ISO 27002:2022, Control 8.5, Secure Authentication

ISO 27002:2022 – Control 8.5 – Secure Authentication

ISO 27002 Control 8.5 focuses on implementing secure authentication methods like multi-factor authentication (MFA), biometrics, and secure tokens to prevent unauthorised access to IT systems. It emphasises best practices such as restricting information display before login, using pre-logon warnings, and limiting login assistance to unauthorised users.

Purpose of Control 8.5

Secure authentication is the primary method which human and non-human users engage with when attempting to utilise an organisation’s ICT assets.

Over the past decade, authentication technology has undergone a fundamental shift from traditional username/password-based validations into a variety of complementing techniques involving biometric information, logical and physical access controls, external device authentications, SMS codes and one time passwords (OTP).

27002:2022-8.5 puts all of this into context and advises organisations on precisely how they should be controlling access to their ICT systems and assets via a secure login gateway.

Control 8.5 is a preventative control that maintains risk by implementing technology and establishing topic-specific secure authentication procedures that ensure human and non-human users and identities undergo a robust and secure authentication procedure when attempting to access ICT resources.

Attributes Table of Control 8.5

Control Type	Information Security Properties	Cybersecurity Concepts	Operational Capabilities	Security Domains
#Preventive	#Confidentiality	#Protect	#Identity and Access Management	#Protection
	#Integrity
	#Availability

Ownership of Control 8.5

Control 8.5 deals with an organisation’s ability to control access to its network (and the information and data contained within) at critical junctions, such as a login gateway.

Whilst the control does deal with information and data security as a broader concept, the operational guidance is primarily of a technical nature.

As such, ownership should reside with the Head of IT (or organisational equivalent), who holds responsibility for the organisation’s day-to-day IT administration functions.

ISMS.online gives you an 81% Headstart from the moment you log on

ISO 27001 made easy

We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.

Get started

General Guidance on Control 8.5

Control 8.5 asks organisations to consider authentication controls that are relevant to the type and sensitivity of the data and network that’s being accessed, including:

Multi-factor authentication (MFA)
Digital certificates
Smart access controls (smart cards)
Biometric logins
Secure tokens

The overriding goal of an organisation’s secure authentication controls should be to prevent and/or minimise the risk of unauthorised access to its protected systems.

To achieve this, Control 8.5 outlines 12 main guidance points. Organisations should:

Restrict the display of information until after a successful authentication attempt.
Display a warning pre-logon which clearly states that information should only be accessed by authorised users.
Minimise the assistance it provides to unauthenticated users who are attempting to access the system e.g. organisations should not divulge which specific part of a login attempt is incorrect, such as a biometric aspect of an MFA login, and instead simply state that the login attempt has failed.
Validate the login attempt only when all required information has been provided to the login service, to maintain security.
Implement industry-standard security measures that protect against blanket access and/or brute force attacks on login portals. These measures can include:

CAPTCHA controls
Enforcing a password reset after a set amount of failed login attempts
Preventing further login attempts following a predefined number of failed attempts

Recording all failed login attempts for auditing and security purposes, including their use in criminal and/or regulatory proceedings.
Initiating a security incident whenever a major login discrepancy is detected, such as a perceived intrusion. In these cases, all relevant internal personnel should be notified, particularly those with systems administrator access or any ability to combat malicious login attempts.
Upon validating a login, relay certain pieces of information to a separate data source that list:

The date and time of the previous successful logon
A list of all login attempts since the last validated logon

Display passwords as asterisk’s (or similarly abstract symbols), where there is no pressing need not to do so (e.g. user accessibility).
Strictly prohibit the sharing of or display of passwords as clear, legible text.
Maintain a policy of terminating dormant login sessions after a specific period of time. This is particularly relevant for sessions that are active in high risk locations (remote working environments) or on user-supplied assets such as personal laptops or mobile phones.
Limiting the amount of time that an authenticated session can remain open – even when active – relative to the information that’s being accessed (i.e. business critical information or financially sensitive applications).

Guidance – Biometric Logins

ISO recommends that due to a number of factors related to the effectiveness and integrity of biometric login processes over traditional measures (passwords, MFA, tokens etc.), biometric authentication methods should not be used in isolation, and accompanied by at least one other login technique.

ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

Book your demo

Changes and Differences from ISO 27002:2013

27002:2022-8.5 replaces 27002:2014-9.4.2 (Secure log-on procedures).

27002:2022-8.5 contains the same 12 guidance points as its 2013 counterpart, with minor adjustments to the wording, and follows the same set of underlying security principles.

In-line with the rise of MFA and biometric login technologies over the past decade, 27002:2022-8.5 contains explicit guidance on the use of both techniques that organisations should consider when formulating their own set of login controls.

New ISO 27002 Controls

New Controls

ISO/IEC 27002:2022 Control Identifier	ISO/IEC 27002:2013 Control Identifier	Control Name
5.7	NEW	Threat intelligence
5.23	NEW	Information security for use of cloud services
5.30	NEW	ICT readiness for business continuity
7.4	NEW	Physical security monitoring
8.9	NEW	Configuration management
8.10	NEW	Information deletion
8.11	NEW	Data masking
8.12	NEW	Data leakage prevention
8.16	NEW	Monitoring activities
8.23	NEW	Web filtering
8.28	NEW	Secure coding

Organisational Controls

ISO/IEC 27002:2022 Control Identifier	ISO/IEC 27002:2013 Control Identifier	Control Name
5.1	05.1.1, 05.1.2	Policies for information security
5.2	06.1.1	Information security roles and responsibilities
5.3	06.1.2	Segregation of duties
5.4	07.2.1	Management responsibilities
5.5	06.1.3	Contact with authorities
5.6	06.1.4	Contact with special interest groups
5.7	NEW	Threat intelligence
5.8	06.1.5, 14.1.1	Information security in project management
5.9	08.1.1, 08.1.2	Inventory of information and other associated assets
5.10	08.1.3, 08.2.3	Acceptable use of information and other associated assets
5.11	08.1.4	Return of assets
5.12	08.2.1	Classification of information
5.13	08.2.2	Labelling of information
5.14	13.2.1, 13.2.2, 13.2.3	Information transfer
5.15	09.1.1, 09.1.2	Access control
5.16	09.2.1	Identity management
5.17	09.2.4, 09.3.1, 09.4.3	Authentication information
5.18	09.2.2, 09.2.5, 09.2.6	Access rights
5.19	15.1.1	Information security in supplier relationships
5.20	15.1.2	Addressing information security within supplier agreements
5.21	15.1.3	Managing information security in the ICT supply chain
5.22	15.2.1, 15.2.2	Monitoring, review and change management of supplier services
5.23	NEW	Information security for use of cloud services
5.24	16.1.1	Information security incident management planning and preparation
5.25	16.1.4	Assessment and decision on information security events
5.26	16.1.5	Response to information security incidents
5.27	16.1.6	Learning from information security incidents
5.28	16.1.7	Collection of evidence
5.29	17.1.1, 17.1.2, 17.1.3	Information security during disruption
5.30	5.30	ICT readiness for business continuity
5.31	18.1.1, 18.1.5	Legal, statutory, regulatory and contractual requirements
5.32	18.1.2	Intellectual property rights
5.33	18.1.3	Protection of records
5.34	18.1.4	Privacy and protection of PII
5.35	18.2.1	Independent review of information security
5.36	18.2.2, 18.2.3	Compliance with policies, rules and standards for information security
5.37	12.1.1	Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control Identifier	ISO/IEC 27002:2013 Control Identifier	Control Name
6.1	07.1.1	Screening
6.2	07.1.2	Terms and conditions of employment
6.3	07.2.2	Information security awareness, education and training
6.4	07.2.3	Disciplinary process
6.5	07.3.1	Responsibilities after termination or change of employment
6.6	13.2.4	Confidentiality or non-disclosure agreements
6.7	06.2.2	Remote working
6.8	16.1.2, 16.1.3	Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control Identifier	ISO/IEC 27002:2013 Control Identifier	Control Name
7.1	11.1.1	Physical security perimeters
7.2	11.1.2, 11.1.6	Physical entry
7.3	11.1.3	Securing offices, rooms and facilities
7.4	NEW	Physical security monitoring
7.5	11.1.4	Protecting against physical and environmental threats
7.6	11.1.5	Working in secure areas
7.7	11.2.9	Clear desk and clear screen
7.8	11.2.1	Equipment siting and protection
7.9	11.2.6	Security of assets off-premises
7.10	08.3.1, 08.3.2, 08.3.3, 11.2.5	Storage media
7.11	11.2.2	Supporting utilities
7.12	11.2.3	Cabling security
7.13	11.2.4	Equipment maintenance
7.14	11.2.7	Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control Identifier	ISO/IEC 27002:2013 Control Identifier	Control Name
8.1	06.2.1, 11.2.8	User endpoint devices
8.2	09.2.3	Privileged access rights
8.3	09.4.1	Information access restriction
8.4	09.4.5	Access to source code
8.5	09.4.2	Secure authentication
8.6	12.1.3	Capacity management
8.7	12.2.1	Protection against malware
8.8	12.6.1, 18.2.3	Management of technical vulnerabilities
8.9	NEW	Configuration management
8.10	NEW	Information deletion
8.11	NEW	Data masking
8.12	NEW	Data leakage prevention
8.13	12.3.1	Information backup
8.14	17.2.1	Redundancy of information processing facilities
8.15	12.4.1, 12.4.2, 12.4.3	Logging
8.16	NEW	Monitoring activities
8.17	12.4.4	Clock synchronization
8.18	09.4.4	Use of privileged utility programs
8.19	12.5.1, 12.6.2	Installation of software on operational systems
8.20	13.1.1	Networks security
8.21	13.1.2	Security of network services
8.22	13.1.3	Segregation of networks
8.23	NEW	Web filtering
8.24	10.1.1, 10.1.2	Use of cryptography
8.25	14.2.1	Secure development life cycle
8.26	14.1.2, 14.1.3	Application security requirements
8.27	14.2.5	Secure system architecture and engineering principles
8.28	NEW	Secure coding
8.29	14.2.8, 14.2.9	Security testing in development and acceptance
8.30	14.2.7	Outsourced development
8.31	12.1.4, 14.2.6	Separation of development, test and production environments
8.32	12.1.2, 14.2.2, 14.2.3, 14.2.4	Change management
8.33	14.3.1	Test information
8.34	12.7.1	Protection of information systems during audit testing

How ISMS.online Helps

Our cloud-based platform provides you with a robust framework of information security controls so that you can checklist your ISMS process as you go to ensure that it meets the requirements for ISO 27000k. Used properly, ISMS. online can assist you in achieving certification with the bare minimum of time and resources.

Get in touch today to book a demo.

We’re a Leader in our Field