Are you using the database-based security mechanism built into Portal? If so, then before the user can login, the user must register and provide a password as part of that registration. Would that not qualify as "changing the password on first login" as required by ISO 9001?
I know that the inspectors can be a little anal, but it is worth asking. Usually the "change password" requirement assumes that someone else, such as the Portal or a Portal admin, created the login id along with a temporary password.
Users cannot register but their account is created through the default admin module. Therefore the password is a password created by the admin. Unfortunately the provided email validation does not qualify. I have to implement a forced password change on first login. It was silly that I did not mention it in my previous post.
I was hoping to save development time with an off the shelf solution but it seems I will have to develop it.