ISO 27001 Control 5.17: Authentication Information

Authentication Information: Ensuring Secure Access to Organisational Resources

ISO 27001 Control 5.17 is about authentication information, enabling organisations to verify the identities of users and systems accessing sensitive data and resources. By implementing robust allocation and management processes, organisations can ensure secure access, enhance accountability, and mitigate the risk of unauthorised breaches.



Purpose of Authentication Information Management

The objectives of effective authentication information management include:

  • Facilitating secure authentication for all organisational resources.
  • Minimising vulnerabilities in authentication processes.
  • Educating personnel on secure handling practices for authentication credentials.

Guidelines for Allocating and Managing Authentication Information

1. Secure Credential Allocation

To maintain security, the allocation process must:

  • Generate unique, non-guessable temporary credentials (e.g., passwords or PINs) during enrolment, with mandatory changes upon first use.
  • Verify user identities before issuing new, replacement, or temporary credentials.
  • Transmit authentication information securely using protected channels, avoiding unencrypted communications.
  • Replace default vendor-provided authentication credentials immediately after installation.

2. Accountability and Documentation

  • Require users to formally acknowledge receipt of authentication credentials.
  • Maintain detailed records of significant events in authentication information allocation using approved tools, such as password vaults.

User Responsibilities for Secure Authentication

1. Credential Confidentiality

  • Users must keep authentication credentials private and refrain from sharing them.
  • Shared authentication credentials for non-personal entities should only be accessible to authorised personnel.

2. Addressing Compromises

  • Compromised or potentially compromised credentials must be changed immediately.

3. Best Practices for Passwords

Users should:

  • Avoid passwords based on easily guessable information (e.g., names, birthdays, or dictionary words).
  • Use strong passphrases incorporating alphanumeric and special characters.
  • Create distinct passwords for different systems and services.
  • Adhere to these rules as stipulated in organisational employment terms and policies.

Password Management Systems

Organisations relying on passwords should implement a secure password management system with features that:

  • Allow users to select and change passwords, including confirmation procedures to address input errors.
  • Enforce strong password policies aligned with best practices.
  • Mandate password changes upon first login and after security incidents.
  • Prevent password reuse and the use of commonly compromised or weak passwords.
  • Mask passwords during entry and ensure they are stored and transmitted securely.

Cryptographic Standards

All passwords should be protected with approved cryptographic techniques: stored only as salted hashes, never in plaintext or reversible form, and encrypted while in transit.
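As an added illustration (not code from the standard or from this page), the following Python sketch shows how the password-management features listed above and the hashing requirement can be implemented together: a temporary credential that must be changed on first use, a confirmation step against input errors, a minimum length and a denylist of commonly compromised passwords, a reuse history, lockout after repeated failures, and storage of salted PBKDF2 hashes only. All function names, thresholds and the denylist are constructed assumptions.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass, field

# Constructed denylist standing in for a real breached-password corpus.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "welcome1"}
MIN_LENGTH, HISTORY_DEPTH, MAX_FAILURES = 12, 5, 5
ITERATIONS = 200_000  # lowered for the demo; follow current guidance in production

def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256 with a fresh random salt for every new password.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    must_change: bool = True  # temporary credential: must be changed on first use
    failures: int = 0
    history: list = field(default_factory=list)  # (salt, digest) of old passwords

def enrol():
    # Issue a random temporary password; only its salted hash is retained.
    temp = secrets.token_urlsafe(12)
    return temp, Account(*hash_password(temp))

def verify(acct, password):
    # Constant-time comparison; the account locks after MAX_FAILURES failures.
    if acct.failures >= MAX_FAILURES:
        return "locked"
    if not hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
        acct.failures += 1
        return "locked" if acct.failures >= MAX_FAILURES else "denied"
    acct.failures = 0
    return "change_required" if acct.must_change else "ok"

def change_password(acct, new, confirm):
    # Confirmation, policy and reuse checks; returns an error string or None.
    if new != confirm:
        return "confirmation mismatch"
    if len(new) < MIN_LENGTH or new.lower() in WEAK_PASSWORDS:
        return "weak or commonly compromised"
    for salt, digest in [(acct.salt, acct.digest), *acct.history]:
        if hmac.compare_digest(hash_password(new, salt)[1], digest):
            return "reused"
    acct.history = [(acct.salt, acct.digest), *acct.history][:HISTORY_DEPTH]
    acct.salt, acct.digest = hash_password(new)
    acct.must_change, acct.failures = False, 0
    return None
```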


Exploring Advanced Authentication Methods

Beyond traditional passwords, organisations can enhance security through advanced authentication methods such as:

  • Cryptographic Keys: Securely stored keys for user and system validation.
  • Hardware Tokens: Physical devices, like smart cards, that generate unique authentication codes.
  • Biometric Data: Fingerprints, iris scans, or facial recognition for identity verification.

Tools like Single Sign-On (SSO) and password vaults can simplify credential management while reducing the risk of human error. However, because they concentrate access behind a single credential or session, these tools must be configured to mitigate the risks that follow from that credential being compromised.


FAQs

What is the focus of Control 5.17 in ISO 27001?

Control 5.17 ensures that authentication information (like passwords, tokens, and biometric data) is securely managed to prevent unauthorised access to systems and data. It helps safeguard identity and system integrity.

What counts as authentication information?

This includes any method used to verify a user’s identity, such as:

– Passwords
– PINs
– Smart cards
– Biometric data (fingerprints, facial recognition)
– One-time passwords (OTPs)
– Multi-factor authentication (MFA) tokens

What are best practices for protecting authentication information?

Some key practices include:

– Storing passwords hashed and salted
– Enforcing strong password policies
– Using MFA wherever possible
– Never sharing or reusing credentials
– Locking accounts after repeated failed login attempts

Is password management software acceptable under this control?

Yes, password managers are recommended tools, especially for managing complex, unique passwords. Just ensure the tool is secure, reputable, and used properly (e.g., protected by MFA).

How does this control support GDPR compliance?

Under GDPR, protecting personal data is essential, and that starts with strong access controls. Control 5.17 helps ensure only authorised users can access data, reducing the risk of data breaches and ensuring accountability.

Conclusion

Authentication information management is critical to organisational security. By adopting robust processes for allocation, educating users on secure handling, and implementing advanced authentication methods, organisations can protect sensitive resources, reduce risks, and build a resilient security posture. Strong authentication practices are essential for fostering trust, ensuring compliance, and safeguarding valuable organisational data.