ISO 27001 Annex A Control 5.17

ISO 27001 control 5.17 Authentication information

The basics

ISO 27001 control A.5.17 Authentication information requires companies to manage passwords and other authentication information so that it is properly allocated to users, and so that users know how to handle it.

Documentation

ISO 27001 control A.5.17 Authentication information can be documented:

These documents are not mandatory but are recommended.

Implementation

In order to comply with control A.5.17 Authentication information you might implement the following:

  • Technology — the technology that enables the use of authentication information (including passwords) may involve software (e.g., password vaults, digital certificates, access management systems, etc.) and hardware (e.g., tokens). Companies may use the authentication features available on local computers to restrict what users can and cannot do with their local authentication information, and may use networked systems to allow centralized and remote management of authentication information.
  • Organization/processes — you should set up a process for defining allowed authentication methods (e.g., passwords, two-factor authentication, biometrics, etc.), how authentication information must be delivered to the user, and what users can and can’t do with authentication information. You can document those processes through an Access Control Policy or a Password Policy.
  • People — make employees aware of the risks of compromised authentication information, and train them on what they can and cannot do with authentication information.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.5.17 Authentication information: whether passwords and other authentication information are being managed.