In "ISO 27001:2013 vs ISO 27001:2005 differences #4" it was noted that the new ISO 27001/27002 adds 12 new controls; each of them will be explained and discussed in turn, starting with:
A.9.2.4 Management of secret authentication information of users
Control
The allocation of secret authentication information should be controlled through a formal management process.
Implementation guidance
The process should include the following requirements:
a) users should be required to sign a statement to keep personal secret authentication information confidential and to keep group (i.e. shared) secret authentication information solely within the members of the group; this signed statement may be included in the terms and conditions of employment (see 7.1.2);
b) when users are required to maintain their own secret authentication information they should be provided initially with secure temporary secret authentication information (see 9.2.3), which they are forced to change on first use;
c) procedures should be established to verify the identity of a user prior to providing a new, replacement or temporary secret authentication information;
d) temporary secret authentication information should be given to users in a secure manner; the use of external parties or unprotected (clear text) electronic mail messages should be avoided;
e) temporary secret authentication information should be unique to an individual and should not be guessable;
f) users should acknowledge receipt of secret authentication information;
g) default vendor secret authentication information should be altered following installation of systems or software.
The new ISO 27001/27002 replaces the previous edition's term "password" with "secret authentication information" so that it covers every authentication mechanism (passwords, cryptographic keys, hardware tokens and so on). This control addresses how such mechanisms are handled in use: they must be changed on first use, and the initial secret issued to a user must be delivered securely and must not be guessable. It also stresses that users should be required to keep their secrets confidential; where a group (shared) secret is used, the users concerned should likewise be required to keep it within the group and to sign the corresponding agreement.
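As an added illustration, not part of the original post or of the standard's text, the following Python sketch enforces several of the guidance items above in a credential-provisioning flow: an unguessable temporary secret (e), forced change on first use (b), acknowledgement of receipt (f), and rejection of vendor default values (g). The in-memory account record, its field names and the vendor-default list are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits
# Constructed sample of vendor defaults that must not survive installation (item g).
KNOWN_VENDOR_DEFAULTS = {"admin", "password", "changeme"}


def _hash(secret: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the secret, never the secret itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class Account:
    user: str
    salt: bytes
    digest: bytes
    must_change: bool = True      # item b: forced change on first use
    acknowledged: bool = False    # item f: user has acknowledged receipt


def issue_temporary_secret(user: str, length: int = 16):
    """Generate a unique, unguessable temporary secret (item e) using a CSPRNG."""
    temp = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = os.urandom(16)
    return temp, Account(user, salt, _hash(temp, salt))


def acknowledge_receipt(acct: Account) -> None:
    acct.acknowledged = True


def authenticate(acct: Account, secret: str) -> str:
    """Return 'denied', 'change_required' or 'ok'."""
    if not hmac.compare_digest(_hash(secret, acct.salt), acct.digest):
        return "denied"
    return "change_required" if acct.must_change else "ok"


def change_secret(acct: Account, old: str, new: str) -> bool:
    """Replace the secret; reject vendor defaults, short values and re-use of the old one."""
    if authenticate(acct, old) == "denied":
        return False
    if new.lower() in KNOWN_VENDOR_DEFAULTS or len(new) < 12 or new == old:
        return False
    acct.salt = os.urandom(16)
    acct.digest = _hash(new, acct.salt)
    acct.must_change = False
    return True
```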