
Password Manager Policy Template for UK Businesses (ISO 27001 and ISO 9001)

A written password management policy is one of the most straightforward security documents a UK business can produce — and yet it remains absent from the governance frameworks of a surprising number of small and medium-sized organisations. If your business holds personal data, operates under a quality management system, or is working towards ISO 27001 certification, a documented password policy is not optional. It is a demonstrable, auditable control that shows regulators, clients, and certification bodies that you take information security seriously. This article provides a practical template you can copy, adapt, and adopt as your own.

Why a Written Password Policy Is Required

Before we get to the template itself, it is worth understanding exactly why documented controls matter — because that understanding will help you tailor the policy to your circumstances rather than simply ticking a box.

ISO 27001 Annex A.5.17

ISO 27001:2022 Annex A control A.5.17 covers Authentication Information. It requires organisations to establish a policy governing how authentication credentials — passwords in particular — are allocated, managed, and protected. Critically, the control asks not just that passwords are managed well in practice, but that the rules are documented. Without a written policy, an auditor has no artefact to review. You may be doing everything right operationally, but if there is nothing on paper, you cannot demonstrate it.

ISO 9001 Clause 7.5

For businesses operating a Quality Management System (QMS), ISO 9001:2015 clause 7.5 sets out requirements for Documented Information. Where your QMS intersects with IT security — and for most businesses it does, since data integrity underpins quality processes — you are expected to maintain and control documented information. A password management policy is a logical and expected piece of that documentation, particularly if your QMS covers data handling, customer records, or system access.

UK GDPR Article 5(1)(f)

Under UK GDPR, the integrity and confidentiality principle (Article 5(1)(f)) requires that personal data is processed in a manner that ensures appropriate security, including protection against unauthorised access. A password policy is a concrete, auditable organisational measure that demonstrates compliance. In the event of a data breach, the ICO will ask what policies you had in place. A clear, maintained password policy — especially one that mandates multi-factor authentication and a password manager — is meaningful evidence that you took reasonable steps.

The Role of a Password Manager

A business-grade password manager such as LastPass Business or 1Password Business does more than store credentials securely. Both platforms offer admin policy enforcement — you can mandate minimum password strength, prohibit reuse, require MFA at login, and control vault access by role. This means many of the rules in your policy below can be technically enforced rather than left to individual behaviour, which is exactly what ISO 27001 auditors want to see. A policy that references your chosen tool, and describes how its controls map to the policy requirements, is considerably more robust than a policy that relies on self-reporting alone.


Password Management Policy Template

The following template is intended for UK businesses. Replace all bracketed placeholders with your own organisational details. Sections are written in plain English suitable for a non-technical audience, whilst remaining sufficiently specific to satisfy an ISO 27001 internal or external audit.

Document Information

Policy Title: Password Management Policy
Document Reference: [e.g. ISMS-POL-005]
Version: 1.0
Date Issued: [Date]
Next Review Date: [Date + 12 months]
Policy Owner: [Name / Role, e.g. IT Manager / Operations Director]
Approved By: [Name / Role, e.g. Managing Director]


1. Purpose and Scope

This policy establishes the rules governing the creation, use, protection, and management of passwords and other authentication credentials at [Organisation Name] (referred to in this document as “the organisation”).

This policy applies to:

  • All employees, contractors, and third-party users who access the organisation’s systems, applications, or data
  • All devices — including personal devices used to access work systems (BYOD)
  • All systems holding organisational or customer data, including cloud-based applications, email platforms, financial systems, and CRM tools

This policy supports compliance with ISO 27001:2022 Annex A.5.17, ISO 9001:2015 clause 7.5, and the UK General Data Protection Regulation (UK GDPR) Article 5(1)(f).

[Guidance: Auditors look for a clear statement of who is in scope. Vague scope — “all staff” without referencing contractors or third-party access — is a common gap. Your password manager’s admin console can enforce policies across all active user accounts, giving you a technical control that mirrors this written scope.]


2. Password Requirements

All passwords protecting organisational systems and data must meet the following minimum requirements:

  • Minimum length: 14 characters for standard user accounts; 20 characters for privileged/admin accounts
  • Complexity: Passwords must not be based on dictionary words, personal information (name, date of birth, company name), or common patterns (e.g. “Password1!”). Use of a password manager-generated random password is the preferred method and satisfies this requirement automatically.
  • Uniqueness: Each system must have a unique password. Reusing a password across two or more systems is prohibited.
  • Reuse restriction: Passwords must not repeat any of the previous 12 passwords used for that account.
  • Expiry: Passwords do not need to be changed on a fixed schedule unless there is evidence of compromise or a change in the user’s role. This is in line with NCSC guidance, which discourages routine expiry in favour of longer, unique credentials. Passwords must be changed immediately upon any suspected or confirmed compromise.
  • Sharing: Passwords must never be shared by email, SMS, instant message, or verbally, except through an approved password manager’s secure sharing feature.

[Guidance: The 14-character minimum, prohibition on reuse, and no-fixed-expiry approach all align with current NCSC guidance and are increasingly expected by ISO 27001 auditors over legacy 90-day rotation policies. Tools like 1Password Business and LastPass Business enforce minimum length and complexity at the vault level, and can prevent users from saving weak credentials.]
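As an added illustration (not part of the template, and not the tooling of either vendor named above), the following Python checker implements the section 2 rules as written: the 14/20-character minimums by account type, rejection of personal information and common patterns, and the 12-password history check. The `COMMON_PATTERNS` list, the `dob_variants` helper and every sample value are constructed for the example.

```python
"""Checker for the section 2 password rules (added example, not part of the policy template).
The thresholds come from the policy text; helper names, pattern list and sample values are constructed."""
import hashlib
import re
from typing import Iterable

MIN_LENGTH = {"standard": 14, "privileged": 20}  # section 2: 14 chars standard, 20 privileged
HISTORY_DEPTH = 12                                # section 2: must not repeat any of the previous 12
# Constructed shortlist of the "common patterns" the policy rejects; a deployment would swap in
# a larger list (for example a breached-password feed) without changing the logic below.
COMMON_PATTERNS = ("password", "qwerty", "123456", "letmein", "welcome")
LEET = str.maketrans("@$0134!", "asoieai")        # undo common letter/digit substitutions


def hash_for_history(password: str) -> str:
    """Digest kept in the history list so old passwords are never stored in clear."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dob_variants(iso_date: str) -> list[str]:
    """Expand 'YYYY-MM-DD' into the digit forms people commonly embed in passwords."""
    year, month, day = iso_date.split("-")
    return [year, day + month + year[2:], day + month + year, year + month + day]


def check_password(password: str, account_type: str, personal_info: Iterable[str] = (),
                   history: Iterable[str] = ()) -> list[str]:
    """Return every section 2 rule the password breaks; an empty list means compliant."""
    problems = []
    minimum = MIN_LENGTH[account_type]
    if len(password) < minimum:
        problems.append(f"shorter than the {minimum} characters required for {account_type} accounts")
    # Compare against both the raw lowercase form and the de-leeted form ("P@ssw0rd1!" -> "passwordi!")
    haystacks = (password.lower(), password.lower().translate(LEET))
    for pattern in COMMON_PATTERNS:
        if any(pattern in h for h in haystacks):
            problems.append(f"contains common pattern '{pattern}'")
    for item in personal_info:
        # Any word or number of three or more characters from the user's details is disallowed
        tokens = re.findall(r"[a-z0-9]{3,}", item.lower())
        if any(token in h for token in tokens for h in haystacks):
            problems.append(f"contains personal information '{item}'")
    recent = list(history)[-HISTORY_DEPTH:]       # only the last 12 entries count
    if hash_for_history(password) in recent:
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample: the policy's own bad example fails on both length and pattern
    print(check_password("Password1!", "standard"))
```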


3. Use of a Password Manager

The organisation has approved the use of [Name of Password Manager, e.g. 1Password Business / LastPass Teams] as its designated password management tool.

  • All employees are required to use the approved password manager to store and generate credentials for work-related systems.
  • The use of browser-based password saving (e.g. Chrome, Edge, Safari built-in password storage) for work accounts is prohibited unless explicitly approved by [IT Manager / Policy Owner].
  • All work credentials must be stored in the organisational vault, not a personal vault, unless a personal vault has been explicitly permitted by the Policy Owner for designated use cases.
  • The password manager must be protected by a strong master password (meeting the requirements in section 2) and multi-factor authentication (see section 6).

[Guidance: Mandating a specific tool rather than leaving the choice to individuals is best practice. Auditors want to see that the organisation has implemented a technical control, not simply told staff to “use a password manager.” For a deeper look at how password managers map to ISO 27001 controls, see our guide: Password Managers and ISO 27001 Compliance.]


4. Privileged and Administrator Account Rules

Privileged accounts — those with elevated access rights such as system administrator, domain admin, or database admin roles — carry a higher risk if compromised and must be subject to additional controls:

  • Privileged account credentials must be stored in a dedicated, access-controlled vault or collection within the password manager, visible only to authorised individuals.
  • Privileged account passwords must meet the higher minimum length requirement (20 characters) specified in section 2.
  • Privileged access must be granted on a least-privilege basis: users should not hold admin credentials unless their role requires it.
  • Admin accounts must not be used for routine tasks such as checking email or browsing the web. A separate standard account must be used for day-to-day activity.
  • All use of privileged accounts should be logged where technically feasible, and logs reviewed periodically by [IT Manager / Policy Owner].

[Guidance: ISO 27001 Annex A.8.2 covers privileged access rights separately, but password requirements for those accounts are assessed alongside A.5.17. Auditors will often ask to see evidence that admin credentials are stored separately and with higher scrutiny. 1Password Business supports dedicated “Admin” vaults with restricted visibility; LastPass Business offers similar controls via its Admin Console.]


5. Shared Accounts and Service Accounts

Where shared accounts are unavoidable (for example, a team social media account, a service account used by automated processes, or a supplier portal accessible by multiple staff), the following rules apply:

  • Shared credentials must be stored in a shared vault or collection within the approved password manager, accessible only to those with a legitimate business need.
  • Access to shared vaults must be reviewed and confirmed at least every six months, or following any change in team membership.
  • When a member of staff with access to a shared account leaves the organisation, or changes role, the shared password must be changed promptly (see section 7).
  • Service accounts used by applications or automated processes must be documented in the password manager or a separate service account register, with a named owner responsible for each account.
  • Shared personal logins (where one individual’s credentials are shared with colleagues) are prohibited.

[Guidance: Shared accounts are one of the trickiest areas for auditors to assess, because individual accountability is lost. The answer is not to ban shared accounts (that is often impractical) but to demonstrate that they are tracked, time-limited in access, and immediately updated on personnel changes. A team vault in your password manager is the most auditable solution available.]


6. Multi-Factor Authentication (MFA)

Multi-factor authentication provides a critical second layer of defence against unauthorised access and is required as follows:

  • MFA is mandatory for access to the password manager itself.
  • MFA is mandatory for all cloud-based services holding personal or sensitive data, including but not limited to: Microsoft 365, Google Workspace, accounting software, CRM platforms, and any service processing payments.
  • MFA is mandatory for all remote access, including VPN, Remote Desktop, and any cloud infrastructure console.
  • Where a system does not support MFA natively, this must be reported to [IT Manager / Policy Owner] and an alternative compensating control documented.
  • Authenticator app-based MFA (e.g. Microsoft Authenticator, Google Authenticator, Authy) is preferred over SMS-based codes, which are susceptible to SIM-swap attacks.

[Guidance: ISO 27001 A.8.5 covers secure authentication. MFA is increasingly treated as a baseline expectation rather than a bonus control. Cyber Essentials — the UK government-backed scheme — also mandates MFA for cloud services and remote access. 1Password Business and LastPass Business both enforce MFA at login via admin policy, so you can ensure no user can bypass it.]


7. Offboarding Procedure

When an employee, contractor, or third-party user leaves the organisation or changes role, the following steps must be completed within [24 hours / one business day] of the effective leaving date:

  • The user’s password manager account must be suspended or removed by [IT Manager / Policy Owner], preventing further access to all stored credentials.
  • Any shared vault credentials to which the departing user had access must be rotated immediately.
  • Any privileged account credentials known to the departing user must be changed, even if stored only in the password manager, to eliminate the risk of memorised credentials.
  • Access to all other systems (email, cloud storage, line-of-business software) must be revoked in parallel, following the organisation’s standard joiner/mover/leaver procedure.
  • Completion of these steps must be recorded in the organisation’s HR or IT access management log.

[Guidance: This is consistently one of the highest-risk areas identified in ISO 27001 audits and UK GDPR assessments. Credentials not revoked promptly after a departure represent a live data breach risk. A password manager simplifies this significantly — revoking a user from the admin console removes their access to all shared vaults in a single action. For a practical guide on deploying this process, see: How to Roll Out a Password Manager in Your Business.]


8. Incident Response — Compromised Credentials

If a user suspects or discovers that a password or set of credentials has been compromised, the following steps must be taken immediately:

  1. Do not delay. Report the suspected compromise to [IT Manager / Policy Owner / designated security contact email address] immediately — even outside business hours if the system involved holds personal or financial data.
  2. Change the affected password immediately via the password manager. Use a newly generated random password.
  3. Review for reuse. If the compromised password was (in breach of this policy) used elsewhere, change it on all affected systems.
  4. Check for active sessions. Where the system permits, review active sessions and force logout of all sessions other than the current one.
  5. Document the incident in the organisation’s information security incident log, including the date, systems affected, likely cause, and actions taken.
  6. Assess for UK GDPR reporting obligations. If personal data may have been accessed as a result of the compromised credentials, the incident must be assessed for ICO reporting under Article 33 UK GDPR (72-hour notification window).

[Guidance: ISO 27001 A.5.26 and A.5.27 cover incident response and learning from incidents. Auditors look for a clear, documented response process — not perfection, but demonstrable structure. Having this in your password policy, rather than a separate document buried in a file share, means it is in front of users when they need it most.]


9. Review Frequency

This policy will be reviewed:

  • Annually, on or before the date shown in the document information section
  • Following any significant change to the organisation’s IT infrastructure or cloud service landscape
  • Following any password-related security incident
  • Following any relevant change to UK GDPR guidance, NCSC guidance, or ISO 27001 controls

The Policy Owner is responsible for initiating and documenting each review. Version history must be maintained below.

[Guidance: ISO 27001 and ISO 9001 both require that documents are kept current. An annual review cycle is the minimum expectation. Noting the trigger events for out-of-cycle reviews demonstrates a mature, responsive approach to policy governance.]


10. Policy Owner and Approval

This policy is owned by [Name / Role] and was approved by [Name / Role, e.g. Managing Director / Board] on [Date].

Queries regarding this policy should be directed to [Email address / Name].

All staff are required to confirm they have read and understood this policy as part of their onboarding process and following each annual review. Confirmation records are maintained by [HR / IT Manager].

[Guidance: A named owner and a documented approval trail are both required under ISO 27001 and ISO 9001. If your policy has no named owner and no record of who approved it, it is unlikely to pass an audit. Many organisations link this to an annual staff sign-off exercise — a password manager admin portal can support this by showing which users have accepted updated policies if the tool supports it.]


Implementing the Policy: Where a Password Manager Helps

A password policy is only as strong as its enforcement. For small businesses without a dedicated IT team, the gap between a written policy and day-to-day practice can be significant. This is where a business-grade password manager earns its subscription fee.

Both 1Password Business and LastPass Business offer admin policy consoles that allow you to enforce password strength, mandate MFA, restrict which applications can store credentials, manage shared vaults, and receive alerts when credentials appear in known data breaches. These controls translate written policy into technical enforcement — which is exactly what ISO 27001 auditors and GDPR assessors are looking for when they ask for evidence of appropriate technical and organisational measures.

For a detailed comparison of how these tools support ISO 27001 compliance specifically, see our guide: Password Managers and ISO 27001 Compliance. If you are at the stage of choosing and deploying a password manager for your team, our best business password manager UK guide for 2026 covers the current options in detail.

Version History

Maintain a brief version history below each issued copy of your policy. This is a simple but important audit requirement under both ISO 27001 and ISO 9001.

Version | Date   | Author | Summary of Changes
1.0     | [Date] | [Name] | Initial issue

Disclaimer

This template is provided for general guidance purposes only. It is not legal advice and does not constitute a ready-to-use compliance document. Password management requirements vary depending on your industry sector, the nature of the data you hold, your certification scope, and your specific IT environment. Before adopting this policy, you should have it reviewed and, if necessary, adapted by your ISMS lead, data protection officer, or a qualified legal adviser with experience in UK information security and data protection law. Serverman.co.uk accepts no liability for the use or misuse of this template.
