Good quality passwords

One of the key control objectives under ISO 27001 is a user’s responsibility to prevent unauthorised access to systems that could compromise information, enable the information to be stolen or cause the facility holding the information to be compromised.

One of the key safeguards is good security practice in the selection and use of passwords.

Information processing systems should encourage the use of good quality passwords by:

  1. Asking employees to sign an agreement to keep their passwords confidential and including this within their conditions of employment
  2. Providing users with an initial secure temporary password that they are forced to change on first use
  3. Verifying the user’s identity before providing, in a secure manner, a new password
  4. Enforcing a use of “good quality passwords” – see below
  5. Enforcing password changes (after a set period of time, for example)
  6. Preventing re-use of previously used passwords

Good quality passwords are:

  1. Easy to remember
  2. Not easily guessable (not based on your name, telephone number, date of birth)
  3. Not in the dictionary
  4. Not made up of consecutive identical, all-numeric or all-alphabetic characters (not “abc123”, “123456” or “abcdef”)

This advice for choosing a memorable password would be a good start.
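The rules in the list above (not based on personal details, not a dictionary word, no identical or sequential runs, not all-numeric or all-alphabetic) and safeguard 6 from the first list (no re-use of earlier passwords) are mechanical enough to enforce at password-change time. The following checker is an added example, not code from the original page or from BSI. It assumes the user's name, telephone number and date of birth are passed in by the calling system, uses a small constructed word list where a real deployment would load a full dictionary, treats "consecutive characters" as covering sequential runs such as "abc" and "123" (an interpretation of the page's own examples), and stores password history as salted PBKDF2 hashes so that old passwords are never kept in clear text.

```python
import hashlib
import hmac
import os
import re

# Constructed word list standing in for a real dictionary (assumption: a deployment
# would load a proper word list or consult a breached-password service instead).
DICTIONARY_WORDS = {"password", "welcome", "letmein", "monkey", "dragon", "summer"}

# Salted, iterated hash used only for the password-history (re-use) check.
PBKDF2_ITERATIONS = 100_000


def _normalise(text):
    """Lower-case and keep only letters and digits, so 'J. Smith' and 'jsmith' compare alike."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _tokens(text, min_len=3):
    """Alphanumeric fragments of a personal detail worth matching: 'John Smith' -> ['john', 'smith'],
    '1990-04-12' -> ['1990'] (fragments shorter than min_len, such as '04', are ignored)."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if len(t) >= min_len]


def _has_identical_run(password, run=3):
    """True if the same character repeats `run` or more times in a row ('aaa', '111')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def _has_sequential_run(password, run=3):
    """True for ascending or descending runs of alphanumerics such as 'abc', '123' or 'cba'.
    This reading of 'consecutive characters' is an assumption drawn from the page's examples."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not chunk.isalnum():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def history_entry(password, salt=None):
    """Return (salt, digest) for storing a password in the history list; a fresh random salt per entry."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def used_before(password, history):
    """Re-derive the candidate under each stored salt and compare in constant time."""
    return any(hmac.compare_digest(history_entry(password, salt)[1], digest) for salt, digest in history)


def check_password(password, user_name="", phone="", birth_date="", history=()):
    """Return the list of policy failures for a candidate password; an empty list means it is acceptable."""
    failures = []
    pw = _normalise(password)

    # Rule 2: not based on the user's name, telephone number or date of birth
    for label, value in (("name", user_name), ("telephone number", phone), ("date of birth", birth_date)):
        fragments = [_normalise(value)] + _tokens(value)
        if any(f and f in pw for f in fragments):
            failures.append(f"based on {label}")

    # Rule 3: not a dictionary word (also catches 'password1'-style trailing digits)
    if pw in DICTIONARY_WORDS or re.sub(r"\d+$", "", pw) in DICTIONARY_WORDS:
        failures.append("dictionary word")

    # Rule 4: not all-numeric, not all-alphabetic, no identical or sequential runs
    if password.isdigit():
        failures.append("all numeric")
    if password.isalpha():
        failures.append("all alphabetic")
    if _has_identical_run(password):
        failures.append("consecutive identical characters")
    if _has_sequential_run(password):
        failures.append("sequential characters")

    # Safeguard 6: no re-use of a previously used password
    if used_before(password, history):
        failures.append("previously used")

    return failures


if __name__ == "__main__":
    # Constructed user details and history for the demonstration run
    old_passwords = [history_entry("Tr0ub4dor&3")]
    for candidate in ("abc123", "johnsmith1990", "password1", "Tr0ub4dor&3", "correct-horse-battery-9"):
        result = check_password(candidate, "John Smith", "020 7946 0958", "1990-04-12", old_passwords)
        print(f"{candidate!r:28} -> {result or 'OK'}")
```

The "easy to remember" criterion cannot be checked by code and is deliberately left to the user; everything else in the list is reported as a named failure so the system can tell the user which rule was broken rather than just rejecting the password.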


Integrating your management systems

As organisations adopt more formal management system standards (such as ISO 9001, ISO 14001, ISO/IEC 27001 and ISO/IEC 20000) these are frequently implemented as standalone systems.

However, there are six common elements in these management system standards (and in ISO 22000 and OHSAS 18001 as well) that can be managed as an integrated management system across all of them, to the benefit of the whole organisation.

These common elements are:

  1. Policy
  2. Planning
  3. Implementation and operation
  4. Performance assessment
  5. Improvement, and
  6. Management review

Although each standard has its own specific requirements that need to be addressed, these six elements are present in all the above management system standards. ISO is working, through its ISO Guide 72, to ensure not only that these elements exist in all management system standards, but that they have the same clause numbers in each standard.

PAS 99:2006, Specification of common management system requirements as a framework for integration, has been produced to help organisations benefit from consolidating the common requirements. If your organisation has adopted, or is adopting, more than one of these standards, the use of this integrated approach can reduce duplication and complexity and make internal and external audits more effective and efficient.

BS 10012:2009 Data Protection – Specification for a Personal Information Management System


The Data Protection Act applies to any organisation in the UK that holds personal information about living individuals. Compliance with the Data Protection Act is required by law and this standard will help you demonstrate compliance.

The BS 10012 standard:

  • provides a framework for developing an infrastructure to maintain and improve compliance
  • allows you to assess your current level of compliance, recognise weaknesses and identify opportunities for improvement
  • enables effective assessment of compliance by internal auditors and external assessors

This is provided in a straightforward format following the management system style of “plan-do-check-act”, also known as the Deming cycle, used in ISO 9001, ISO 14001, ISO 27001, etc.

The standard is available in hardcopy and PDF download for £100 (or £50 for BSI members) from BSI.

BSI also publish a simple guide to the Data Protection Act – Data Protection Pocket Guide – Essential Facts at Your Fingertips.