top of page

ISO27001:2022 - A5.17 Authentication information

Updated: May 14

In A5.16 Identity Management the requirement is that the full life cycle of identities shall be managed, and A5.17 takes this forward and explains what is actually required.


What does the standard require?

The standard states that “Allocation and management of authentication information shall be controlled by a management process, including advising personnel on the appropriate handling of authentication information.” (A5.17 Authentication Information)


Before looking at why this is important, let’s be clear about what ‘authentication information’ is.  Essentially it’s information that tells the logical or physical location that you are ‘authentic’, and that you are who you say you (and who is permitted access).


Authentication information can be;

  • A Username – An identifier such as an email address or account name.

  • Passwords and PIN codes– Secret keys that are known by only one person.

  • Biometric data - Fingerprint, retina scans or facial recognition (such as those used on modern mobile devices)

  • Secret Tokens – A token or code sent to a trusted device or created using a specific ‘Authentication App’ (e.g. Google Authenticator)


Good authentication systems will use a combination of these factors, which takes us to talking about ‘Multi-factor Authentication’.  This is often referred to as 2FA (Two Factor Authentication) because it uses just two of the above (e.g. a user name and biometric)


Why is this required?

How access to your physical or virtual environments is important because without these controls, you’re at risk of a cyber incident or data breach occurring.  For example, ensuring you use 2FA on your own social media or banking apps is important, to prevent fraud and hacking of your personal data.


Putting in place appropriate authentication processes ensures that access to critical systems or sensitive data is fully controlled.


What the auditor is looking for

Although there isn’t a requirement for a documented policy or procedure, you must again be able to evidence that there is a process for the allocation of authentication information. This could include a process that demonstrates how passwords are shared, what password strength (ie. length and complexity) are applied and how they are changed (if someone needs a password resetting).


The auditor will normally want to see that there is some form of MFA in place, and that users have received some training on the topic.



Q & A

Do I need a written policy?

 No, there’s no need for a policy but you do need to be able to evidence that there is a process in place for providing authentication information. You might also be able to evidence this through the use of authentication apps, and appropriate processes documented which education users on how to use the tool.


How often should passwords be changed?

There is a common misconception that passwords should be changed regularly. But we know this leads to poor habits, such as writing them down, or using a sequence (e.g. MyPassword-1, MyPassword-2 etc).  It is far better that you select a complex password (or passphrase) and only change it when you know that the platform you’re using has been compromised.  Of course this means you cannot use that password on other systems (but you would never do that, right?!)


Personally, I have passwords which have not been changed for over 12mths, but they are sufficiently complex, and I know the systems they are on, have not been involved in a cyber attack.


Difficulty rating

We rate this a 1 out of 5 difficulty rating. This means that it requires little technical knowledge, but you will need to become familiar with terms like ‘2FA’ and ‘MFA’, and different methods of authentication.  However, your IT or technical lead should be able to provide advice on this.


This control expects you to have implemented appropriate authentication methods, so at the most simple level, ensure everyone has their own ID and password, and build out from there.


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused by how to implement an RBAC process or identify the key roles in your organisation, just get in touch and we’ll be happy to help.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.

9 views0 comments

Recent Posts

See All


bottom of page