ISO 27001:2022 Annex A Control 5.17 – Authentication Information

In this post, we’ll break down Annex A Control 5.17, explain why it’s important, and outline best practices for implementing it effectively in your organisation.

Written By:

Craig Pepper

Protecting authentication information is a critical aspect of an organisation's cybersecurity framework. ISO 27001:2022 Annex A Control 5.17 sets out guidelines for keeping authentication information—such as passwords, encryption keys, and security tokens—secure. This control helps organisations ensure that user credentials are protected from unauthorised access and that the systems where authentication information is stored or transmitted are adequately secured.

What Is ISO 27001:2022 Annex A Control 5.17?

Annex A Control 5.17 focuses on the management and protection of authentication information, meaning the data that grants access to systems and sensitive resources. This includes passwords, cryptographic keys, smart cards, and other authentication credentials.

The purpose of this control is to prevent unauthorised access to sensitive systems by ensuring that authentication data is securely created, managed, and transmitted. It aims to prevent the loss of confidentiality, integrity, and availability of information due to improper handling of user credentials.

What Does Annex A Control 5.17 Do?

This control helps organisations manage and protect authentication information effectively by:

  1. Preventing Unauthorised Access: Ensuring that user credentials are kept secure and are not accessible by unauthorised parties.
  2. Ensuring Secure Credential Creation and Transmission: Establishing secure methods for creating and transmitting authentication information, such as passwords and encryption keys, to prevent them from being compromised.
  3. Maintaining Accountability: Establishing a clear record of how authentication information is managed, who has access to it, and how it is stored.

Why Is Authentication Information Important?

Authentication details are the keys to sensitive systems and data. If poorly managed, they can lead to significant security risks, such as unauthorised access to critical systems or data breaches. Protecting these details ensures that only authorised users can access an organisation’s resources, maintaining the security and integrity of the organisation’s information systems.

Key reasons why secure authentication is essential:

  • Protects Sensitive Data: Ensures that sensitive information is only accessible by those who are authorised.
  • Reduces the Risk of Data Breaches: Proper management of authentication data significantly lowers the chances of credentials being stolen and misused by attackers.
  • Supports Regulatory Compliance: Many regulations, such as GDPR, require secure handling of user credentials to protect personal data and ensure privacy.

Key Steps to Implement ISO 27001:2022 Annex A Control 5.17

Organisations must take several steps to ensure compliance with Annex A Control 5.17. Here’s how to implement this control effectively:

  1. Generate Strong Initial Passwords: When new users are enrolled, issue initial or temporary passwords that are randomly generated (not derived from the user's name, employee number or a shared pattern) and force a change at first use. Deliver them separately from the username.
  2. Verify User Identity Before Issuing Credentials: Before issuing new or replacement authentication information, including password resets, verify the user's identity through a documented process, so that a convincing phone call to the service desk cannot obtain a reset.
  3. Transmit Credentials Securely: Never send authentication information such as passwords through insecure channels like plain-text email or chat, and never send the username and password in the same message. Use an encrypted channel, or a one-time link or code that expires after use.
  4. Replace Default Authentication Information: When installing new systems or software, replace vendor default credentials before the system is reachable by anyone else; default accounts are published in vendor documentation and are among the first things an attacker tries.
  5. Keep Records of Authentication Events: Record all significant events related to the management and allocation of authentication information (issue, reset, change, revocation). Log the event, not the secret: the records must never contain the password or key itself, and access to them should be restricted to authorised staff.
  6. Enforce Secure Storage and Transmission: Store passwords only as salted hashes produced by a deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2), never reversibly encrypted or in plain text, and transmit them only over encrypted channels such as TLS. Cryptographic keys that must remain usable belong in a key store, not in configuration files.

Best Practices for User Responsibilities in Managing Authentication Information

Users play a critical role in maintaining the security of their authentication information. To ensure compliance with Annex A Control 5.17, users should follow these guidelines:

  1. Keep Credentials Confidential: Users must not share their authentication information, such as passwords, with others. This is especially important when multiple users are involved in accessing shared systems.
  2. Change Passwords After Suspected Compromise: If a user suspects that their authentication information has been compromised, they should change it immediately and report the incident so that other systems where the same credential may have been used can be checked.
  3. Use Strong Passwords: Encourage users to create strong passwords that are difficult to guess. Passwords should:
    • Not be based on easily obtainable personal information (such as names, birthdates or the username itself).
    • Use alphanumeric characters and special symbols.
    • Meet a minimum length requirement.
  4. Avoid Password Reuse: Users should not use the same password for multiple systems or services; a credential leaked from one service is otherwise replayed against every other account the user holds (credential stuffing).

Setting Up a Secure Password Management System

Organisations should implement a robust password management system to ensure the secure creation, modification, and management of passwords. Key aspects include:

  1. User Control: Users should be able to create and change their own passwords, with a confirmation step (such as entering the new password twice) to catch input errors.
  2. Change Default and Initial Passwords: On first access to a system, users must change any default or initially issued password.
  3. Password Change Requirements: Organisations should require password changes when there is cause, for example after a security incident, on suspected compromise, or when someone who knew a shared credential leaves the company, rather than relying on calendar-based rotation alone, which tends to produce predictable variations of the old password. A departing employee's own account should be disabled, not re-passworded.
  4. Prohibit Password Recycling: Keep a history of previous password hashes so that old passwords cannot be reused, and screen new passwords against lists of known-compromised passwords so that leaked values are rejected at the point of entry.
  5. Secure Transmission and Storage: Passwords must be transmitted and stored using secure methods, including hashing and encryption, as outlined in ISO 27001:2022 Annex A Control 8.24, which deals with cryptographic controls.
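The following block is an added example, not Harpe's or ISO's code, and ties together the implementation steps listed earlier (generated initial passwords, forced change at first use, event records, hashed storage) with the password-management requirements just above (user-driven change with confirmation, history checks, rejection of known-compromised passwords). The policy values (minimum length, history depth, iteration count), the `CredentialStore` design and the small breached-password set are assumptions made for illustration; in production the breached-password check would query a service such as HIBP by hash prefix rather than a local set.

```python
"""Credential-lifecycle model for the 5.17 steps above (added example, not Harpe's
or ISO's code). Policy values and the breached-password set are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field

MIN_LENGTH = 12              # assumed policy value
HISTORY_DEPTH = 5            # previous hashes a new password is compared against
PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 floor for PBKDF2-HMAC-SHA256

# Constructed stand-in for a breached-password corpus. Real deployments query a
# service such as HIBP by SHA-1 prefix (k-anonymity); only hashes are kept here.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "Welcome2024!", "Summer2023!!")
}

def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted, deliberately slow hash; returns (salt, digest). Never store plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time compare so the check does not leak digest bytes via timing."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def generate_initial_password(length: int = 16) -> str:
    """Step 1: random, non-guessable one-time password from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))

@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool = True                  # forces a change at first log-in
    history: list[tuple[bytes, bytes]] = field(default_factory=list)

class CredentialStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[str] = []  # events, never secrets; restrict read access

    def _log(self, event: str, username: str) -> None:
        self.audit_log.append(f"{event} user={username}")

    def enrol(self, username: str) -> str:
        """Issue an initial password; return it once for out-of-band delivery."""
        initial = generate_initial_password()
        salt, digest = hash_password(initial)
        self.accounts[username] = Account(username, salt, digest)
        self._log("credential_issued", username)
        return initial

    def check_policy(self, acct: Account, new_password: str) -> str | None:
        """Return a rejection reason, or None when the password is acceptable."""
        if len(new_password) < MIN_LENGTH:
            return "too_short"
        if acct.username.lower() in new_password.lower():
            return "contains_username"
        if hashlib.sha1(new_password.encode()).hexdigest().upper() in BREACHED_SHA1:
            return "known_compromised"
        recent = [(acct.salt, acct.digest)] + acct.history[-HISTORY_DEPTH:]
        if any(verify_password(new_password, s, d) for s, d in recent):
            return "reused"
        return None

    def change_password(self, username: str, current: str, new: str) -> str | None:
        """User-driven change; the current secret must be proven first."""
        acct = self.accounts[username]
        if not verify_password(current, acct.salt, acct.digest):
            self._log("change_rejected_bad_current", username)
            return "bad_current"
        reason = self.check_policy(acct, new)
        if reason:
            self._log(f"change_rejected_{reason}", username)
            return reason
        acct.history.append((acct.salt, acct.digest))   # keep old hash for reuse checks
        acct.salt, acct.digest = hash_password(new)
        acct.must_change = False
        self._log("credential_changed", username)
        return None

    def login(self, username: str, password: str) -> str:
        acct = self.accounts.get(username)
        if acct is None or not verify_password(password, acct.salt, acct.digest):
            self._log("login_failed", username)
            return "denied"
        self._log("login_ok", username)
        return "must_change_password" if acct.must_change else "ok"
```

The point of the design is that nothing in the store or the audit log is ever the secret itself: `enrol` returns the generated password exactly once, for delivery to the user, and from then on only salted PBKDF2 digests exist. Reuse is detected by re-hashing the candidate against the stored history with each entry's own salt, which is why the history holds (salt, digest) pairs rather than bare digests.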

Supplementary Authentication Methods

While passwords are the most common form of authentication, organisations can enhance security by incorporating additional authentication methods, such as:

  • Cryptographic Keys
  • Smart Cards
  • Biometric Data (e.g., fingerprints)

These methods provide an extra layer of security, particularly when combined with a password as multi-factor authentication, and reduce the exposure that comes from relying on passwords alone.

Changes from ISO 27001:2013

The 2022 version of Annex A Control 5.17 replaces ISO 27001:2013 Annex A 9.2.4, 9.3.1, and 9.4.3. While many principles remain the same, there are a few key differences:

  1. New Requirements for Record-Keeping: The 2022 version introduces the requirement for organisations to keep detailed records of all significant events related to the management and distribution of authentication information. This was not explicitly required in the 2013 version.
  2. Additional User Responsibilities: The new version emphasises that employees should have their password-related responsibilities outlined in their contracts. This formalises the requirement for secure password creation and usage.
  3. Removed Password Management Requirement: The 2013 version required that files containing passwords be stored on a different system than application data. This requirement has been removed in the 2022 version.

How Harpe Can Help Implement ISO 27001:2022 Annex A Control 5.17

Managing authentication information effectively is vital to maintaining security and ensuring compliance with ISO 27001:2022 Annex A Control 5.17. Harpe offers tools that simplify this process, ensuring your organisation can meet the requirements of this control.

  • Secure Password Management: Harpe supports the secure creation, modification, and storage of passwords, ensuring that credentials are managed in line with ISO standards.
  • Record-Keeping and Audits: Harpe helps organisations maintain detailed records of all authentication events, providing an easy way to meet the record-keeping requirements introduced in Annex A Control 5.17.
  • User Training and Awareness: Harpe offers training resources to ensure employees understand their responsibilities for managing passwords and authentication information securely.

ISO 27001:2022 Annex A Control 5.17 is crucial for ensuring the secure management and protection of authentication information, such as passwords and encryption keys. By following the guidelines outlined in this control, organisations can protect sensitive data, prevent unauthorised access, and maintain compliance with ISO standards.

With Harpe, your organisation can streamline the process of managing authentication information, ensuring compliance with Annex A Control 5.17 while enhancing overall cybersecurity. Ready to improve how you manage and protect authentication information? Get started with Harpe today!
