What the auditor wants to verify
Audit objective
Verify that authentication mechanisms and procedures are risk-based, technically secure, and aligned with access restrictions and access control policy.
Evidence to request
| Evidence | Purpose |
|---|---|
| Authentication standard | Shows authentication rules are defined |
| Authentication risk assessment | Shows mechanism strength is justified |
| MFA configuration reports | Shows strong authentication is implemented |
| Failed logon/lockout settings | Shows guessing attempts are controlled |
| Error message review | Shows logon does not leak sensitive detail |
| Authentication logs and alerts | Shows monitoring exists |
| Exception and compensating control records | Shows weak systems are risk-managed |
Strong evidence
- MFA is implemented for remote, privileged, and high-risk access where required.
- MFA uses different factor types.
- Failed logon handling includes lockout, delay, throttling, alerting, or equivalent controls.
- Logon errors do not reveal account existence or technical detail.
- Legacy limitations are documented with compensating controls.
Weak evidence
- MFA is claimed but uses repeated passwords/PINs.
- Logon errors reveal whether accounts exist.
- No failed-attempt controls exist.
- Weak recovery flow bypasses normal authentication.
- Exceptions are undocumented.
Sample interview questions
- How was the authentication method selected?
- Which systems require MFA and why?
- What happens after repeated failed logons?
- Do error messages reveal account or system details?
- How are authentication exceptions approved and monitored?
Common nonconformities
- Authentication strength not linked to risk.
- True MFA not implemented where required.
- Verbose authentication failures.
- No lockout/throttling/delay.
- Compensating controls missing for legacy systems.
Related notes
- Audit
- Evidence
- A8 5
- Iso27001
Note Metadata
Aliases: A.8.5 Evidence
Source: 04 Audit Evidence Packs/A.8.5 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.5 - Secure Authentication
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.5 Secure Authentication
- A.8.5 Audit Checklist
- Authentication Exception and Compensating Control Record
- Authentication Mechanism Review Checklist
- Secure Authentication Standard
- Audit Evidence Index