- See ISO 27002:2022 Control 5.17 for more information.
- See ISO 27001:2013 Annex A 9.2.4 for more information.
- See ISO 27001:2013 Annex A 9.3.1 for more information.
- See ISO 27001:2013 Annex A 9.4.3 for more information.
ISO 27001:2022 Control 5.17 Explained: Safeguarding Authentication Data
ISO 27001:2022 Annex A Control 5.17 states that authentication information should be kept secure.
This means that organisations must take appropriate steps to protect user credentials, such as passwords and security questions, from unauthorised access. They must also ensure that users are able to access the system with their credentials in a secure manner. Furthermore, organisations should also make sure that users can reset their credentials when necessary.
Authentication details (passwords, encryption keys and card chips) provide entry to information systems containing sensitive data.
Poor handling of authentication information can lead to unauthorised access to data systems and the loss of confidentiality, availability, and integrity of sensitive data.
What Is the Purpose of ISO 27001:2022 Annex A Control 5.17?
Annex A Control 5.17 allows organisations to effectively allocate and manage authentication information, avoiding breakdowns in the authentication process and guarding against security threats that could result from the manipulation of authentication information.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Ownership of Annex A 5.17
ISO 27001:2022 Annex A Control 5.17 requires the establishment and implementation of organisation-wide rules, procedures, and measures for the allocation and management of authentication information. Information security officers should ensure compliance with this control.
Annex A 5.17 Guidance on Allocation of Authentication Information
Organisations should adhere to these six requirements for the allotment and administration of authentication information:
- Upon enrolment of new users, automatically generated personal passwords and personal identification numbers must be non-guessable. Additionally, each user must have a unique password and it is obligatory to change passwords after initial use.
- Organisations should have solid processes to check a user’s identity before they are given new or replacement authentication info, or are provided with temporary info.
- Organisations should guarantee the secure transmission of authentication details to individuals via secure pathways, and must not send such information over unsecure electronic messages (e.g. plain text).
- Users must ensure they have received the authentication details.
- Organisations should act quickly after installing new IT systems and software, altering the default authentication details straight away.
- Organisations ought to set up and persistently keep records of all significant events in relation to the management and allocation of authentication information. These records must be kept private and methods of record-keeping should be authorised, e.g. with the use of an authorised password tool.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Annex A 5.17 Guidance on User Responsibilities
Users with access to authentication information should be instructed to adhere to the following:
- Users must keep secret authentication information such as passwords confidential and must not share it with anyone else. When multiple users are involved in the use of authentication information or the information is linked to non-personal entities, they must not disclose it to unauthorised individuals.
- Users must switch their passwords straight away if the secrecy of their passwords has been breached.
- Users should select hard-to-guess, strong passwords in compliance with industry standards. For example:
- Passwords should not be based on personal information that can be easily obtained, such as names or birthdates.
- Passwords should not be founded on information that can be readily guessed.
- Passwords must not comprise of words or sequences of words that are common.
- Use alphanumerics and special characters in your password.
- Passwords should have a minimum length requirement.
- Users must not employ the same password for various services.
- Organisations should have their employees accept the responsibility for creating and using passwords in their employment contracts.
Annex A 5.17 Guidance on Password Management Systems
Organisations should observe the following when setting up a password management system:
- Users should have the ability to create and modify their passwords, with a verification procedure in place to detect and rectify any mistakes when entering data.
- Organisations should abide by industry best practices when developing a robust password selection process.
- Users must change their default passwords upon first accessing a system.
- It’s essential to change passwords when appropriate. For instance, after a security incident or when an employee leaves their job, and had access to passwords, a password change is necessary.
- Previous passwords should not be recycled.
- The use of passwords that are widely known, or have been accessed in a breach of security, should not be permitted for accessing any hacked systems.
- When passwords are inputted, they should be displayed on the screen in clear text.
- Passwords must be transmitted and stored through secure channels in a secure format.
Organisations should also implement hashing and encryption procedures in line with the approved cryptographic methods for passwords stated in Annex A Control 8.24 of ISO 27001:2022.
Supplementary Guidance on Annex A Control 5.17
In addition to passwords, other forms of authentication, such as cryptographic keys, smart cards, and biometric data like fingerprints.
Organisations should look to the ISO/IEC 24760 series for further advice on authentication data.
Considering the hassle and annoyance of regularly changing passwords, organisations may consider alternatives such as single sign-on or password vaults. It should be noted, however, that these options increase the risk of confidential authentication information being exposed to unauthorised parties.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Changes and Differences from ISO 27001:2013
ISO 27001:2022 Annex A 5.17 is the replacement for ISO 27001:2013 Annex A 9.2.4, 9.3.1 and 9.4.3.
ISO 27001:2022 Contains a New Requirement for Allocation and Management of Authentication Information
In 2013, the requirements for allocating and managing authentication information were very similar. However, ISO 27001:2022 Annex A Control 5.17 introduced a requirement that was not present in 2013.
Organisations must create and maintain records for all significant events associated with the management and distribution of authentication info. These records should be kept confidential, with authorised record-keeping techniques, for example, the use of an accepted password tool.
The 2022 Version Contains an Additional Requirement for Use of Authentication Information
ISO 27001:2022 Annex A Control 5.17 introduces a requirement for user responsibilities that wasn’t specified in Control 9.3.1 of the 2013 version.
Organisations should include password requirements in their contracts with employees and staff. Such requirements should cover the creation and use of passwords.
ISO 27001:2013 Contained an Additional Requirements for User Responsibilities That Was Not Included in the 2022 Version
In comparison to the 2022 Version, Control 9.3.1 contained the following mandate for the employment of authentication data:
Users ought not to employ the same authentication details, for example a password, for both work and non-work purposes.
ISO 27001:2013 Contained an Additional Requirement for Password Management Systems That Was Not Included in the 2022 Version
Control 9.4.3 of the 2013 Version requires that password management systems must:
Ensure files with passwords should be held on a different system to the one hosting application data.
ISO 27001:2022 Annex A Control 5.17 does not require this.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]
How ISMS.online Help
ISMS.Online enables organisations and businesses to comply with ISO 27001:2022 necessities by providing them with a platform that facilitates managing, updating, testing and monitoring the effectiveness of their confidentiality or non-disclosure policies and procedures.
We offer a cloud-based platform for administering Confidentiality and Information Security Management Systems, featuring non-disclosure clauses, risk management, policies, plans, and procedures, all in one convenient location. It is straightforward to use, with an intuitive interface that makes it simple to learn.
Get in touch with us today to arrange a demonstration.
