UnixTime

Research Note

ISO 27001 A.5.17 - Authentication Information

The organization must control how secret authentication information is issued, changed, protected, reset, and handled.

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.”

Plain-language meaning

The organization must control how secret authentication information is issued, changed, protected, reset, and handled.

Authentication information includes passwords, PINs, passphrases, recovery answers, biometric templates or biometric data where used, temporary passwords, default credentials, tokens or secrets, and other information used to prove identity. User IDs and email addresses are identifiers, not secret authentication information.

Why this matters

Weak credential handling leads directly to unauthorized access. A strong access control model still fails if passwords are guessed, shared, written on notes, reset insecurely, or left as vendor defaults.

Authentication information connects tightly to A.5.15 Access Control and A.5.16 Identity Management. Identity says who the user is. Access control says what they can access. Authentication information helps prove the user is really the claimed identity.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

1. Define a management process

The organization should document how authentication information is:

  • issued;
  • delivered;
  • acknowledged;
  • changed on first use;
  • reset;
  • stored;
  • protected;
  • revoked;
  • reviewed where relevant.

The process should apply to normal users, administrators, contractors, third-party users, and service or system credentials where relevant.

2. Positively identify the user before issuing credentials

Credential allocation should be based on verified identity and approved business need.

Examples:

Scenario Good control
New employee receives initial password Identity verified through HR onboarding and secure delivery method
Remote password reset User identity verified through approved reset process
Admin credential issued Owner approval, MFA, secure vault, and logging
Contractor credential created Contract and sponsor approval confirmed

Do not issue or reset credentials based only on an informal email or chat message.

3. Force change of temporary or default credentials

Initial temporary passwords and vendor defaults should be changed immediately or on first use.

Default credentials are not a minor hygiene issue. They are a common compromise route.

4. Advise personnel on handling responsibilities

Users should be told clearly that authentication information is secret and that they may be accountable for activity performed using their credentials.

User responsibilities should include:

  • do not share credentials;
  • do not write credentials where others can see them;
  • do not reuse organizational passwords in personal systems;
  • protect recovery answers;
  • use approved password managers where allowed;
  • report suspected credential compromise;
  • follow reset procedures;
  • protect MFA devices and tokens.

5. Enforce technical credential controls where possible

Where systems can enforce credential rules, use them.

Controls may include:

  • minimum length;
  • complexity or passphrase requirements where appropriate;
  • blocked common passwords;
  • MFA;
  • password history;
  • lockout or throttling;
  • secure reset;
  • no default passwords;
  • secure storage through hashing or vaulting;
  • credential rotation for service secrets where appropriate.

Do not blindly apply old password-change rules. Frequency should be risk-based and consistent with the organization’s policy, system capability, and threat model.

6. Use compensating controls where systems cannot enforce rules

Legacy systems may not enforce modern credential controls.

Compensating controls can include:

  • increased monitoring;
  • restricted network access;
  • vaulting;
  • manual review;
  • additional approval;
  • MFA through a gateway;
  • documented risk acceptance;
  • planned replacement.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should verify that authentication information is managed through a controlled process and that users understand their responsibilities.

Audit tests:

  • review password/authentication policy;
  • check technical settings against policy;
  • sample initial credential allocation records;
  • check user identity verification records;
  • verify temporary/default credentials are changed;
  • test password reset process design;
  • review urgent reset process and follow-up;
  • interview users at different levels;
  • inspect whether credentials are written down or exposed;
  • review password quality testing, if performed with approval.

Auditors should obtain proper management authority before testing or investigating sensitive authentication information.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
Authentication/password policy Rules are documented
Credential issuance procedure Allocation is controlled
Identity verification records Users are positively identified before issue/reset
User acknowledgement records Users accept confidentiality responsibilities
Technical password/MFA configuration Systems enforce policy
Password reset logs Reset process is controlled and logged
Default password change evidence Vendor/temporary credentials are changed
Privileged credential vault logs High-risk secrets are protected
Awareness training records Users are advised on handling
Password quality assessment records Weak credentials are detected where authorized

Strong evidence

  • Credential allocation requires identity verification and authorization.
  • Initial temporary credentials are changed on first use.
  • Default vendor passwords are removed promptly.
  • Technical settings match documented policy.
  • Users acknowledge credential confidentiality responsibilities.
  • Reset procedures verify identity and are logged.
  • Urgent resets have follow-up review.
  • Privileged credentials and secrets are vaulted or tightly controlled.
  • Password quality checks are authorized and acted on.

Weak evidence

  • Passwords sent in plain text without forced change.
  • Default passwords remain in use.
  • Users share accounts or credentials.
  • Reset process relies only on informal manager email.
  • Recovery questions use guessable public information.
  • Technical settings do not match policy.
  • Users do not know how to report suspected compromise.
  • Passwords are visible on notes, spreadsheets, or chat history.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Default credentials not changed Attackers try defaults first
Shared authentication information Accountability is lost
Weak reset process Attackers bypass strong login controls
Recovery answers treated as harmless They are secret authentication information
Policy not technically enforced Control depends only on user memory
No user acknowledgement Confidentiality responsibility is weakly evidenced
Service secrets unmanaged System-to-system compromise risk increases

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • User IDs and email addresses are not secret authentication information.
  • Passwords are common, but authentication information also includes PINs, recovery answers, biometric data/templates, tokens, and secrets.
  • Authentication information management is not the same as identity management, but it supports identity management.
  • Temporary and default credentials must be controlled and changed.
  • Users should be advised that they are accountable for activity performed with their credentials.
  • Shared credentials weaken accountability and should be avoided or tightly controlled.
  • Password cracking or credential testing needs proper authorization.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.17 requires authentication information to be allocated and managed through a controlled process. Users must be identified before credentials are issued or reset, temporary and default credentials must be changed, users must be advised to protect secret authentication information, and technical controls should enforce policy where possible.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Authentication
  • Credentials
  • Password management
  • Audit

Note Metadata

Aliases: A.5.17, Authentication Information

Source: 02 Annex A Organizational Controls/A.5.17 Authentication Information.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Audit checks

Audit questions, checklists, or review material connected to the control.

04

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.