Think of Authentication Information as the special keys you use to prove you are who you say you are when you access systems or data. This rule is all about managing and protecting those keys, things like your passwords, PINs, biometric data (like your fingerprint), or security tokens. Essentially, it makes sure you have a safe way to log in.
What is ISO 27001 Annex A 5.17?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Authentication Information”.
What is the ISO 27001 Annex A 5.17 control objective?
The formal definition and control objective in the standard is: “Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information.”
The main goal is to prevent unauthorised access. You want to make sure only the right people can get into the right systems. By properly managing this information, you stop others from easily guessing or stealing your keys and pretending to be you.
What is the purpose of ISO 27001 Annex A 5.17?
The purpose of ISO 27001 Annex A 5.17 is “To ensure proper entity authentication and prevent failures of authentication processes.”
It is to make sure your authentication information is kept secure and confidential. You need good processes for creating, assigning, revoking, and protecting all the things people use to prove their identity. This includes making sure your passwords are strong and that you don’t share them with anyone.
Is ISO 27001 Annex A 5.17 Mandatory?
ISO 27001 Annex A control 5.17 (Authentication Information in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.17 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Why is ISO 27001 Annex A 5.17 Important?
This is a fundamental building block of security. If your passwords and other login details aren’t protected, everything else you do to secure your systems could be useless. Having strong, well-managed authentication information stops hackers, former employees, or anyone else from easily breaking into your sensitive data.
Key parts of the rule
The rule mostly focuses on:
- Protecting the information (e.g., storing passwords only as salted hashes produced by a slow password-hashing function, never in plain text or reversibly encrypted form).
- Assigning the information only to the intended user (it shouldn’t be shared).
- Making sure the information is not accessible to anyone else, even system administrators, unless absolutely necessary.
- Revoking or changing the information immediately when someone leaves the company or if there’s a security scare.
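The four points above, as an added example that is not part of the original page: a minimal authentication-information store that keeps only salted scrypt hashes (so no one, including administrators, can read the secret back), assigns each secret to a single user, and refuses authentication the moment a record is revoked. The class and user names are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets


class AuthInfoStore:
    """Holds authentication information per Annex A 5.17: hashed, per-user, revocable."""

    def __init__(self):
        # user -> {"salt": bytes, "hash": bytes, "revoked": bool}; the secret itself is never kept
        self._records = {}

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        # Slow, memory-hard KDF so a leaked table cannot be brute-forced cheaply (16 MiB per guess)
        return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

    def issue(self, user: str) -> str:
        """Allocate a fresh random secret to exactly one user; return it once for delivery."""
        secret = secrets.token_urlsafe(16)
        salt = os.urandom(16)
        self._records[user] = {"salt": salt, "hash": self._derive(secret, salt), "revoked": False}
        return secret

    def verify(self, user: str, secret: str) -> bool:
        """True only for an existing, non-revoked user presenting the matching secret."""
        rec = self._records.get(user)
        if rec is None or rec["revoked"]:
            return False
        # Constant-time comparison avoids leaking how many hash bytes matched
        return hmac.compare_digest(self._derive(secret, rec["salt"]), rec["hash"])

    def revoke(self, user: str) -> None:
        """Leaver or suspected compromise: disable immediately, before any re-issue."""
        if user in self._records:
            self._records[user]["revoked"] = True

    def stores_plaintext(self, user: str, secret: str) -> bool:
        """Audit helper: confirm the secret is not recoverable from what is stored."""
        rec = self._records.get(user)
        return rec is not None and secret.encode() in (rec["salt"] + rec["hash"])


if __name__ == "__main__":
    store = AuthInfoStore()
    pw = store.issue("alice")
    print(store.verify("alice", pw), store.verify("alice", "guess"))  # True False
    store.revoke("alice")
    print(store.verify("alice", pw))  # False
```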
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will check:
- Documentation: Do you have a clear policy on how users must protect their passwords (e.g., strong password rules, not writing them down)?
- System Controls: Are the systems storing authentication details (like hashed passwords) securely?
- Processes: Do you have a formal process for issuing new login details and revoking them immediately when a person’s role changes or they leave the organisation?
- Evidence: They might ask employees or IT staff about how they manage their own login details to see if the policy is followed in real life.