Information technology - security Code of practice for information security
techniques controls
7 Responsibilities
Password Policy Page 1 of 4
<Short Name> Information Security Policy
The <IT Manager> is responsible for all aspects of the implementation and management of
this procedure, unless noted otherwise.
Managers and supervisors are responsible for the implementation of this policy, within the
scope of their responsibilities, and must ensure that all personnel under their control
understand and undertake their responsibilities accordingly.
8 Password Policy
You should set out your password policy below. We have provided a ‘good practice’ model
which hopefully meets most of your requirements. This document is part of your ISMS.
9 General
To ensure the continuing security and integrity of all <Short Name>’s system/access logon
accounts the following procedures and practices must be followed:
all users must ensure that their password is not divulged or shared with anyone else
all users must not write down and store their passwords within the office
passwords must not be inserted into email messages or other forms of electronic
communication
at initial setup some systems may automatically generate temporary passwords and
these should be changed at the earliest opportunity
all ICT devices which may require local logon privileges for configuration and
maintenance must have the built-in default admin (or equivalent) account password
promptly changed in line with the guidelines of this policy wherever possible
- prevent the storing of passwords in clear text or in any easily reversible form
- provide for management of specific roles and functions within a system enabling
delegation of tasks to individuals
- not contain or utilise embedded (hard-coded) passwords
users are prompted to change password at logon 7 days prior to the existing one
expiring.
- uppercase – (A-Z)
- lowercase – (a-z)
- birthdays and other personal information such as addresses and phone numbers.
use the "Remember Password" feature of applications (e.g., Internet Explorer, SAP
etc…)
12 Breaches of policy
<Short Name> will take all necessary measures to remedy any breach of this policy
including the use of our disciplinary or contractual processes where appropriate.
1 Records
Records retained in support of this procedure are listed in the ISMS Controlled Records
Register and controlled according to the Control of Management System Records
Procedure.