If you have been managing an Information Security Management System (ISMS) based on the 2013 standard, you likely remember Control 9.4.2, which focused heavily on “Secure log-on procedures.” As we transition into the ISO 27001:2022 era, this has been refined and renamed to Annex A 8.5: Secure Authentication.
The update reflects a major shift in the cybersecurity landscape. In 2013, a strong password was often considered “enough.” In 2022 and beyond, the standard acknowledges that passwords alone are a primary point of failure. Annex A 8.5 moves away from basic checklists and toward a sophisticated, risk-based approach to verifying identities.
The Structural Shift: From 9.4.2 to 8.5
The first change is organisational. In the 2013 version, log-on security was part of the “Access Control” domain. In the 2022 revision, the 114 controls were consolidated into 93 and grouped into four themes: Organisational, People, Physical, and Technological.
Annex A 8.5 now lives in the Technological theme. This highlights that while policies are important, the standard now expects technical controls to do the heavy lifting. According to Hightable.io, this move is part of a broader trend in the 2022 update to focus on active technical enforcement rather than just “paper-based” compliance.
What Exactly is Annex A 8.5?
The objective of Annex A 8.5 is to ensure that any user or system attempting to access your information is exactly who they claim to be. It covers the technologies and procedures used to verify identities before access is granted.
The 2022 version specifically focuses on:
- Matching the strength of authentication to the sensitivity of the data.
- Implementing Multi-Factor Authentication (MFA) as a baseline for sensitive access.
- Securing the entire “log-on journey” to prevent information leakage.
- Managing non-human identities, such as service accounts and bots.
Key Changes and New Requirements
While the old standard was somewhat prescriptive about passwords, the 2022 update is more outcome-focused. Here are the most significant changes:
- Risk-Based Authentication: Instead of applying the same rules to everyone, you are now expected to assess the risk. High-risk actions (like accessing financial data or admin consoles) require much stronger authentication than low-risk tasks.
- MFA is the New Standard: The guidance for A 8.5 heavily implies that single-factor authentication (just a password) is rarely sufficient for sensitive systems. MFA is now the expected default for remote access and privileged accounts.
- Goodbye to Forced Rotation: Modern best practice (aligned with NIST) is reflected here. The standard no longer encourages making users change passwords every 90 days, as this often leads to weaker passwords. Instead, it focuses on length, complexity, and monitoring for compromise.
- Secure Log-On Procedures: The 2022 version is more specific about the log-on experience. It requires masking passwords, limiting the information shown on the log-on screen, and implementing “anti-brute force” measures like account lockouts or throttling.
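The "anti-brute force" part of a secure log-on procedure is usually implemented server-side as a failure counter with throttling and a lockout, combined with a log-on response that does not reveal whether the username exists, whether the password was wrong, or whether the account is locked. The following is an added illustration, not code from the standard or from Hightable.io; the policy values (five failures, a 15-minute lockout, a doubling delay) and the PBKDF2 iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy values are assumptions chosen for this example, not figures from ISO 27001.
MAX_FAILURES = 5          # consecutive failures before the account is locked
LOCKOUT_SECONDS = 900     # how long a lockout lasts (15 minutes)
BASE_DELAY_SECONDS = 0.5  # throttling delay after the first failure; doubles each time
MAX_DELAY_SECONDS = 16.0  # cap on the throttling delay
# One message for every failure mode: the log-on screen must not say which check failed.
GENERIC_FAILURE = "Sign-in failed. Check your details and try again."


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an example setting."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class LoginResult:
    ok: bool
    user_message: str     # shown to the user: identical for unknown user, bad password, lockout
    audit_reason: str     # recorded in the authentication log for monitoring
    delay_seconds: float  # throttling delay the caller should wait before responding


class LoginService:
    def __init__(self, credentials: dict, clock=time.time):
        # credentials maps username -> (salt, pbkdf2 digest); clock is injectable for tests
        self._credentials = credentials
        self._clock = clock
        self._failures = {}      # username -> consecutive failure count
        self._locked_until = {}  # username -> epoch seconds when the lockout ends
        # A dummy record so that unknown usernames cost the same as known ones (timing)
        self._dummy_salt = os.urandom(16)
        self._dummy_digest = hash_password("not-a-real-password", self._dummy_salt)

    def _password_matches(self, username: str, password: str) -> bool:
        salt, digest = self._credentials.get(username, (self._dummy_salt, self._dummy_digest))
        candidate = hash_password(password, salt)
        # compare_digest is constant-time; an unknown user can never authenticate
        return hmac.compare_digest(candidate, digest) and username in self._credentials

    def login(self, username: str, password: str) -> LoginResult:
        now = self._clock()
        if self._locked_until.get(username, 0.0) > now:
            # Locked: the password is not evaluated, but the user sees the generic message
            return LoginResult(False, GENERIC_FAILURE, "account_locked", 0.0)
        if username in self._locked_until:
            # A previous lockout has expired: start counting from zero again
            del self._locked_until[username]
            self._failures.pop(username, None)

        if self._password_matches(username, password):
            self._failures.pop(username, None)
            return LoginResult(True, "Welcome", "success", 0.0)

        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            return LoginResult(False, GENERIC_FAILURE, "lockout_triggered", 0.0)

        # Exponential throttling: 0.5s, 1s, 2s, 4s ... capped at MAX_DELAY_SECONDS
        delay = min(BASE_DELAY_SECONDS * 2 ** (failures - 1), MAX_DELAY_SECONDS)
        return LoginResult(False, GENERIC_FAILURE, "bad_credentials", delay)


if __name__ == "__main__":
    # Constructed credential store for the demo
    salt = os.urandom(16)
    service = LoginService({"alice": (salt, hash_password("correct horse battery staple", salt))})
    for attempt in ["wrong", "wrong", "correct horse battery staple"]:
        result = service.login("alice", attempt)
        print(result.ok, result.audit_reason, result.delay_seconds, result.user_message)
```

Note that the distinction between "unknown user", "bad password" and "locked" survives only in `audit_reason`, which feeds the authentication log; the user-facing text is the same in every failure case, and the delay is returned to the caller rather than slept inside the service so that the web layer can apply it without blocking a worker thread.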
The Role of Attributes in Annex A 8.5
One of the most helpful additions to the 2022 version is “Attributes.” These are metadata tags that help you categorize your controls. For Annex A 8.5, the attributes are:
- Control Type: Preventive (it stops the “wrong” person from getting in).
- Information Security Properties: Confidentiality, Integrity, Availability.
- Cybersecurity Concepts: Protect.
- Operational Capabilities: Identity and Access Management.
Practical Steps for Your Transition
Moving your ISMS to the 2022 standard requires more than just renumbering your documents. Hightable.io suggests that auditors will be looking for technical evidence of these “Secure Authentication” practices in action.
- Rename and Update Your Policy: Your “Password Policy” should likely become a “Secure Authentication Policy” to reflect the broader scope.
- Audit Your MFA Coverage: Identify every system where MFA is not yet enabled and create a risk-based plan to roll it out.
- Fix Your Password Rules: Update your systems to prioritize password length over frequent changes. Ban common or compromised passwords.
- Monitor Authentication Events: Ensure you are logging failed log-on attempts. A 8.5 isn’t just about the “door”; it’s about knowing when someone is trying to kick it in.
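The last two steps, password rules that weight length over rotation and ban compromised passwords, and monitoring of failed log-on events, are shown together below as an added example; it is not code from the standard or from Hightable.io. The minimum length, the small deny-list, the key=value log format and the log lines themselves are all constructed for the example, and the detection thresholds (five failures against one account in five minutes, three distinct accounts failing from one source) are assumptions a team would tune to its own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MIN_LENGTH = 14  # assumed policy value: length is weighted over mandatory complexity or rotation
# Constructed deny-list; in practice this is a breached-password corpus or lookup service.
BANNED_PASSWORDS = {"password", "password1", "welcome1", "summer2024", "letmein", "qwerty123"}
TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*._-]+$")  # "Password123!" normalises to "password"


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if lowered in BANNED_PASSWORDS or TRAILING_JUNK.sub("", lowered) in BANNED_PASSWORDS:
        problems.append("appears on the banned/compromised list")
    return problems


# Constructed authentication log in a simple key=value format (addresses from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24).
SAMPLE_LOG = """
2024-05-03T09:12:01Z event=login_failed user=alice src=203.0.113.7
2024-05-03T09:12:03Z event=login_failed user=alice src=203.0.113.7
2024-05-03T09:12:05Z event=login_failed user=alice src=203.0.113.7
2024-05-03T09:12:08Z event=login_failed user=alice src=203.0.113.7
2024-05-03T09:12:10Z event=login_failed user=alice src=203.0.113.7
2024-05-03T09:12:20Z event=login_success user=alice src=203.0.113.7
2024-05-03T09:30:00Z event=login_failed user=bob src=203.0.113.50
2024-05-03T09:30:01Z event=login_failed user=carol src=203.0.113.50
2024-05-03T09:30:02Z event=login_failed user=dave src=203.0.113.50
2024-05-03T09:45:00Z event=login_failed user=erin src=198.51.100.9
2024-05-03T09:45:30Z event=login_success user=erin src=198.51.100.9
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped rather than crashing the monitor
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["event"], m["user"], m["src"]


def analyse_auth_log(lines, window=timedelta(minutes=5), user_threshold=5, spray_threshold=3):
    """Return (alert_type, subject, detail) tuples for suspicious log-on patterns."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> failure timestamps inside the window
    users_per_src = defaultdict(set)     # src -> accounts that failed from that source
    flagged_users, flagged_srcs = set(), set()
    for rec in filter(None, map(parse_line, lines)):
        ts, event, user, src = rec
        if event == "login_failed":
            times = [t for t in recent_failures[user] if ts - t <= window] + [ts]
            recent_failures[user] = times
            # Many failures against one account: brute force / guessing
            if len(times) >= user_threshold and user not in flagged_users:
                flagged_users.add(user)
                alerts.append(("brute_force", user, src))
            users_per_src[src].add(user)
            # One source failing against many accounts: password spraying
            if len(users_per_src[src]) >= spray_threshold and src not in flagged_srcs:
                flagged_srcs.add(src)
                alerts.append(("password_spray", src, ",".join(sorted(users_per_src[src]))))
        elif event == "login_success":
            # A success right after a burst of failures deserves a human look
            if len(recent_failures.get(user, [])) >= 3:
                alerts.append(("success_after_failures", user, src))
            recent_failures[user] = []
    return alerts


if __name__ == "__main__":
    print(check_password("Password123!"))
    print(check_password("correct horse battery staple"))
    for alert in analyse_auth_log(SAMPLE_LOG):
        print(alert)
```

Erin's single failure followed by a success produces nothing, which is the point of thresholds: the monitor is meant to surface the patterns the control is worried about, not every mistyped password. The "success after failures" alert is the one most worth routing to a person, since it is what a guessed password looks like from the log's point of view.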

Why the Change Matters
In the modern world of cloud computing and remote work, identity is the new perimeter. Most major data breaches start with a credential-based attack (like phishing or brute force). By strengthening Annex A 8.5, the ISO 27001:2022 standard addresses the most common way hackers enter a network today.
As Hightable.io points out, getting A 8.5 right is one of the highest-value activities in your entire security program. If an attacker cannot bypass your authentication, they cannot reach your data, regardless of how many other vulnerabilities your systems might have.
Final Thoughts
The transition from 9.4.2 to 8.5 is a welcome modernisation. It allows organisations to move away from frustrating, outdated password rules and toward more secure, user-friendly technologies like MFA and biometrics. By focusing on the “Secure Authentication” of all entities, both human and machine, you are building a much more resilient organisation.
