The purpose of this ISO27001 control is to ensure that the person (or system) attempting to access your systems or data is who they say they are. Keep in mind that it relates to both people and systems. Also, don’t confuse authentication with identification. There is a difference.
Identification would be someone showing an ID Card.
Authentication is the process of verifying that the ID Card is genuine and that it belongs to you.
For example, imagine someone walks into the reception of an office block with an ID card. They can use the ID card to ‘swipe’ themselves into the prime office space with no issues. However, secure authentication would require that person to show the card to the security officer or receptionist, who would then authenticate that the card belongs to the individual.
For authentication to work effectively, there must be an internal check against a trusted source. In the example above, the security officer or receptionist might check an internal register of people, and verify that the card belongs to the card carrier.
What does the standard require?
The standard states that “Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.” (A8.5 – Secure Authentication)
Note that this control refers to the topic-specific Access Control Policy which is covered in ISO27001 Annex A Control (A5.15 - Access Control), but it also mentions access restrictions. Therefore keep in mind that ISO27001 Annex A control (A8.3 - Information Access Restriction) needs to be read and understood too.
Why is this required?
It’s important to ensure that the people and systems you allow to access your processing facilities (physical or digital), are who they say they are. Without secure authentication controls in place, you run the risk of data breaches and disruption to systems and services.
To authenticate someone (or something) means that you can verify their identity and therefore they can be trusted.
What the auditor is looking for
For this ISO27001 control, the auditor will look for evidence of both technical and operational security measures, including:
Segregation of duties (A5.3 - Segregation of duties).
Access Control Policy (A5.15 – Access Control).
Process for allocating authentication information (A5.17 - Authentication Information).
Access Rights (A5.18 – Access Rights).
Physical Entry Controls (A7.2 - Physical entry controls).
Secure Login Procedures (e.g. HTTPS protocols for online portals).
Multi-Factor Authentication (MFA) technologies are in place.
Awareness, education and training (A7.9 - Security of assets off-premises).
Logs and monitoring (A8.15 – Logging & A8.16 Monitoring Activities).
Risk Register.
What do you need to do?
Note that this ISO27001 Annex A Control specifically mentions the Access Control Policy that you defined in ISO27001 Annex A Control (A5.15 - Access Control). So your first task is to ensure you have this Access Control Policy in place. If you haven’t addressed this yet, then you should review the information we’ve provided on this ISO27001 control, as you will not be able to demonstrate compliance without it.
One of the simplest ways to start is to gain access to the systems yourself and note how you are authenticated. If this is an online portal, how does it prevent brute-force attacks from being carried out? For example, does it allow credentials to be pasted into the login form? This is a technique known as ‘credential stuffing’ and is a form of brute-force attack. Also, does the system hide important or sensitive data until you have securely authenticated? If not, this is a potential risk and it is important to take note of it.
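As an added example (not part of the original article), the Python script below shows one way to check authentication logs for the two patterns mentioned above: repeated failures against a single account (brute force) and one source attempting many different accounts (credential stuffing). The log format, field names, thresholds and sample lines are assumptions constructed for illustration.

```python
"""Flag brute-force and credential-stuffing patterns in login logs.
Added example; log format, thresholds and sample data are assumptions."""
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2024-01-01T09:00:01 203.0.113.5 alice FAIL
2024-01-01T09:00:02 203.0.113.5 alice FAIL
2024-01-01T09:00:03 203.0.113.5 alice FAIL
2024-01-01T09:00:04 203.0.113.5 alice FAIL
2024-01-01T09:00:05 203.0.113.5 alice FAIL
2024-01-01T09:01:00 198.51.100.7 bob FAIL
2024-01-01T09:01:01 198.51.100.7 carol FAIL
2024-01-01T09:01:02 198.51.100.7 dave FAIL
2024-01-01T09:01:03 198.51.100.7 erin FAIL
2024-01-01T09:01:04 198.51.100.7 frank OK
2024-01-01T09:02:00 192.0.2.9 grace FAIL
2024-01-01T09:02:30 192.0.2.9 grace OK
"""

def parse(log_text):
    """Yield (source_ip, username, result) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, ip, user, result = parts
        yield ip, user, result

def detect(log_text, fail_threshold=5, user_threshold=4):
    """brute_force: (ip, user) pairs with >= fail_threshold failed attempts.
    credential_stuffing: ips that tried >= user_threshold distinct accounts."""
    fails = defaultdict(int)        # (ip, user) -> failed attempts
    users_by_ip = defaultdict(set)  # ip -> distinct usernames attempted
    for ip, user, result in parse(log_text):
        users_by_ip[ip].add(user)
        if result == "FAIL":
            fails[(ip, user)] += 1
    return {
        "brute_force": sorted(k for k, n in fails.items() if n >= fail_threshold),
        "credential_stuffing": sorted(
            ip for ip, users in users_by_ip.items() if len(users) >= user_threshold),
    }

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A normal user who mistypes once (grace above) trips neither threshold, which is the behaviour a login-monitoring rule needs before it is used to trigger lockouts or alerts.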
Assuming your Access Control Policy is in place, you should ensure it contains specific references to secure authentication techniques, such as Multi-Factor Authentication (MFA), Two-Factor Authentication (2FA), Biometrics and strong passwords.
Speak to your IT team about access to systems by external parties, so that you can gain an understanding of how they are authenticated. For example, an outsourced provider may supply your IT support. Are they required to log in using MFA or some other tokenised system?
When it comes to physical security, authentication is just as important, so speak to your facilities teams, receptionists or security to understand what happens if someone enters the building. How are they authenticated and given access to the site? What happens if someone attends the site claiming to have lost their ID Card? Is there a process for verifying their ID before allowing them into the premises? If not, then this is a process you will need to establish.
Difficulty rating
We rate this control 3 out of 5 for difficulty. It can become relatively technical, as you will need to understand which secure authentication mechanisms are available to you. From suggesting biometric and MFA technologies to developing physical authentication processes, you will need to understand what works best and is most appropriate for your business.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers on other aspects of the standard. Follow the links in this control to see its relationship to other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.