What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 5.17

ISO 27001 Annex A 5.17 - what changed in the 2022 update

When you think about information security, “Authentication Information” is often the first line of defence that comes to mind. It is the secret handshake: the passwords, tokens and biometrics that prove you are who you say you are. In the transition from ISO 27001:2013 to the 2022 version, this area saw a significant structural facelift. Annex A 5.17 now stands as the go-to organisational control for managing these vital keys to your digital kingdom.

If you are trying to map your old 2013 controls to the new framework, you might feel like you’re putting together a puzzle. Let’s look at exactly what changed, what was merged, and what the “new” expectations are for your ISMS.

Consolidation: Three Controls Become One

One of the most noticeable changes in the 2022 update is the reduction in the total number of controls. This wasn’t achieved by deleting requirements, but by merging similar ones. Annex A 5.17 is a perfect example of this consolidation. In the 2013 version, the rules for authentication were scattered across three different controls:

  • A.9.2.4: Management of secret authentication information of users.
  • A.9.3.1: Use of secret authentication information.
  • A.9.4.3: Password management system.

By pulling these into a single control—Annex A 5.17—the 2022 standard provides a much more streamlined approach. It creates a “full lifecycle” view of authentication data, from the moment it is allocated to how it is used and, eventually, retired.

A Shift in Language: From “Secret” to “Authentication Information”

Terminology matters in ISO standards. You’ll notice that the 2013 version frequently used the phrase “secret authentication information.” The 2022 version has dropped the word “secret” in the title, opting for the broader “Authentication Information.”

This shift acknowledges that modern authentication isn’t always just a “secret” password. It includes biometric data, cryptographic keys, and physical tokens. The 2022 update is designed to be more technology-neutral, making it easier for your organization to apply the same high standards to a fingerprint scan as you would to a traditional password.

New Requirements for Record Keeping

While much of the guidance in Annex A 5.17 will feel familiar, there is a distinct increase in the need for formal evidence. According to the compliance experts at Hightable.io, the 2022 version introduces a clearer requirement for organizations to maintain records of significant events associated with the management of authentication information.

This means that simply having a process isn’t enough; you need to be able to show an auditor that you are tracking how credentials are distributed and managed. For example, if you issue a temporary password to a new starter, you need an audit trail showing that the identity was verified before the credentials were sent.


User Responsibilities and Employment Contracts

Another subtle but important shift involves how user responsibilities are enforced. In the 2013 version, user requirements for handling passwords were often tucked away in an Acceptable Use Policy. The 2022 update for Annex A 5.17 places a stronger emphasis on ensuring these requirements are legally binding and clearly communicated.

As highlighted by Hightable.io, many organizations are now updating their employment contracts or formal agreements to include specific clauses about the secure handling of authentication information. This ensures that security isn’t just an “IT thing,” but a fundamental part of the professional relationship between the employee and the business.

Modernizing Password Management

The 2022 version also modernizes the guidance on how we actually handle passwords. While the 2013 version focused heavily on technical password management systems, Annex A 5.17 takes a more risk-based approach. It explicitly advocates for practices that we now consider “industry standard” but were less formal in 2013, such as:

  • Enforcing the change of default passwords upon first use.
  • Prohibiting the reuse of previous passwords.
  • Ensuring passwords are not displayed in clear text on-screen during entry.
  • Using secure channels (not plain-text email) for transmitting credentials.

Interestingly, the 2022 guidance also acknowledges modern thinking on password rotation—suggesting that forced periodic changes might actually be counterproductive if they lead to users choosing weaker, predictable passwords.
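As an added illustration (not from the article or from Hightable.io) of how the record-keeping expectation and the password-handling practices above fit together, here is a small Python credential-lifecycle model: it refuses to issue a temporary password until an identity check is on record, forces a change on first use, blocks reuse of the current and retained previous secrets, and logs each significant event for an auditor. The class and function names, the PBKDF2 work factor and the history depth are constructed choices, not values taken from the standard.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass, field
ITERATIONS = 50_000  # PBKDF2 work factor, kept low for the demo; raise it in production
HISTORY_DEPTH = 5    # retired secrets kept for the reuse check (constructed value)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(digest, _hash(password, salt))

@dataclass
class Account:
    salt: bytes
    digest: bytes
    must_change: bool = True                     # temporary secret: change on first use
    history: list = field(default_factory=list)  # (salt, digest) of retired secrets

class CredentialLifecycle:
    def __init__(self):
        self.accounts, self.events = {}, []  # events: the record an auditor asks to see

    def _log(self, event, user, **details):
        self.events.append({"ts": time.time(), "event": event, "user": user, **details})

    def issue_temporary(self, user, temp_password, verified_by):
        if not verified_by:  # the identity check must be on record before issuance
            raise ValueError("identity must be verified before issuing credentials")
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(temp_password, salt))
        self._log("issued", user, verified_by=verified_by, channel="secure portal")

    def login(self, user, password):
        acct = self.accounts.get(user)
        ok = acct is not None and _matches(password, acct.salt, acct.digest)
        outcome = "denied" if not ok else "change_required" if acct.must_change else "ok"
        self._log(outcome, user)
        return outcome

    def change_password(self, user, old, new):  # reuse is checked against current + history
        acct = self.accounts[user]
        reuse = any(_matches(new, s, d) for s, d in [(acct.salt, acct.digest)] + acct.history)
        if not _matches(old, acct.salt, acct.digest) or reuse:
            self._log("change_failed", user, reason="reuse" if reuse else "bad_current")
            return False
        acct.history = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_DEPTH]
        acct.salt, acct.must_change = os.urandom(16), False
        acct.digest = _hash(new, acct.salt)
        self._log("changed", user)
        return True
```

The `events` list is the kind of evidence the record-keeping section refers to; in a real system it would be written to an append-only store rather than kept in memory.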

Practical Impact on Your Transition

If you are moving from the 2013 to the 2022 version, Annex A 5.17 requires you to look at your documentation through a wider lens. You should consolidate your old password and access management policies into a single, cohesive “Authentication Information Policy.”

The 2022 standard expects a more joined-up approach. It’s not just about the technology that stores the passwords, but the organizational processes that manage them. For those looking for a clear path forward, using the mapping guides and documentation templates provided by Hightable.io can help ensure that you don’t miss these new record-keeping and contractual nuances during your transition audit.

Why the Change is Better for Security

Ultimately, the move to Annex A 5.17 reflects a more mature understanding of identity security. By treating authentication as a unified organisational control rather than a series of technical tasks, ISO 27001:2022 helps businesses build a stronger culture of security. It moves us away from “ticking a box” for a password policy and toward a truly managed system that protects the identities that drive your business.