What is ISO 27001 Annex A 5.17 Authentication Information in ISO 27001?
Annex A 5.17 requires a documented process for allocating, managing and protecting authentication information (passwords, PINs, cryptographic keys, tokens and similar secrets) so that it remains confidential throughout its lifecycle. The standard does not mandate any particular tool; this page recommends documenting the procedures in the internal repositories staff already use, such as SharePoint, so that the evidence sits alongside day-to-day work. The control prevents unauthorised access by protecting the primary means of verifying identity.
Auditor’s Eye: The Shortcut Trap
Many firms rely on SaaS compliance platforms for "automated" credential management. These platforms often provide generic templates that personnel never read, which creates a surface-level compliance culture. Auditors prefer to see authentication procedures inside the organisation's own tools. Version-controlled policies in SharePoint demonstrate active management oversight, and Jira tickets for token allocation provide a real audit trail. A "green tick" in a black-box app is not, on its own, evidence of security; your internal document history is the strongest proof of intent.
Transition Table (2013 vs 2022)
| Feature | ISO 27001:2013 Reference | ISO 27001:2022 Reference |
|---|---|---|
| Control ID | A.9.2.4, A.9.3.1, A.9.4.3 | 5.17 |
| Primary Focus | Secret authentication information (management, use, password management systems) | Authentication information |
| Change Summary | Separate controls for allocation (A.9.2.4), user handling (A.9.3.1) and password management systems (A.9.4.3). | Merged into a single organisational control covering the whole lifecycle. |
How to Implement ISO 27001 Annex A 5.17 (Step-by-Step)
The core requirement is establishing a secure lifecycle for all secrets: allocation, secure delivery, change on first use, rotation, revocation and protection in storage and transit. Document this process within your existing business-as-usual tools. Focus on building a culture of confidentiality rather than buying software, and define clear allocation rules before configuring technical systems so that the configuration follows the policy rather than the other way round.
- Policy Creation: Draft your authentication rules in SharePoint. Include password length and quality requirements, MFA requirements, and rules for changing secrets on first use and after suspected compromise.
- Workflow Integration: Build a Jira service desk for credential resets. This provides a timestamped log of all changes.
- Knowledge Base: Publish “how-to” guides on your internal Confluence wiki. Explain how users should manage their personal secrets.
- Manual Reviews: Check system settings against the policy manually. Record the findings in a SharePoint audit log.
- Incident Response: Define steps for compromised credentials in your wiki. Ensure staff know exactly where to report issues.
ISO 27001 Annex A 5.17 Audit Evidence Checklist
Auditors look for manual records and internal document versions. These items prove human oversight and intent within the organisation. Focus on internal repositories over SaaS dashboards.
- Version history of the Password Policy in SharePoint.
- Jira tickets documenting the allocation of hardware MFA tokens.
- Meeting minutes discussing the results of internal credential audits.
- Wiki pages showing guidance for secure password management.
- HR induction records proving staff received authentication training.
Relational Mapping
Annex A 5.17 relies on control 5.15 (Access Control) for the high-level rules. It supports control 5.18 (Access Rights) by providing the mechanism for verifying identity when rights are exercised. It also links to control 8.2 (Privileged Access Rights) for administrative secrets and to control 8.5 (Secure Authentication) for the technical configuration requirements. (These are Annex A controls, not clauses of the main standard.)
Auditor Interview
Auditor: How do you manage the lifecycle of administrative passwords?
User: We document the rotation process in our internal Confluence wiki.
Auditor: Where is the evidence that these passwords have been reset?
User: We log every rotation task within our Jira maintenance project.
Auditor: How do staff learn about your secure handling requirements?
User: All rules are published in the SharePoint Document Management System.
Common Non-Conformities
| Failure Mode | Description of Failure |
|---|---|
| Automated Complacency | Relying on a platform’s default settings without internal procedural evidence. |
| Policy Disconnect | The SharePoint policy defines MFA, but systems are not configured accordingly. |
| Lack of Oversight | Failing to document manual reviews of service account credentials. |
Frequently Asked Questions
What is authentication information in ISO 27001?
Bottom Line Up Front: Authentication information refers to the secrets used to verify a claimed identity. This includes passwords, PINs, cryptographic keys and physical tokens. The organisation must manage these through a documented process so that secrets remain confidential and under the control of the person or system they were issued to.
How should an organisation allocate secrets?
Bottom Line Up Front: Secret allocation must follow a formal and secure process. Use internal ticketing systems like Jira to track the request and delivery. Ensure initial passwords are changed immediately upon first use. Records must prove that only the intended recipient received the secret.
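The allocation rules above (a unique initial secret per recipient, only a hash kept by the system, a record of the ticket and recipient, and a forced change on first use) can be demonstrated in code. The following is an added example written for this page, not code from the page's author or from any ISO document; the store layout, the ticket identifier format and the minimum length of 12 characters are hypothetical assumptions, and a real system would persist the records and hand the initial secret to the recipient over a separate channel.

```python
"""Allocation of an initial secret with a forced change on first use.

Added illustration only; the record layout, ticket identifiers and the
MIN_PASSWORD_LENGTH value are hypothetical, not taken from the standard.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

INITIAL_SECRET_BYTES = 16   # 128 bits of entropy for the one-time initial secret
MIN_PASSWORD_LENGTH = 12    # hypothetical policy minimum for the replacement secret


def hash_secret(secret: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, scrypt hash). Only the hash is stored, never the secret."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(secret.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


@dataclass
class Credential:
    user: str
    salt: bytes
    digest: bytes
    must_change: bool                      # True until the initial secret is replaced
    allocation_record: dict = field(default_factory=dict)


class AuthStore:
    def __init__(self) -> None:
        self._creds: dict = {}
        self.audit_log: list = []          # stands in for the Jira/SharePoint record

    def allocate_initial_secret(self, user: str, ticket: str, issued_to: str) -> str:
        """Generate a one-time initial secret, store only its hash, log who received it."""
        initial = secrets.token_urlsafe(INITIAL_SECRET_BYTES)
        salt, digest = hash_secret(initial)
        record = {"ticket": ticket, "issued_to": issued_to,
                  "issued_at": datetime.now(timezone.utc).isoformat()}
        self._creds[user] = Credential(user, salt, digest, True, record)
        self.audit_log.append({"event": "allocate", "user": user, **record})
        return initial   # delivered to the recipient out of band

    def verify(self, user: str, secret: str) -> bool:
        """Constant-time comparison of the supplied secret against the stored hash."""
        cred = self._creds.get(user)
        if cred is None:
            return False
        _, digest = hash_secret(secret, cred.salt)
        return hmac.compare_digest(digest, cred.digest)

    def first_login(self, user: str, initial: str, new_secret: str) -> bool:
        """Accept the initial secret once, and only together with a compliant replacement."""
        cred = self._creds.get(user)
        if cred is None or not cred.must_change or not self.verify(user, initial):
            return False
        if len(new_secret) < MIN_PASSWORD_LENGTH or new_secret == initial:
            return False
        cred.salt, cred.digest = hash_secret(new_secret)
        cred.must_change = False
        self.audit_log.append({"event": "initial_secret_replaced", "user": user,
                               "ticket": cred.allocation_record["ticket"]})
        return True

    def login(self, user: str, secret: str) -> bool:
        """Normal login; refuses any account still holding an unchanged initial secret."""
        cred = self._creds.get(user)
        if cred is None or cred.must_change:
            return False
        return self.verify(user, secret)


if __name__ == "__main__":
    store = AuthStore()
    initial = store.allocate_initial_secret("alice", "IT-1042", "alice@example.com")
    print("normal login with initial secret allowed:", store.login("alice", initial))
    print("first login with replacement:", store.first_login("alice", initial, "correct horse battery staple"))
    print("normal login afterwards:", store.login("alice", "correct horse battery staple"))
    print("audit trail:", store.audit_log)
```

The audit log here is what an auditor would expect to find in the ticketing system: who requested the secret, who it was issued to, when, and a matching record that the initial secret was replaced. Keeping only the scrypt hash means that the store itself never becomes a source of the secret, and refusing normal logins while `must_change` is set is what turns "change on first use" from a policy sentence into an enforced property.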
Who is responsible for protecting authentication secrets?
Bottom Line Up Front: Users are responsible for keeping their authentication information confidential. The organisation must provide the tools and training to support this. Procedures should prohibit the sharing of credentials. Management must enforce these rules through regular internal audits.
