ISO 27001:2022 Control 5.17 (A.5.17)

Explaining Annex A Control 5.17 Authentication information

Control 5.17 (A.5.17) of ISO 27001:2022 focuses on the secure allocation and management of authentication information, such as passwords and cryptographic keys. Its primary aim is to ensure proper entity authentication and prevent failures in authentication processes, thereby safeguarding information security properties like confidentiality, integrity, and availability.

Control Type

Information Security Properties

Cybersecurity Concepts

Operational Capabilities

Security Domains

Objective of Control 5.17

The primary objective of this control is to establish a robust process for managing authentication information in your organization. This includes ensuring that authentication credentials are securely generated, distributed, and stored, while also promoting responsible usage by all personnel. Via addressing these areas, your organization can prevent failures in authentication processes, which could lead to unauthorized access to critical systems and data.

Purpose of Control 5.17

Control 5.17 is designed to:

Facilitate proper entity authentication by ensuring that users are accurately identified before being granted access to systems or information.
Protect authentication information from unauthorized disclosure, loss, or compromise.
Prevent security failures that may arise due to poor handling, weak passwords, or ineffective authentication practices.

Components of Authentication Information Management

1. Allocation and Management of Authentication Information

The allocation and management process ensures that authentication credentials are securely created, distributed, and maintained. Specific considerations include:

Secure Generation of Credentials: Temporary passwords or PINs generated during enrollment processes should be unique, non-guessable, and issued with a requirement for users to change them after first use. Automating this process reduces the risk of human error and ensures compliance with security best practices.
Identity Verification: Establish procedures to confirm the identity of a user before issuing or resetting authentication credentials. For example, users may need to provide personal identifiers or use multi-factor authentication (MFA) during the identity verification process.
Secure Transmission: Authentication credentials must be transmitted using secure channels, such as encrypted communication protocols, to prevent interception. Avoid using clear-text email or other unprotected methods for transmitting sensitive information.
Acknowledgment of Receipt: Users should formally acknowledge receipt of their credentials. This step ensures that they are aware of their responsibilities regarding the use and protection of authentication information.
Changing Default Credentials: Default passwords or credentials provided by vendors must be changed immediately after system installation. Failing to do so creates a significant security vulnerability.
Record-Keeping: Maintain logs of significant events related to the allocation and management of authentication credentials. These records should be stored securely and reviewed periodically to identify potential issues or anomalies.

2. User Responsibilities

Users play a critical role in maintaining the security of authentication information. Your organization should establish clear guidelines for users, including:

Confidentiality of Credentials: Users must ensure that passwords or other forms of authentication information remain confidential. Personal passwords should never be shared, and credentials associated with shared accounts should only be accessible to authorized individuals.
Handling Compromised Credentials: If a user suspects that their credentials have been compromised, they must report the issue immediately and change their authentication information without delay.
Strong Password Practices: Encourage users to follow best practices for creating secure passwords:
- Avoid using personal information, such as names or birthdates, in passwords.
- Use passphrases that include a mix of uppercase letters, lowercase letters, numbers, and special characters.
- Ensure that passwords meet a minimum length requirement, such as 12 characters or more.
- Refrain from using the same password for multiple accounts or services.
Training and Awareness: Users should be regularly educated on the importance of authentication security and the potential risks of poor practices. Include these requirements in employment contracts and terms of service.

3. Password Management Systems

A password management system can significantly enhance the security and usability of authentication processes. Key features include:

User Control: Enable users to create and change their own passwords, while implementing confirmation steps to reduce input errors.
Enforcement of Policies: Automatically enforce strong password policies to ensure compliance with security standards. For example, the system should reject passwords that are too weak, commonly used, or part of known compromised databases.
Mandatory Password Changes: Require users to change passwords after their first login, after a suspected compromise, or upon termination of employment.
Prevention of Reuse: Prevent users from reusing previously used passwords to reduce the risk of compromised credentials.
Secure Storage and Encryption: Store passwords using approved encryption and hashing techniques. Ensure that passwords are never stored or transmitted in plaintext.

4. Supplementary Authentication Methods

In addition to passwords, your organization should consider implementing alternative or supplementary authentication methods, such as:

Multi-Factor Authentication (MFA): Combine something the user knows (e.g., a password) with something they have (e.g., a hardware token) or something they are (e.g., a biometric).
Biometric Authentication: Use biometric data, such as fingerprints or facial recognition, to enhance security.
Cryptographic Keys: Deploy cryptographic key pairs for more advanced authentication scenarios.

Considerations for Employee Changes and Termination

Whenever an employee’s status changes (promotion, transfer, resignation, or termination), access rights should be adjusted to prevent security risks.

Key factors to consider:

Who initiated the termination? Voluntary exits pose lower risks than involuntary terminations.
What systems did the employee access? Remove access to all business-critical applications.
Is there an offboarding checklist? Ensure no lingering access remains.

Relevant Controls in ISO 27001

Control 5.17 is closely linked to several other controls within ISO 27001, including:

Control 5.16 – Identity Management: Focuses on the proper creation and management of user identities to ensure secure access.
Control 5.18 – Access Rights: Provides guidelines for managing user access rights based on their roles and responsibilities.
Control 8.24 – Secure Password Encryption and Hashing: Details the cryptographic standards required for storing and transmitting passwords securely.

Supporting Templates Available on Our Website

To facilitate the implementation of Control 5.17 in your organization, we offer the following templates:

Access Control Policy Template: A comprehensive guide for defining and managing user access and authentication policies.
Password Policy Template: Detailed procedures for creating, distributing, and maintaining secure passwords.
User Authentication Information Acknowledgment Form: A form for users to confirm receipt and understanding of authentication credentials.
Incident Response Plan Template: Step-by-step guidance for responding to authentication credential compromises and other security incidents.

Conclusion

Authentication information is a critical aspect of your organization’s cybersecurity framework. By implementing the practices outlined in ISO 27001 Control 5.17, your organization can reduce the risk of unauthorized access, safeguard sensitive information, and maintain compliance with international security standards. Supporting users with training, robust management systems, and well-defined policies ensures that authentication processes remain secure and effective.