ISO 27001 A.5.17: Authentication information
What This Control Requires
Allocation and management of authentication information shall be controlled by a management process including advising personnel of appropriate handling of authentication information.
In Plain Language
Passwords, tokens, certificates, API keys - these are the keys to your kingdom. If they are compromised, every access control you have built on top of them becomes worthless. This control is about managing authentication credentials properly across their entire lifecycle: how they are issued, how they are changed or reset, and how users are expected to protect them. It applies to everything from user passwords to service account tokens.

You need both process and technology working together. On the process side, that means defined procedures for issuing credentials, verifying identity before resets, and training people not to share them. On the technical side, systems need to enforce sensible password policies, prevent reuse, protect credentials in storage and transit, and support multi-factor authentication.
How to Implement
Write an authentication management policy covering all credential types in use: passwords, MFA tokens, certificates, API keys, and anything else. For passwords, set sensible minimums: 12+ characters, block commonly breached passwords (use a breach database check), require change on first use, and prohibit reuse across systems. Store passwords with proper salted hashing (bcrypt, scrypt, or Argon2). Skip overly complex character requirements in favour of length and passphrase support.

Roll out MFA for all remote access, privileged access, and anything touching sensitive data. Authenticator apps or FIDO2 hardware keys are preferred - avoid SMS-based codes where possible due to SIM-swapping risks. Be explicit about which systems require MFA.

Lock down the credential issuance process. Initial passwords must be temporary and force a change on first login. Verify identity before performing resets, using out-of-band verification. Never email passwords in plain text. Use secure, time-limited delivery mechanisms.

Deploy supporting technical controls. Push password managers to help people maintain unique credentials. Run credential monitoring to detect passwords that have appeared in breach databases. Implement lockout or throttling to stop brute-force attacks. Use certificate or token-based auth for service-to-service communication.

Train everyone on credential hygiene: do not share credentials, recognise phishing, use a password manager, and report suspected compromise immediately.
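The technical side of the implementation above (length minimum without composition rules, breach-database check, salted slow hashing, forced change on first use, lockout after repeated failures) can be pulled together in a few dozen lines. The following is an added illustration written for this page, not code from AuditFront or from the standard. It uses only the Python standard library: scrypt via `hashlib.scrypt` stands in for the bcrypt/scrypt/Argon2 choice, and the breach database is a constructed in-memory set of SHA-1 digests rather than a real corpus or service. The failure threshold (5) and lockout window (15 minutes) are assumptions, not values the control prescribes.

```python
"""Credential lifecycle helpers: policy check, salted scrypt storage, lockout.
Added example for the ISO 27001 A.5.17 page; all thresholds are assumptions."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import List, Optional

MIN_LENGTH = 12            # the page's minimum: 12+ characters, no composition rules
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # scrypt work factors (assumed values)
MAX_FAILURES = 5           # failed attempts before lockout (assumption)
LOCKOUT_SECONDS = 15 * 60  # lockout duration in seconds (assumption)

# Constructed stand-in for a breach database: SHA-1 digests of a few weak
# passwords. A real deployment would query a breach corpus or service; SHA-1 is
# used here only as a lookup key, never as the storage hash.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "password1234", "qwertyuiop12", "letmein12345")
}


def is_breached(password: str) -> bool:
    """Look the candidate up by digest so the plaintext never has to be logged."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def password_problems(password: str) -> List[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in breach database")
    return problems


def hash_password(password: str) -> str:
    """Store as 'scrypt$N$r$p$salt$hash' with a fresh 16-byte random salt, so the
    same password on two accounts yields two different stored records."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the record; compare in constant time."""
    scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    return hmac.compare_digest(digest.hex(), hash_hex)


@dataclass
class Account:
    username: str
    stored_hash: str
    must_change: bool = True   # initial credential is temporary: force change on first use
    failures: int = 0
    locked_until: float = 0.0


def attempt_login(account: Account, password: str, now: Optional[float] = None) -> str:
    """Return 'locked', 'invalid', 'change_required' or 'ok'. Repeated failures
    lock the account for LOCKOUT_SECONDS; a success resets the failure counter."""
    now = time.time() if now is None else now
    if now < account.locked_until:
        return "locked"
    if not verify_password(password, account.stored_hash):
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failures = 0
        return "invalid"
    account.failures = 0
    return "change_required" if account.must_change else "ok"


if __name__ == "__main__":
    print(password_problems("password"))              # constructed weak candidate
    acct = Account("alice", hash_password("temp-initial-pass-1"))
    print(attempt_login(acct, "temp-initial-pass-1", now=0.0))
```

The two design points worth noting are that the work factors travel with the stored record, so they can be raised later without invalidating existing hashes, and that the breach check operates on a digest rather than the plaintext, which keeps candidate passwords out of request logs if the check is ever moved to an external service.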
Evidence Your Auditor Will Request
- Documented authentication management policy with defined standards
- Technical configuration showing password policy enforcement in key systems
- MFA deployment records showing coverage of required systems
- Identity verification procedures for credential resets
- Training records covering authentication security awareness
Common Mistakes
- Weak password policies that do not meet current best practices
- MFA not implemented for remote access or privileged accounts
- Shared credentials used for convenience, without individual accountability
- Password reset processes that do not verify identity adequately
- Default credentials on systems and applications not changed after deployment
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC6.1 | Related |
| SOC 2 | CC6.6 | Related |
| GDPR | Art.32 | Partial overlap |
| NIS2 | Art.21(2)(j) | Related |
Frequently Asked Questions
Should we require regular password changes?
What is the recommended minimum password length?