ISO 27001 Annex A Control 8.5

ISO 27001 control 8.5 Secure authentication

The basics

ISO 27001 control A.8.5 Secure authentication requires companies to implement technologies for passwords and other authentication methods to prevent unauthorized disclosure of information.

Documentation

ISO 27001 control A.8.5 Secure authentication can be documented:

  • For smaller and mid-size companies – by writing an Information Classification Policy to define which information is sensitive and the required authentication level, and an Access Control Policy to define the rules for authentication
  • For larger companies – by writing a Secure Authentication Procedure

These documents are not mandatory but are recommended.

Implementation

In order to comply with control A.8.5 Secure authentication you might implement the following:

  • Technology — the technology to enable secure authentication may include software (e.g., passwords, two-factor authentication) and hardware (e.g., tokens for storing digital certificates). Companies may use the secure authentication features available on their local servers, or the authentication features offered by cloud solutions.
  • Organization/processes — you should set up a process for defining criteria for selecting authentication methods, based on the sensitivity of the information accessed, and who is responsible for implementing them. You can document those processes through an Access Control Policy or a Secure Authentication Procedure.
  • People — make employees aware of why protecting authentication systems is needed, and train IT staff on how to properly implement and protect them.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.8.5 Secure authentication: whether technologies for passwords and other authentication methods are implemented.