ISO 27001 · 11 min read · Updated February 2025

ISO 27001 Password Requirements: Annex A.9 Explained

Annex A.9 (Access control) is where ISO 27001:2013 placed user access and password management. ISO 27001:2022 keeps the same requirements under new numbers (A.5.15 to A.5.18, A.8.2, A.8.3 and A.8.5). Here is what the standard actually requires, how the old and new numbering map, and how to implement it.

ISO 27001:2022 overview

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). It provides a framework for establishing, implementing, maintaining, and continually improving an ISMS — a systematic approach to managing sensitive information. Certification to ISO 27001 demonstrates to customers, partners, and regulators that your organisation has implemented documented and audited controls for information security.

The 2022 revision (replacing ISO 27001:2013) restructured Annex A, reducing the number of controls from 114 to 93 and grouping them into four themes: Organisational (A.5), People (A.6), Physical (A.7) and Technological (A.8). The 2013 edition's Annex A.9 (Access control) no longer exists as a heading. Its password and authentication controls now sit in A.5.15 (Access control), A.5.16 (Identity management), A.5.17 (Authentication information) and A.5.18 (Access rights) under the organisational theme, and in A.8.2 (Privileged access rights), A.8.3 (Information access restriction) and A.8.5 (Secure authentication) under the technological theme. This guide keeps the familiar A.9 numbering because most existing policies and audit checklists still use it, and gives the 2022 equivalent alongside each control.

Annex A.9 access control

The 2013 Annex A.9 controls most relevant to password management, with the ISO 27001:2022 control each one became (the mapping follows ISO 27002:2022 Annex B):

| 2013 control | Title | 2022 equivalent | Key requirement |
|---|---|---|---|
| A.9.2.1 | User registration and de-registration | A.5.16 Identity management | Formal process for granting and removing access |
| A.9.2.2 | User access provisioning | A.5.18 Access rights | Formal authorisation for access rights |
| A.9.2.3 | Management of privileged access rights | A.8.2 Privileged access rights | Separate management of privileged credentials |
| A.9.2.4 | Management of secret authentication information of users | A.5.17 Authentication information | Password management policy and controls |
| A.9.2.5 | Review of user access rights | A.5.18 Access rights | Periodic access reviews |
| A.9.2.6 | Removal or adjustment of access rights | A.5.18 Access rights | Timely revocation on role change or departure |
| A.9.3.1 | Use of secret authentication information | A.5.17 Authentication information | User obligations for credential handling |
| A.9.4.2 | Secure log-on procedures | A.8.5 Secure authentication | Authentication process controls |
| A.9.4.3 | Password management system | A.5.17 Authentication information | Technical password system requirements |

Specific password requirements

ISO 27001 does not mandate specific password lengths in the standard text. It requires organisations to implement controls that are appropriate to their risk assessment and points to ISO 27002 for implementation guidance. ISO 27002:2022 control 5.17 (Authentication information), which absorbed the 2013 control 9.4.3 (Password management system), recommends that a password management system should:

  • Enforce minimum password quality — length, character composition, and avoidance of common or guessable passwords
  • Require users to change temporary passwords on first use
  • Keep a history of previous passwords and prevent reuse
  • Not display passwords on screen during entry
  • Store password files separately from application system data
  • Store and transmit passwords in protected form only (hashed, not plaintext)
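The checks in that list, implemented as a small password management system in Python. This is an added example written for this guide, not code from ISO, ISO 27002 or PassGeni: the class and function names, the scrypt cost parameters and the three-entry breached-password set are assumptions for illustration (a real deployment would query HIBP's range API or a local copy of the corpus). It stores only salted scrypt digests, as the storage FAQ at the end of this guide requires, enforces the reuse window against that hashed history rather than against any retained plaintext, and forces a temporary password to be changed on first successful login.

```python
"""Password management system checks modelled on the ISO 27002 guidance above.

Added example for this guide, not code from ISO, ISO 27002 or PassGeni.
Names, scrypt parameters and the breached-password set are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed stand-in for a breached-password feed (HIBP or equivalent).
# A real system checks a local corpus or the HIBP range API, never this literal.
BREACHED = {"password1!", "Welcome2024!", "Summer2025!"}

# Assumed scrypt cost (16 MiB, tens of ms): fine for interactive logins; raise in production.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class PasswordPolicy:
    min_length: int = 12        # standard-user baseline from the table above
    history_depth: int = 12     # current password plus the previous eleven
    require_mixed_case: bool = True
    require_digit: bool = True
    require_symbol: bool = True

    def check_quality(self, password: str) -> list[str]:
        """Return the reasons a password fails; an empty list means it is acceptable."""
        failures = []
        if len(password) < self.min_length:
            failures.append(f"shorter than {self.min_length} characters")
        has_lower = any(c.islower() for c in password)
        has_upper = any(c.isupper() for c in password)
        if self.require_mixed_case and not (has_lower and has_upper):
            failures.append("needs both upper and lower case")
        if self.require_digit and not any(c.isdigit() for c in password):
            failures.append("needs a digit")
        if self.require_symbol and not any(not c.isalnum() for c in password):
            failures.append("needs a symbol")
        if password in BREACHED:
            failures.append("appears in breached-password list")
        return failures


@dataclass
class Account:
    username: str
    policy: PasswordPolicy
    must_change: bool = False                       # set for temporary/initial passwords
    current: tuple[bytes, bytes] | None = None      # (salt, digest) of the live password
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # older (salt, digest) pairs

    def set_temporary_password(self, password: str) -> None:
        """Issue an initial password: stored hashed like any other, flagged for change on first use."""
        self._rotate(password)
        self.must_change = True

    def change_password(self, new_password: str) -> list[str]:
        """Apply quality and reuse checks; on success store the new digest and clear must_change."""
        failures = self.policy.check_quality(new_password)
        previous = ([self.current] if self.current else []) + self.history
        # Reuse is detected by re-deriving against each stored salt; no plaintext is ever kept.
        if any(verify_password(new_password, salt, digest) for salt, digest in previous):
            failures.append(f"reused within last {self.policy.history_depth} passwords")
        if failures:
            return failures
        self._rotate(new_password)
        self.must_change = False
        return []

    def login(self, password: str) -> str:
        """Return 'ok', 'change-required' (temporary password still in use) or 'denied'."""
        if self.current is None or not verify_password(password, *self.current):
            return "denied"
        return "change-required" if self.must_change else "ok"

    def _rotate(self, password: str) -> None:
        if self.current is not None:
            self.history.append(self.current)
        self.current = hash_password(password)
        keep = max(0, self.policy.history_depth - 1)   # window = current + keep previous
        if len(self.history) > keep:
            self.history = self.history[len(self.history) - keep:]


if __name__ == "__main__":
    acct = Account("alice", PasswordPolicy(history_depth=3))
    acct.set_temporary_password("Temp-Start-9x!")
    print(acct.login("Temp-Start-9x!"))               # change-required
    print(acct.change_password("Welcome2024!"))       # ['appears in breached-password list']
    print(acct.change_password("Correct-Horse-42!"))  # []
    print(acct.change_password("Temp-Start-9x!"))     # ['reused within last 3 passwords']
```

Two design points matter for an auditor. The reuse check costs one scrypt derivation per history entry, which is the price of not keeping plaintext or fast hashes of old passwords; with a window of twelve that is still well under a second. And `login` distinguishes "change-required" from "ok" so the application can force the first-use change the guidance asks for without ever treating the temporary password as a normal credential.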

For certification purposes, auditors evaluate whether your stated password standards are appropriate for the sensitivity classification of the information being protected. None of the figures below is written into ISO 27001 or ISO 27002; they are the baselines commonly found in access control policies that pass audit, and they are what an auditor will compare your policy against:

| Setting | Common baseline |
|---|---|
| Standard user accounts | ≥ 12 characters |
| Privileged accounts | ≥ 14–16 characters |
| System and service accounts | ≥ 20 characters, randomly generated |
| Password complexity | Mixed case + numbers + symbols |
| Breached password check | Recommended (HIBP or equivalent) |
| Account lockout | After 5–10 failures; configurable |
| Session timeout | Risk-based; ≤ 30 minutes for sensitive systems |

Secret authentication information (A.9.2.4, now A.5.17)

A.9.2.4 in the 2013 edition, and A.5.17 (Authentication information) in the 2022 edition, cover the management of secret authentication information: passwords, PINs, tokens and cryptographic keys. ISO 27002 is guidance rather than a list of mandatory settings, but its recommendations for this control are what auditors test against:

  • Users should sign a statement agreeing to keep personal authentication information confidential
  • Initial passwords should be temporary, unique, and changed on first use
  • Administrators should never send passwords in plaintext; use a secure delivery mechanism
  • Passwords should not be stored in readable form anywhere in the system
  • Default vendor passwords should be changed after installation

For password managers: ISO 27002 refers to password management tools as one implementation mechanism for this control, and certification is considerably easier when an enterprise password manager is actually deployed and adopted. 1Password Business and Bitwarden Teams both provide audit logs, centrally managed policies and user adoption reporting, which serve directly as evidence for A.9.2.4 / A.5.17 and are generally viewed favourably by auditors.

User access management (A.9.2, now A.5.16 and A.5.18)

A.9.2 covers the full lifecycle of user access: provisioning, modification, and revocation. The key controls that auditors examine alongside password requirements:

  • A.9.2.1 Registration (A.5.16): Formal, documented process for creating accounts. No ad-hoc access grants; every new account needs written authorisation.
  • A.9.2.2 Provisioning (A.5.18): Access granted on least privilege, with a business justification for each grant. "Copy from existing user" is never the sole basis for access.
  • A.9.2.5 Review (A.5.18): Periodic review of who has access to what. Frequency depends on sensitivity; quarterly for privileged access and semi-annual for standard access is the usual cadence, not an ISO figure. Reviews must be documented with evidence of who performed the review and when.
  • A.9.2.6 Revocation (A.5.18): Access revoked promptly on departure or role change, against a timeline written into the offboarding procedure. The HR process must trigger the IT action.
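One way to turn those four lifecycle controls into audit evidence is a reconciliation script run over the HR roster and an account export, which yields the orphan accounts, overdue revocations and stale or undocumented reviews that Stage 2 auditors look for. This is an added example for this guide, not ISO text or any IAM product's tooling: the roster, the account list, the review cadences (90 days privileged, 180 days standard), the one-day revocation SLA and the dates are all constructed assumptions. Findings are tagged with the ISO 27001:2022 control they would be cited under (A.5.16 identity management, A.5.18 access rights, A.8.2 privileged access rights).

```python
"""Joiner/mover/leaver reconciliation that produces access-review findings.

Added example for this guide, not ISO text or any IAM product's code.
Roster, account export, cadences, SLA and dates are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed review cadence: privileged quarterly, standard semi-annually.
# These are common policy figures, not numbers from ISO 27001/27002.
REVIEW_WINDOW_DAYS = {"privileged": 90, "standard": 180}
# Assumed offboarding SLA: access revoked within one day of termination.
REVOCATION_SLA_DAYS = 1


@dataclass(frozen=True)
class HRRecord:
    person_id: str
    status: str                          # "active" or "terminated"
    termination_date: date | None = None


@dataclass(frozen=True)
class AccountRecord:
    username: str
    person_id: str | None                # None: not linked to anyone in HR
    privileged: bool
    enabled: bool
    last_reviewed: date | None
    reviewed_by: str | None              # who signed off the last review


@dataclass(frozen=True)
class Finding:
    username: str
    control: str                         # ISO 27001:2022 control to cite
    issue: str


def reconcile(hr: list[HRRecord], accounts: list[AccountRecord], today: date) -> list[Finding]:
    """Compare an account export with the HR roster and return audit findings."""
    people = {p.person_id: p for p in hr}
    findings: list[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts need no review; revocation already happened
        owner = people.get(acct.person_id) if acct.person_id else None
        if owner is None:
            # A.5.16 Identity management: every identity maps to a person or an approved owner
            findings.append(Finding(acct.username, "A.5.16", "no owner in HR roster (orphan account)"))
            continue
        if owner.status == "terminated":
            # A.5.18 Access rights: removal on departure, inside the offboarding SLA
            term = owner.termination_date
            if term is None or (today - term).days > REVOCATION_SLA_DAYS:
                findings.append(Finding(acct.username, "A.5.18",
                                        "owner terminated but account still enabled; revocation overdue"))
            continue
        tier = "privileged" if acct.privileged else "standard"
        control = "A.8.2" if acct.privileged else "A.5.18"
        window = REVIEW_WINDOW_DAYS[tier]
        if acct.last_reviewed is None or (today - acct.last_reviewed).days > window:
            findings.append(Finding(acct.username, control, f"{tier} access review older than {window} days"))
        elif not acct.reviewed_by:
            # A review with no reviewer recorded is the "done but not evidenced" finding
            findings.append(Finding(acct.username, control, "last review has no reviewer recorded"))
    return findings


# Constructed sample data (not real people or systems).
TODAY = date(2025, 2, 15)
HR = [
    HRRecord("p1", "active"),
    HRRecord("p2", "terminated", termination_date=date(2025, 1, 20)),
    HRRecord("p3", "active"),
    HRRecord("p4", "active"),
]
ACCOUNTS = [
    AccountRecord("alice", "p1", privileged=True, enabled=True, last_reviewed=date(2024, 10, 1), reviewed_by="ciso"),
    AccountRecord("bob", "p2", privileged=False, enabled=True, last_reviewed=date(2025, 1, 5), reviewed_by="mgr"),
    AccountRecord("carol", "p3", privileged=False, enabled=True, last_reviewed=date(2024, 12, 1), reviewed_by=None),
    AccountRecord("carol-adm", "p3", privileged=True, enabled=False, last_reviewed=None, reviewed_by=None),
    AccountRecord("erin", "p4", privileged=False, enabled=True, last_reviewed=date(2025, 1, 10), reviewed_by="mgr"),
    AccountRecord("svc-backup", None, privileged=True, enabled=True, last_reviewed=None, reviewed_by=None),
]

if __name__ == "__main__":
    for f in reconcile(HR, ACCOUNTS, TODAY):
        print(f"{f.username:<12} {f.control:<7} {f.issue}")
```

Run against the sample data it reports four findings: alice's privileged account has gone 137 days without review, bob's account is still enabled 26 days after his termination, carol's last review has no reviewer recorded, and svc-backup has no owner at all. The two clean cases are erin (reviewed recently, with a reviewer) and carol-adm (the dual administrator account, currently disabled, so out of scope). Keeping the script's output with the dated export it ran against is exactly the "who reviewed what, and when" evidence the control asks for.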

Privileged access management (A.9.2.3, now A.8.2)

ISO 27001 treats privileged access as a separate, higher-risk control, and auditors scrutinise it more closely than standard user access. What they expect to see:

  • Inventory of all privileged accounts — system administrators, database admins, network administrators, cloud console access
  • Privileged accounts must not be used for routine non-privileged activities — dual accounts for administrators
  • Strong, unique passwords for each privileged account — 14–20 characters, randomly generated
  • Privileged account credentials stored in a privileged access management (PAM) solution or equivalent vault
  • Regular rotation of privileged credentials — at minimum on departure of any administrator
  • All privileged access activity logged and reviewed

MFA under ISO 27001

ISO 27001:2022 added a new control, A.8.5 (Secure authentication), which absorbs the 2013 A.9.4.2 (Secure log-on procedures). Its ISO 27002 guidance recommends stronger authentication, including multi-factor authentication, wherever the risk warrants it; in practice that means privileged access and remote access at minimum, and general user access to sensitive systems.

For certification purposes, MFA is expected for:

  • All remote access (VPN, SSH, RDP)
  • All cloud infrastructure console access (AWS, Azure, GCP)
  • All privileged accounts without exception
  • Access to systems handling personal data, financial data, or other classified information

Phishing-resistant MFA (hardware FIDO2 keys) is the strongest option in practice; ISO 27002 does not mandate a particular MFA technology, so document in the risk assessment why the chosen factor suits the risk. For organisations seeking ISO 27001 and SOC 2 certification together, hardware keys for administrator accounts serve as evidence for both.

ISMS documentation requirements

ISO 27001 requires formal documentation. For access and password controls:

  1. Information Security Policy (mandatory): Top-level policy establishing the ISMS
  2. Access Control Policy: Password standards, MFA requirements, session controls
  3. User Access Management Procedure: Provisioning, modification, revocation workflows
  4. Privileged Access Management Procedure: How privileged credentials are issued, stored, rotated, and audited
  5. Risk Assessment: ISO 27001 requires a formal risk assessment. Authentication strength is a risk treatment for the credential theft risk.
  6. Statement of Applicability (SoA): Documents which Annex A controls apply to your organisation and why
  7. Access Review Records: Evidence of completed periodic access reviews

Path to certification

ISO 27001 certification requires a two-stage audit by an accredited certification body (BSI, Bureau Veritas, DNV, LRQA, etc.):

  • Stage 1 (Documentation review): Auditor reviews your ISMS documentation — policies, procedures, risk assessment, Statement of Applicability. No on-site testing.
  • Stage 2 (Certification audit): Auditor tests whether controls are actually operational. Interviews, system configuration reviews, evidence requests.

Common password-related findings in Stage 2 audits: password policies written but not technically enforced, MFA deployed but left optional, access reviews performed without retained evidence of who reviewed what and when, and privileged account passwords not rotated when an administrator leaves.

Once certified, surveillance audits occur annually and recertification every three years.

PassGeni's ISO 27001 preset enforces 14-character minimum length with full character set, aligned with the privileged access standards that ISO 27002:2022 guidance recommends. Generated credentials are cryptographically random — no dictionary words, no patterns, nothing that auditors can flag as inadequate.

Frequently asked questions

What are the ISO 27001 password requirements?

ISO 27001 itself sets no numeric password requirements; it requires controls appropriate to your risk assessment, with ISO 27002 as implementation guidance. The policy most organisations write to satisfy auditors is a 12-character minimum for standard accounts (14 or more for privileged accounts), enforced complexity, a breached-password check, no reuse within the last 12 passwords, MFA for privileged and remote access, and an immediate change on any sign of compromise.

Does ISO 27001 specify a minimum password length?

No. Neither ISO 27001 nor ISO 27002 states a number. The commonly used baselines are 12 characters for standard accounts, 14 to 16 for privileged and administrator accounts, and 20 or more randomly generated characters for service accounts. These are minimums; longer passwords are always acceptable.

Is MFA required for ISO 27001 certification?

ISO 27001 does not use the word "required", but A.8.5 (Secure authentication) and its ISO 27002 guidance point to MFA for privileged and remote access, and auditors increasingly expect MFA for all administrative accounts and any access to critical business systems. Treat it as mandatory in practice.

How does ISO 27001 handle service account passwords?

ISO 27001 does not single out service accounts. In practice their passwords should meet at least the same length and complexity as user accounts (commonly 20 or more random characters, since nobody has to type them), be stored in a privileged access management (PAM) system or vault, and be rotated on a defined schedule (quarterly is common) and whenever an administrator who had access leaves.

Can passphrases be used for ISO 27001 compliance?

Yes. ISO 27001 does not prohibit passphrases. A four- or five-word passphrase comfortably exceeds a 14-character minimum and, if the words are chosen at random rather than by the user, provides ample entropy. NIST SP 800-63B recommendations are compatible with the ISO 27001 access controls.

How often must passwords be changed under ISO 27001?

ISO 27001 does not mandate periodic rotation. Following NIST 800-63B guidance, passwords should only be changed when there is evidence of compromise. Mandatory periodic rotation is no longer considered best practice and is explicitly discouraged in current NIST guidance.

What password storage requirements does ISO 27001 impose?

ISO 27002 requires passwords to be stored and transmitted in protected form only, never in plaintext; it does not name algorithms. Current practice, and what auditors accept, is a slow, salted password hash: Argon2id, scrypt or bcrypt. MD5, SHA-1, unsalted or single-round hashes, and reversible encryption are not acceptable.

Does ISO 27001 require a written password policy?

Yes. ISO 27001 requires a documented access control policy (A.5.15 in the 2022 edition, A.9.1.1 in 2013) that includes password and authentication requirements. The policy must be approved by management, communicated to all users, and reviewed at defined intervals.

What is the difference between ISO 27001 and SOC 2 password requirements?

ISO 27001 is an international standard certified by accredited bodies; SOC 2 is a US-centred attestation under the AICPA Trust Services Criteria, with password expectations falling under CC6.1. Neither fixes a password length: both leave the number to your own policy and the auditor's judgement of whether it is appropriate, so one access control policy with a 12 to 16 character minimum and MFA for privileged access typically satisfies both.

How can PassGeni help with ISO 27001 compliance?

PassGeni's ISO 27001 compliance preset enforces a 14-character minimum and the required character types. The Policy Generator tool can produce a written password policy that meets the ISMS documentation requirements described above in minutes.
