Secure Authentication - ISO 27001 Annex A Control

ISO 27001 Annex A 8.5

Authentication is where access control gets tested in real time.

ISO 27001 Annex A 8.5 - Secure Authentication

Authentication is the control that confirms a user is who they claim to be. Get it wrong and every other access control falls because the wrong person is now operating with the right person's permissions. The control asks for authentication mechanisms to be matched to the sensitivity of the access they protect.

Multi-factor authentication is the baseline for anything beyond purely public services. Passwords alone are not sufficient because they get reused, phished and leaked. Adding a second factor - typically a hardware token, authenticator app, or biometric - makes credential theft much harder to operationalise. The standard expectation is now multi-factor for all staff access to organisational systems.

Authentication design also has to account for the user experience. Mechanisms that are too friction-heavy drive workarounds; mechanisms that are too lightweight provide insufficient protection. Risk-based authentication - applying stronger factors when the context looks unusual - is one way to balance the two.

Multi-factor authentication is now the audit baseline for organisational access. An ISMS without MFA on staff accounts will face hard questions about whether the access controls are operating effectively. Coverage matters as much as deployment - MFA on most accounts but not all is a gap that needs closing rather than explaining.

The authentication that gets bypassed most often is the one that does not feel proportionate to what it protects. Forcing MFA on a low-sensitivity service every time someone logs in trains people to click through prompts without thinking. Reserving stronger authentication for higher-stakes actions makes the control work as intended.

Practical Compliance Guidance

Authentication arrangements are described in the IMS1 manual at section 8.5 alongside the Access Control Policy. Identity provider configuration provides the operational evidence.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

PP-8-100 Information Security Policy Procedure - Contains the Access Control Policy including the authentication requirements for different system categories. Use as the source for authentication standards.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

As a baseline, yes, with the second factor proportionate to the system. Some systems may use phishing-resistant authentication (hardware keys), some may use authenticator apps, and some may use SMS or email codes for less sensitive access. The policy should set the standard and the implementation should follow.

Service accounts cannot present a second factor in the way human users can. The control compensates through other means - certificate-based authentication, restricted source IPs, short-lived tokens, and tight monitoring of usage. The Privileged Access controls under A.8.2 cover the wider service account population.

Modern guidance has moved away from forced periodic rotation toward longer, less complex passwords with rotation only on suspicion of compromise. The position should be set in the policy and reflect current expectations from sources such as NCSC.
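The proportionate, risk-based approach described above (stronger factors for higher-sensitivity systems and unusual context, no reflexive re-prompting on low-sensitivity services) can be expressed as a small policy evaluator. This is an added example, not alphaZ's code or any identity provider's API; the tier names, assurance levels and context signals are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assurance levels, weakest to strongest (constructed ordering, mirroring the
# FAQ: password or SMS/email code, authenticator app, phishing-resistant key).
LEVELS = ["password", "otp", "phishing_resistant"]

# Baseline factor per system sensitivity tier (constructed mapping; the real
# tiers belong in the Access Control Policy).
BASELINE = {"public": None, "standard": "otp", "high": "phishing_resistant"}


@dataclass
class Context:
    """Signals available to the identity provider at login (constructed)."""
    tier: str
    known_device: bool = True
    usual_location: bool = True
    privileged_action: bool = False
    recently_authenticated: bool = False

    def unusual(self) -> bool:
        return not (self.known_device and self.usual_location)


def required_factor(ctx: Context) -> Optional[str]:
    """Strongest factor this context demands; None means anonymous access is fine."""
    base = BASELINE[ctx.tier]
    if base is None and not ctx.privileged_action:
        return None
    level = LEVELS.index(base) if base else 0
    # Step up one level per unusual signal; privileged actions always need the top level.
    level += (not ctx.known_device) + (not ctx.usual_location)
    if ctx.privileged_action:
        level = len(LEVELS) - 1
    return LEVELS[min(level, len(LEVELS) - 1)]


def prompt_needed(ctx: Context, presented: List[str]) -> bool:
    """Whether the user must be prompted for a further factor.

    A recent, unremarkable session on a non-high tier is not re-prompted, so a
    low-sensitivity service does not train people to click through MFA prompts.
    """
    need = required_factor(ctx)
    if need is None:
        return False
    if (ctx.recently_authenticated and ctx.tier != "high"
            and not ctx.unusual() and not ctx.privileged_action):
        return False
    have = max((LEVELS.index(p) for p in presented), default=-1)
    return LEVELS.index(need) > have
```

Coverage gaps show up as contexts for which `required_factor` returns a level the account population cannot present, which is exactly the "most accounts but not all" situation the audit will ask about.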
