ISMS Mission 2 — Password Management

The most common cause of organisational security incidents is also the most preventable. Employees know they should use strong passwords. Most of them don't — because knowing a principle and having a habit are two different things.

The Credential Problem

Compromised credentials are the entry point for more security incidents than any other single cause. Not sophisticated exploits. Not zero-day vulnerabilities. Passwords — reused across accounts, guessed from predictable patterns, shared informally between colleagues, or handed over to someone who seemed convincing enough on email.

What makes this particularly frustrating from an organisational security perspective is that the solution is not technical. The tools to manage passwords well exist, they are accessible, and they cost less than the average data breach. The gap is behavioural — employees who understand password requirements in the abstract but do not have the habits that translate them into practice.

This mission is not another list of password rules. It is a training experience designed to turn the knowledge employees already have into the habits they don't yet have — through scenario-based practice that makes the right behaviours feel automatic rather than effortful.

What the Password Management Mission Covers

What makes a password strong — and why most people's instincts are wrong. Length matters more than complexity. A random four-word phrase is more secure than a complex substitution of a memorable word. Predictable "complexity" — replacing an 'a' with '@', adding a '1' at the end — is not security, it is security theatre.
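To make the "length over complexity" point concrete, here is an added example (not part of the mission or the page) that contrasts the brute-force entropy a complexity rule would credit with a rough estimate of how an attacker actually guesses. It assumes a small constructed list of common base words standing in for a breach-derived dictionary of about 10,000 entries, a Diceware-style wordlist of 7776 words (the size of the EFF long list), and a simple model of the substitution and suffix patterns the paragraph describes. The figures are illustrative of the ordering, not exact cracking costs.

```python
import math
import re

# Constructed stand-in for a list of common / previously breached base words.
# A real deployment would use a large breach-derived list (assumed size: ~10,000).
COMMON_WORDS = {"password", "welcome", "summer", "monkey", "dragon", "letmein", "football"}
ASSUMED_DICTIONARY_SIZE = 10_000

# Word count of a Diceware-style list (the EFF long list has 7776 words).
WORDLIST_SIZE = 7776

# The "predictable complexity" substitutions the text describes, mapped back to letters.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})
SUBSTITUTABLE = set("aeiost")          # letters a guesser would try substituting
TRAILING = re.compile(r"[0-9!@#$%^&*.]+$")   # the '1' or '!' tacked on the end


def normalise(password):
    """Strip the trailing digit/symbol suffix, then undo leet substitutions.
    Returns (base word, length of stripped suffix)."""
    lowered = password.lower()
    stripped = TRAILING.sub("", lowered)
    return stripped.translate(LEET_MAP), len(lowered) - len(stripped)


def charset_size(password):
    """Size of the character set a naive complexity rule would credit."""
    size = 0
    if re.search(r"[a-z]", password): size += 26
    if re.search(r"[A-Z]", password): size += 26
    if re.search(r"[0-9]", password): size += 10
    if re.search(r"[^a-zA-Z0-9]", password): size += 33
    return size


def naive_bits(password):
    """Brute-force entropy: what a 'must contain upper, digit, symbol' rule assumes."""
    return len(password) * math.log2(charset_size(password))


def estimate_bits(password):
    """Entropy estimate that models how the password would actually be guessed."""
    words = password.split()
    if len(words) >= 3 and all(w.isalpha() for w in words):
        # Random multi-word passphrase: the attacker guesses words, not characters.
        return len(words) * math.log2(WORDLIST_SIZE)

    base, suffix_len = normalise(password)
    if base in COMMON_WORDS:
        # Dictionary word + optional substitutions + trailing suffix + capitalisation.
        bits = math.log2(ASSUMED_DICTIONARY_SIZE)
        bits += sum(1 for c in base if c in SUBSTITUTABLE)   # each substitution: yes/no
        bits += suffix_len * math.log2(43)                   # 10 digits + 33 symbols per char
        bits += 1 if password != password.lower() else 0     # capitalised somewhere
        return bits

    # Nothing predictable found: fall back to the brute-force figure.
    return naive_bits(password)


def verdict(password, minimum_bits=50):
    """Policy check: True if the realistic estimate meets the minimum."""
    return estimate_bits(password) >= minimum_bits


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "correct horse battery staple", "x7Gq#2Lp"]:
        print(f"{pw!r}: naive {naive_bits(pw):.1f} bits, "
              f"realistic {estimate_bits(pw):.1f} bits, ok={verdict(pw)}")
```

Run as a script it shows the inversion the paragraph describes: a complexity rule credits "P@ssw0rd1" with roughly 59 bits, while the pattern-aware estimate gives it under 25, and a four-word random passphrase that contains no digit or symbol at all lands above 50 bits. The same logic, backed by a real breach-derived wordlist, is what a password-policy check should enforce instead of character-class rules.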

Credential hygiene. Password reuse across accounts is the single most common way a breach in one organisation becomes a breach in another. The mission covers unique passwords, password managers, and insecure storage methods.

Multi-factor authentication. MFA is the single most effective control for protecting against compromised credentials. The mission explains what MFA does, when it should be used, and how to use common MFA methods correctly.

Social engineering and credential theft. Phishing, vishing, and pretexting are primarily credential theft mechanisms. The mission covers the tactics used to extract passwords and the scepticism employees should apply when any channel asks for credentials.

Shared accounts. Shared credentials undermine both security and incident response. The mission addresses why and what alternatives organisations should use instead.

Format and Delivery

The Password Management mission runs in the same immersive futuristic environment as the full ISMS programme — scenario-based decision points, realistic phishing simulations, and consequence feedback for each choice.

Deploy standalone — particularly after a phishing incident — or as Mission 2 of the ISMS programme. Hosted online, or delivered as a SCORM package for your LMS.

ISO 27001 and Access Control

ISO 27001 Annex A includes specific controls for access management and authentication — including requirements for secret authentication information to be kept confidential, managed through a formal process, and changed when there is any suspicion of compromise. Clause 7.3 requires that relevant personnel understand the organisation's information security policies and their responsibilities.

Employees who have not been trained on what good credential management looks like cannot meet these requirements in practice — regardless of how clear the policy document is. This mission provides the behavioural training that connects the policy to the daily decisions employees make about how they manage their access.

FAQs

Why is password management the most common security incident entry point?

Compromised credentials are involved in the majority of data breaches, for a straightforward reason: once an attacker has a valid username and password, they do not look like an attacker — they look like a legitimate user. This bypasses most technical security controls. Credentials are compromised through phishing (employees tricked into entering them on fake sites), password reuse (a breach in one organisation compromises accounts in others using the same password), weak passwords guessed through automated tools, and social engineering (employees who give credentials to someone impersonating IT support). Each of these failure modes is preventable through employee behaviour.

What should password management training for employees include?

Effective password management training should cover: what makes a password strong (length and randomness over predictable complexity patterns); why password reuse across accounts is a critical risk; how to use a password manager; what multi-factor authentication is and how to use it correctly; how to recognise credential theft attempts via phishing and social engineering; and what to do when an unexpected authentication request or suspicious login attempt occurs. Training that only covers password complexity rules without addressing these broader behaviours leaves employees vulnerable to the most common attack vectors.

What is multi-factor authentication and should all employees use it?

Multi-factor authentication (MFA) is a security method that requires users to verify their identity through two or more independent factors — typically something they know (a password) and something they have (a phone that receives a code or runs an authenticator app). MFA dramatically reduces the effectiveness of compromised credentials, because an attacker with a correct password still cannot log in without the second factor. Most security standards, including ISO 27001 controls for privileged access, recommend or require MFA. For general employee accounts, MFA is increasingly considered standard practice rather than an optional additional control.
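The following is an added example, not code from the page or the training product, of what "cannot log in without the second factor" looks like on the verifying side. It implements a time-based one-time password (TOTP, RFC 6238) check with the standard library only and combines it with a password check, so a correct password on its own is refused. Assumptions: the user record is constructed for the demo, the shared TOTP secret is the well-known RFC 6238 test secret rather than a per-user random one, PBKDF2 stands in for a proper password hash such as Argon2, and the server accepts one 30-second step of clock drift either side while refusing any counter value that has already been used.

```python
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at_time: float) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time // STEP_SECONDS))


def make_user(password: str) -> dict:
    """Constructed user record for the demo (real systems use Argon2/bcrypt and a random secret)."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test secret, for illustration only
        "last_counter": -1,                        # highest TOTP step already accepted
    }


def password_ok(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def verify_login(user: dict, password: str, code: str, now: float = None) -> bool:
    """Both factors must pass: the password AND a fresh, unused TOTP code."""
    if now is None:
        now = time.time()
    if not password_ok(user, password):
        return False                      # first factor failed; do not evaluate the code
    counter = int(now // STEP_SECONDS)
    for delta in (-1, 0, 1):              # tolerate one step of clock drift
        candidate = counter + delta
        if candidate <= user["last_counter"]:
            continue                      # this step was already consumed: replay refused
        if hmac.compare_digest(hotp(user["totp_secret"], candidate), code):
            user["last_counter"] = candidate
            return True
    return False


if __name__ == "__main__":
    user = make_user("correct horse battery staple")
    t = 59  # RFC 6238 test time; the expected code for this secret is 287082
    print("password + code:", verify_login(user, "correct horse battery staple", "287082", t))
    print("password only:  ", verify_login(user, "correct horse battery staple", "000000", t))
    print("stolen code only:", verify_login(user, "guessed-password", "287082", t))
    print("replayed code:  ", verify_login(user, "correct horse battery staple", "287082", t))
```

The `last_counter` bookkeeping is the part most often missed: without it, a code captured in transit remains valid for up to 90 seconds, which is exactly the window a real-time phishing relay exploits. Rejecting any step at or below the last accepted one closes that window for codes already used, at the cost of refusing a second legitimate login within the same 30-second step.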

How is this different from a phishing awareness training module?

Phishing awareness training focuses specifically on recognising and responding to phishing attempts — suspicious emails, fake login pages, and social engineering tactics. The Password Management mission has a broader scope: it covers the full range of credential security behaviours, of which phishing resistance is one component. Employees who complete the Password Management mission will be better equipped to resist phishing attempts, but the mission also develops the practices (strong unique passwords, MFA, password manager use) that limit the damage when phishing attempts succeed — which is where most phishing-only training stops.
