Does an ISO27001 audit require users to reveal their passwords?

Absolutely not!

ISO 27001 requires management of passwords and requires having password policies. Someone in your company is interpreting this as needing to inspect all passwords in the clear to ensure that they meet the password policy.

But this is a terrible way of doing this audit. Technology should be in place to force people to comply with password policies when they make passwords, not to inspect them by hand once they are made.

There is a wide-ranging series of failures if they want to audit passwords by looking at them ...
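As an added illustration of the point above (this is example code, not part of the original answer), here is what "technology in place to force compliance" looks like in practice: the policy is checked at the moment a password is set, only a salted hash is stored afterwards, and the audit function reports evidence about the control (hash, salt, policy version) rather than about any secret. The policy values, user names and passwords are constructed for the example.

```python
"""Enforce a password policy at creation time and keep only a salted hash, so an
auditor can verify the control (the policy and the checker) without ever seeing
a password.  Illustrative code, not from the answer; all values are constructed."""
import hashlib
import hmac
import os
import re

# Constructed example policy; a real one would come from the organisation's policy document.
POLICY = {
    "version": "2024-01",  # recorded with each credential so an audit can tie it to the policy in force
    "min_length": 12,
    "max_length": 128,
    "min_classes": 3,      # of: lowercase, uppercase, digit, other
}

_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
_PBKDF2_ROUNDS = 200_000


def check_policy(password: str, policy: dict = POLICY) -> list:
    """Return the policy rules the candidate password violates (empty list = compliant)."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append("min_length")
    if len(password) > policy["max_length"]:
        violations.append("max_length")
    classes = sum(1 for pat in _CLASSES if re.search(pat, password))
    if classes < policy["min_classes"]:
        violations.append("min_classes")
    return violations


def set_password(store: dict, user: str, password: str, policy: dict = POLICY) -> None:
    """Reject a non-compliant password up front; afterwards store only salt + PBKDF2 hash."""
    violations = check_policy(password, policy)
    if violations:
        raise ValueError(f"password for {user} violates policy: {violations}")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    store[user] = {
        "salt": salt.hex(),
        "hash": digest.hex(),
        "kdf": f"pbkdf2_hmac-sha256/{_PBKDF2_ROUNDS}",
        "policy_version": policy["version"],
    }


def verify_password(store: dict, user: str, candidate: str) -> bool:
    """Constant-time comparison of the candidate's hash against the stored one."""
    rec = store.get(user)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(rec["salt"]), _PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), rec["hash"])


def audit_evidence(store: dict, policy: dict = POLICY) -> dict:
    """What an auditor actually needs: every credential is salted, hashed and was set
    under the current policy version.  No plaintext is stored, so none can be shown."""
    report = {"policy_version": policy["version"], "users": {}, "compliant": True}
    for user, rec in store.items():
        ok = (
            "password" not in rec and "plaintext" not in rec
            and len(rec.get("salt", "")) == 32          # 16 random bytes, hex-encoded
            and rec.get("policy_version") == policy["version"]
        )
        report["users"][user] = "ok" if ok else "review"
        report["compliant"] = report["compliant"] and ok
    return report


if __name__ == "__main__":
    creds = {}
    set_password(creds, "alice", "Correct-Horse-Battery-42")   # constructed example password
    print(audit_evidence(creds))
    print(verify_password(creds, "alice", "Correct-Horse-Battery-42"))
```

The audit report deliberately contains nothing that could be turned back into a password; what it proves is that the enforcement point exists and was applied, which is the control ISO 27001 actually asks for.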


This is not true. Besides the fact that a sysadmin should be able to change your password when needed, it is probably in breach of the very controls they claim to be enforcing.

It is their job to ensure that controls are in place around passwords, but it is the user's responsibility to keep their passwords confidential.

Any shared admin passwords should be managed centrally by your sysadmin.

An example of a compliant password policy


What ISO27001 says about passwords

From https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/ there is a summary about user passwords:

User responsibilities (subsection A.9.3)

This is a very short subsection (with one control only) that requires you to define how the users will keep their authentication information secret (e.g., protect their passwords). This is usually done through some document like the Acceptable Use Policy, which defines rules like these: do not write the passwords down, do not disclose them to anyone, do not use the same password in different systems, etc.

In essence, if a user reveals his or her password the company fails the audit.

Importance of passwords

Your password is more important than your signature used to be in the old days, because in the old days your signature could be forged, but nowadays your password is invisible (in theory at least).

Your password authenticates your User ID. Your User ID gives you certain but restricted powers within areas of your company. Accounting controls require separation of duties. For example, a user who approves purchase orders cannot approve receipt of goods. A user who approves receipt of goods cannot approve vendor invoices.

If a criminal (or ISO27001 auditor or IT person) had access to all three passwords they could set up a fake vendor account, set up a fake purchase order, set up fake receipt of goods and pay funds to the fake vendor account.
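To make the separation-of-duties argument above concrete, here is an added example (not part of the original answer) of the two checks a system typically runs: a preventive check at the moment of approval, and a detective check over the approval log afterwards. Both key on the User ID, which is exactly why the control is only as strong as the confidentiality of the password behind that ID. The step names and the log lines are constructed.

```python
"""Separation-of-duties (SoD) checks for the three-way purchase approval described
in the answer.  Added illustrative code; the step names and log are constructed."""
from collections import defaultdict

# The three approvals that must not be performed by the same identity on one purchase.
CONFLICTING_STEPS = {
    "approve_purchase_order",
    "approve_goods_receipt",
    "approve_vendor_invoice",
}

# Constructed sample approval log: (purchase_id, step, user_id)
SAMPLE_LOG = [
    ("PO-1001", "approve_purchase_order", "alice"),
    ("PO-1001", "approve_goods_receipt",  "bob"),
    ("PO-1001", "approve_vendor_invoice", "carol"),   # clean: three different identities
    ("PO-1002", "approve_purchase_order", "alice"),
    ("PO-1002", "approve_goods_receipt",  "alice"),   # alice's ID used for two conflicting steps
    ("PO-1002", "approve_vendor_invoice", "carol"),
    ("PO-1003", "approve_purchase_order", "dave"),
    ("PO-1003", "approve_goods_receipt",  "dave"),
    ("PO-1003", "approve_vendor_invoice", "dave"),    # one identity did everything
]


def may_perform(log, purchase: str, step: str, user: str) -> bool:
    """Preventive check: refuse a step if this user ID already performed a different
    conflicting step on the same purchase."""
    if step not in CONFLICTING_STEPS:
        return True
    already_done = {s for p, s, u in log
                    if p == purchase and u == user and s in CONFLICTING_STEPS}
    return not (already_done - {step})


def sod_violations(log) -> dict:
    """Detective check: for each purchase, list user IDs that performed more than one
    of the conflicting steps.  Returns {purchase_id: {user_id: [steps]}}."""
    steps_by = defaultdict(lambda: defaultdict(set))
    for purchase, step, user in log:
        if step in CONFLICTING_STEPS:
            steps_by[purchase][user].add(step)
    violations = {}
    for purchase, users in steps_by.items():
        for user, steps in users.items():
            if len(steps) > 1:
                violations.setdefault(purchase, {})[user] = sorted(steps)
    return violations


if __name__ == "__main__":
    for purchase, offenders in sod_violations(SAMPLE_LOG).items():
        print(f"{purchase}: SoD violation by {offenders}")
    print(may_perform(SAMPLE_LOG, "PO-1001", "approve_goods_receipt", "alice"))  # False
```

Note what the detective check can and cannot see: PO-1002 and PO-1003 are flagged because one User ID appears on several steps. If instead three different IDs had been used by one person holding all three passwords, the log would look like PO-1001 and pass, which is the scenario the answer warns about.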