Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.”
Plain-language meaning
The organization must control how secret authentication information is issued, changed, protected, reset, and handled.
Authentication information includes passwords, PINs, passphrases, recovery answers, biometric templates or biometric data where used, temporary passwords, default credentials, tokens or secrets, and other information used to prove identity. User IDs and email addresses are identifiers, not secret authentication information.
Why this matters
Weak credential handling leads directly to unauthorized access. A strong access control model still fails if passwords are guessed, shared, written on notes, reset insecurely, or left as vendor defaults.
Authentication information connects tightly to A.5.15 Access Control and A.5.16 Identity Management. Identity says who the user is. Access control says what they can access. Authentication information helps prove the user is really the claimed identity.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Define a management process
The organization should document how authentication information is:
- issued;
- delivered;
- acknowledged;
- changed on first use;
- reset;
- stored;
- protected;
- revoked;
- reviewed where relevant.
The process should apply to normal users, administrators, contractors, third-party users, and service or system credentials where relevant.
2. Positively identify the user before issuing credentials
Credential allocation should be based on verified identity and approved business need.
Examples:
| Scenario | Good control |
|---|---|
| New employee receives initial password | Identity verified through HR onboarding and secure delivery method |
| Remote password reset | User identity verified through approved reset process |
| Admin credential issued | Owner approval, MFA, secure vault, and logging |
| Contractor credential created | Contract and sponsor approval confirmed |
Do not issue or reset credentials based only on an informal email or chat message.
3. Force change of temporary or default credentials
Initial temporary passwords and vendor defaults should be changed immediately or on first use.
Default credentials are not a minor hygiene issue. They are a common compromise route.
4. Advise personnel on handling responsibilities
Users should be told clearly that authentication information is secret and that they may be accountable for activity performed using their credentials.
User responsibilities should include:
- do not share credentials;
- do not write credentials where others can see them;
- do not reuse organizational passwords in personal systems;
- protect recovery answers;
- use approved password managers where allowed;
- report suspected credential compromise;
- follow reset procedures;
- protect MFA devices and tokens.
5. Enforce technical credential controls where possible
Where systems can enforce credential rules, use them.
Controls may include:
- minimum length;
- complexity or passphrase requirements where appropriate;
- blocked common passwords;
- MFA;
- password history;
- lockout or throttling;
- secure reset;
- no default passwords;
- secure storage through hashing or vaulting;
- credential rotation for service secrets where appropriate.
Do not blindly apply old password-change rules. Frequency should be risk-based and consistent with the organization’s policy, system capability, and threat model.
6. Use compensating controls where systems cannot enforce rules
Legacy systems may not enforce modern credential controls.
Compensating controls can include:
- increased monitoring;
- restricted network access;
- vaulting;
- manual review;
- additional approval;
- MFA through a gateway;
- documented risk acceptance;
- planned replacement.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should verify that authentication information is managed through a controlled process and that users understand their responsibilities.
Audit tests:
- review password/authentication policy;
- check technical settings against policy;
- sample initial credential allocation records;
- check user identity verification records;
- verify temporary/default credentials are changed;
- test password reset process design;
- review urgent reset process and follow-up;
- interview users at different levels;
- inspect whether credentials are written down or exposed;
- review password quality testing, if performed with approval.
Auditors should obtain proper management authority before testing or investigating sensitive authentication information.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Authentication/password policy | Rules are documented |
| Credential issuance procedure | Allocation is controlled |
| Identity verification records | Users are positively identified before issue/reset |
| User acknowledgement records | Users accept confidentiality responsibilities |
| Technical password/MFA configuration | Systems enforce policy |
| Password reset logs | Reset process is controlled and logged |
| Default password change evidence | Vendor/temporary credentials are changed |
| Privileged credential vault logs | High-risk secrets are protected |
| Awareness training records | Users are advised on handling |
| Password quality assessment records | Weak credentials are detected where authorized |
Strong evidence
- Credential allocation requires identity verification and authorization.
- Initial temporary credentials are changed on first use.
- Default vendor passwords are removed promptly.
- Technical settings match documented policy.
- Users acknowledge credential confidentiality responsibilities.
- Reset procedures verify identity and are logged.
- Urgent resets have follow-up review.
- Privileged credentials and secrets are vaulted or tightly controlled.
- Password quality checks are authorized and acted on.
Weak evidence
- Passwords sent in plain text without forced change.
- Default passwords remain in use.
- Users share accounts or credentials.
- Reset process relies only on informal manager email.
- Recovery questions use guessable public information.
- Technical settings do not match policy.
- Users do not know how to report suspected compromise.
- Passwords are visible on notes, spreadsheets, or chat history.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Default credentials not changed | Attackers try defaults first |
| Shared authentication information | Accountability is lost |
| Weak reset process | Attackers bypass strong login controls |
| Recovery answers treated as harmless | They are secret authentication information |
| Policy not technically enforced | Control depends only on user memory |
| No user acknowledgement | Confidentiality responsibility is weakly evidenced |
| Service secrets unmanaged | System-to-system compromise risk increases |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- User IDs and email addresses are not secret authentication information.
- Passwords are common, but authentication information also includes PINs, recovery answers, biometric data/templates, tokens, and secrets.
- Authentication information management is not the same as identity management, but it supports identity management.
- Temporary and default credentials must be controlled and changed.
- Users should be advised that they are accountable for activity performed with their credentials.
- Shared credentials weaken accountability and should be avoided or tightly controlled.
- Password cracking or credential testing needs proper authorization.
Related controls and concepts
- A.5.15 Access Control
- A.5.16 Identity Management
- A.5.2 Information Security Roles and Responsibilities
- A.5.10 Acceptable Use of Information and Other Associated Assets
- Access Control Matrix
- Identity Lifecycle Register
- Internal Audit
- Risk Assessment
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.17 requires authentication information to be allocated and managed through a controlled process. Users must be identified before credentials are issued or reset, temporary and default credentials must be changed, users must be advised to protect secret authentication information, and technical controls should enforce policy where possible.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Authentication
- Credentials
- Password management
- Audit
Note Metadata
Aliases: A.5.17, Authentication Information
Source: 02 Annex A Organizational Controls/A.5.17 Authentication Information.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Access Control
- Internal Audit
- Risk Assessment
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- A.5 Organizational Controls MOC
- A.5.17 Audit Evidence Pack
- AQ-ISO27001-A.5.17 Authentication Information
- ISO 27001 A.8.1 - User End Point Devices
- ISO 27001 A.8.2 - Privileged Access Rights
- ISO 27001 A.8.5 - Secure Authentication
- A.8 Technological Controls MOC
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.17 Authentication Information
- A.5 Controls Implementation Audit Risk Mapping
- EXAM-009 - Access, Identity, Authentication, and Rights
- EXAM-028 - Source Code, Authentication, and Capacity
- ISO 27002 Annex A Control Interpretation Map
- A.5.17 Audit Checklist
- Access Control Matrix
- Access Review Checklist
- Authentication Information Handling Standard
- Identity Lifecycle Register
- Secure Authentication Standard
- Annex A Controls MOC