Sorry for the late reply.
This control is pretty straightforward. As this is information security, the standard is saying that when you design systems, security should be part of the design and analysis stage. Not after. During the design stage the following should be considered:
1. Who can access?
2. How to validate access?
3. If passwords, how long? Complexity rules? Expiration?
ISO/IEC 27002 provides a long list of guides for ISMS controls.