Authentication Information - ISO 27001 Annex A Control
ISO 27001 Annex A 5.17
Passwords alone do not protect access - manage authentication properly.
ISO 27001 Annex A 5.17 - Authentication Information
Authentication information is what proves an identity - passwords, multi-factor codes, biometric data, cryptographic keys, hardware tokens. The control covers how this information is allocated, used and protected through its lifecycle.
Allocation has to follow a controlled process. Initial credentials should be issued securely, communicated through a separate channel from the username, and require change on first use where possible. Reset processes need to verify the user before issuing new credentials, and reset codes should be time-limited.
Day-to-day handling matters as much as allocation. Authentication information must not be shared, stored insecurely, or used in ways that expose it to other people. The supporting password policy sets the rules for staff - what makes a strong password, when to change it, what not to do with it. Multi-factor authentication on sensitive systems significantly reduces the impact if a password is compromised.
Current good practice on passwords has shifted from the old approach of forced 90-day resets to longer, stronger passwords with multi-factor authentication on top. The standard does not prescribe a specific approach, but it expects the rules in your policy to reflect current good practice rather than rules that were drafted ten years ago and never updated.
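The allocation and reset lifecycle described above can be made concrete in code. The following is an added illustration, not part of the alphaZ toolkit or the standard: it issues a random initial password that must be changed on first use, stores only hashes of passwords and reset codes, and accepts a reset code only once and only inside a time limit after the requester's identity has been verified. The 15-minute TTL, the PBKDF2 work factor and the names `CredentialStore`, `provision`, `issue_reset_token`, `redeem_reset_token` and `login` are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed policy value: reset codes expire after 15 minutes (not specified on the page).
RESET_TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000  # assumed work factor for password hashing


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    must_change_password: bool = True         # forces a change after first use
    reset_token_hash: Optional[bytes] = None  # only the hash of a live reset code is kept
    reset_token_expires_at: float = 0.0       # epoch seconds; meaningless when no code is live


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for user-chosen passwords (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hash_token(token: str) -> bytes:
    """Reset codes are high-entropy random strings, so a fast hash is enough to
    stop a leaked account table from revealing live codes."""
    return hashlib.sha256(token.encode()).digest()


class CredentialStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def provision(self, username: str) -> str:
        """Allocate an account with a random initial password. The caller delivers
        the username and this password over separate channels; the account is
        flagged so the initial password cannot be kept in use."""
        initial_password = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(
            username=username,
            salt=salt,
            password_hash=hash_password(initial_password, salt),
            must_change_password=True,
        )
        return initial_password

    def issue_reset_token(self, username: str, identity_verified: bool, now: float) -> Optional[str]:
        """Issue a time-limited reset code only after the requester's identity has
        been verified by whatever check the reset process requires."""
        account = self.accounts.get(username)
        if account is None or not identity_verified:
            return None
        token = secrets.token_urlsafe(32)
        account.reset_token_hash = hash_token(token)
        account.reset_token_expires_at = now + RESET_TOKEN_TTL_SECONDS
        return token

    def redeem_reset_token(self, username: str, token: str, new_password: str, now: float) -> bool:
        """Accept a reset code once, and only while it is still within its TTL."""
        account = self.accounts.get(username)
        if account is None or account.reset_token_hash is None:
            return False
        if now > account.reset_token_expires_at:
            account.reset_token_hash = None  # expired codes are discarded, not left lying around
            return False
        if not hmac.compare_digest(account.reset_token_hash, hash_token(token)):
            return False
        account.reset_token_hash = None  # single use: the code is consumed on success
        account.salt = secrets.token_bytes(16)
        account.password_hash = hash_password(new_password, account.salt)
        account.must_change_password = False
        return True

    def login(self, username: str, password: str) -> str:
        """Return "ok", "change_required" (correct but still the issued initial
        password) or "denied"."""
        account = self.accounts.get(username)
        if account is None:
            hash_password(password, b"\x00" * 16)  # same cost whether or not the user exists
            return "denied"
        if not hmac.compare_digest(account.password_hash, hash_password(password, account.salt)):
            return "denied"
        return "change_required" if account.must_change_password else "ok"


if __name__ == "__main__":
    store = CredentialStore()
    first = store.provision("alice")
    print(store.login("alice", first))  # change_required
    code = store.issue_reset_token("alice", identity_verified=True, now=1000.0)
    print(store.redeem_reset_token("alice", code, "new passphrase", now=1060.0))  # True
    print(store.login("alice", "new passphrase"))  # ok
```

Two design points match the control text: the reset code is never stored in clear (only its hash, compared in constant time), and a code that has expired or been used once is cleared rather than retained, so a later replay fails regardless of whether the attacker learned it.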
Practical Compliance Guidance
Authentication information arrangements are described in the IMS1 manual at section 8.5 alongside the Identity Management and Password and Secure Authentication policies.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| PP-8-100 Information Security Policy Procedure | Contains the Password and Secure Authentication Policy, which sets out the rules for password management and the use of authentication factors. |
Note - all the above files can be downloaded with an alphaZ subscription.
