ISO 27001 Annex A 8.5 is about secure authentication, which means you must have a system to handle how people authenticate based on access restrictions and the access control policy.
What Is Secure Authentication?
Authentication means you prove your identity. The organisation needs to be certain that you are the person asking for access.
Authentication is the process of establishing your identity and checking your right to use a computer or network.
So, you decide who needs to use what. You then set your access rules. After that, you give people a way to show you who they are so you can let them in.
You prove your identity based on three main ideas. You show who you are by using one of these:
- Something you are
- Something you know
- Something you have
What is ISO 27001 Annex A 8.5?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Secure Authentication”.
What is the ISO 27001 Annex A 8.5 control objective?
The formal definition and control objective in the standard is: “The full life cycle of identities shall be managed.”
What is the purpose of ISO 27001 Annex A 8.5?
The purpose of ISO 27001 Annex A 8.5 is “To allow for the unique identification of individuals and systems accessing the organisation’s information and other associated assets and to enable appropriate assignment of access rights.”
Is ISO 27001 Annex A 8.5 Mandatory?
ISO 27001 Annex A control 8.5 (Secure Authentication in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 8.5 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
The Three Ways to Prove Identity
1. Something You Know
This is the most common way to check identity and the easiest to set up. The best example is using a password or a passphrase. You must know the secret to get in. The problem is that passwords are easy to guess, lose, share, or write down.
2. Something You Have
You see this when banks give you small key devices. They might be a physical token or an app on your phone. You need this device to read a short, one-time code. This is a very strong way to check identity. You often use it together with something you know, like a password.
3. Something You Are
This relies on a trait that is only yours. This could be your fingerprint or a scan of your eye. This type is called biometric. It is the safest but costs the most and is hard to set up. Think about Apple Touch ID, which uses your fingerprint, or your iPhone, which unlocks by scanning your face.
Multi-Factor Authentication
Multi-factor authentication is the safest method. You use two or more of the ways listed above together.
Authentication Based on Risk
You will create a system for classifying your data. Then, you will check your risks and decide what level of identity check is right for you. You usually use the strongest kind of identity check for your most secret data.
The Authentication Process
There are general rules for how you check identity. Here are some things you should think about.
It is a simple rule: you do not allow people to see information until their identity check is complete.
You must protect against “brute force” attacks, where someone tries many passwords in succession to guess the right one. You must also log and report failed sign-in attempts: set thresholds that trigger an alert or message, and treat it as a security event when those thresholds are exceeded.
If you use passwords, you must not display them in clear text when people type them. You must also not transmit or store them in clear text.
You should also consider automatically signing people out after they have been inactive for a set time.
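As an added example (not part of the article or of the standard), here is a small Python model of the sign-in rules above: passwords kept only as salted hashes, an alert once a number of failed attempts is reached, a lockout to stop password guessing, and an idle-session timeout. The thresholds, the PBKDF2 iteration count and the class names are assumptions chosen for the example.

```python
import hashlib, hmac, os
from dataclasses import dataclass

# Constructed thresholds for this example (assumptions, not values from the standard).
ALERT_AFTER_FAILURES = 3      # report/alert once this many failures are reached
LOCK_AFTER_FAILURES = 5       # lock the account to stop password guessing
IDLE_TIMEOUT_SECONDS = 900    # end the session after 15 minutes of inactivity
PBKDF2_ITERATIONS = 200_000   # assumed; tune to your hardware

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest): only the salted hash is stored, never clear text."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False

class Session:
    def __init__(self, user: str, now: float):
        self.user, self.last_activity = user, now
    def touch(self, now: float) -> bool:  # False once the idle timeout has expired
        if now - self.last_activity > IDLE_TIMEOUT_SECONDS:
            return False
        self.last_activity = now
        return True

class Authenticator:
    def __init__(self):
        self.accounts = {}   # user -> Account
        self.alerts = []     # stands in for the log / alert channel
    def register(self, user: str, password: str) -> None:
        self.accounts[user] = Account(*hash_password(password))
    def login(self, user: str, password: str, now: float):
        """Return a Session only after the identity check fully succeeds, else None."""
        acct = self.accounts.get(user)
        if acct is None or acct.locked:  # unknown or locked: same response, no detail leaked
            return None
        if not hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= ALERT_AFTER_FAILURES:
                self.alerts.append(f"{acct.failed_attempts} failed sign-ins for {user!r}")
            if acct.failed_attempts >= LOCK_AFTER_FAILURES:
                acct.locked = True
            return None
        acct.failed_attempts = 0  # a successful check resets the counter
        return Session(user, now)
```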
Starting with ISO 27001
Your first step for this rule is to create a special policy just on access control. You should include your plan for access within that policy.