Requirement
Requirement lens
This control asks whether authentication technology and procedures are secure enough for the access restrictions and access control policy.
“Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.”
Plain-language meaning
Authentication is the point where a system tests whether the person, service, or device claiming an identity should be accepted. Secure authentication means the logon process does not leak unnecessary information, resists guessing and brute-force attempts, uses appropriate factors, and matches the risk of the information being accessed.
This control is related to A.5.17 Authentication Information, but it is not the same. A.5.17 focuses on handling secrets such as passwords and tokens. A.8.5 focuses on the actual authentication mechanism and procedure.
Why this matters
Weak authentication lets attackers turn guessed, stolen, reused, or phished credentials into system access. Poor error messages, no lockout, no delay, visible passwords, weak recovery flows, or repeated single-factor steps can all make unauthorized access easier.
High-risk systems usually need multi-factor authentication. Repeating the same type of factor, such as password plus PIN, is not true multi-factor authentication.
Implementation guidance
Implementer focus
Select authentication strength from risk. Sensitive information, privileged access, remote access, and high-impact systems normally need stronger authentication than low-risk internal systems.
1. Define authentication requirements by risk
Authentication requirements should consider:
- classification and sensitivity of information;
- access method, such as remote, local, API, privileged, or third party;
- user role and privilege level;
- business impact of unauthorized access;
- regulatory or contractual requirements;
- compensating controls where system features are limited.
2. Avoid information leakage during logon
Authentication screens and error messages should not reveal unnecessary details such as:
- whether a user account exists;
- operating system, service, or application version;
- database or infrastructure details;
- overly specific failure reasons useful to attackers.
3. Use proper multi-factor authentication where needed
Multi-factor authentication should combine different factor types:
| Factor type | Example |
|---|---|
| Something you know | Password or passphrase |
| Something you have | Hardware token, authenticator app, certificate |
| Something you are | Biometric factor where appropriate |
Two passwords, or a password plus another memorized PIN, are repeated single-factor authentication, not true MFA.
4. Configure secure authentication behavior
Secure authentication should include appropriate controls such as hidden password entry, lockout or throttling after failed attempts, recovery controls, logging, alerting, and session handling.
5. Use compensating controls where systems are limited
Some systems cannot provide strong authentication features. In those cases, the organization should document the limitation, assess the risk, and apply compensating controls such as network restriction, physical restriction, monitoring, delay controls, or additional gateway authentication.
Audit guidance
Auditor focus
Test whether authentication methods match risk, avoid unnecessary information disclosure, resist guessing, and use true multi-factor authentication where required.
Auditors should verify:
- risk assessment for authentication methods;
- authentication policy or standard;
- MFA requirements and implementation;
- failed logon handling;
- lockout, delay, throttling, and recovery procedures;
- password masking and secure input behavior;
- error message content;
- authentication logs and alerts;
- compensating controls for systems with weak native authentication;
- coverage across operating systems, applications, remote access, privileged access, and third-party access.
Evidence examples
Evidence quality
Strong evidence proves authentication strength is risk-based, technically configured, tested, and monitored.
| Evidence | What it proves |
|---|---|
| Authentication standard | Rules are defined |
| Risk assessment | Authentication strength is justified |
| MFA configuration report | Different-factor MFA is implemented |
| Failed logon settings | Guessing attempts are controlled |
| Error message review | Logon process does not leak sensitive information |
| Authentication logs | Activity is monitored |
| Exception/compensating control records | Weak systems are risk-managed |
Strong evidence
- MFA is enabled for remote, privileged, and high-risk access where required.
- Factors are genuinely different.
- Failed attempts trigger delay, throttling, lockout, alerting, or other controls.
- Error messages do not confirm account existence or reveal system detail.
- Authentication limitations are documented with compensating controls.
Weak evidence
- MFA is claimed but only repeats passwords/PINs.
- Systems reveal whether usernames exist.
- No lockout, throttling, or alerting exists for repeated failures.
- Passwords are displayed or recoverable.
- Legacy authentication weaknesses are accepted without documented risk treatment.
Common failures
Implementation watchouts
A.8.5 fails when authentication strength is chosen by default system capability instead of risk.
| Failure | Why it matters |
|---|---|
| Password-only access for high-risk systems | Stolen credentials become full access |
| Repeated single-factor authentication | Gives false assurance of MFA |
| Verbose logon errors | Helps attackers enumerate accounts and systems |
| No failed-attempt controls | Enables brute-force and guessing |
| Weak recovery flow | Attackers bypass the main authentication path |
| No compensating controls for legacy systems | Known weakness remains untreated |
Exam traps
Exam focus
A.8.5 is about authentication technologies and procedures, not only passwords.
| Trap | Correct interpretation |
|---|---|
| Password plus PIN is MFA | It is usually repeated single-factor authentication |
| Authentication errors should help users as much as possible | They should not reveal unnecessary system or account information |
| MFA is required everywhere in the same way | Authentication strength should be risk-based |
| If a system cannot support lockout, nothing can be done | Compensating controls should be assessed and applied |
| A.8.5 is the same as A.5.17 | A.5.17 handles authentication information; A.8.5 tests the authentication mechanism |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.1 User End Point Devices
- A.8.2 Privileged Access Rights
- A.8.3 Information Access Restriction
- A.5.15 Access Control
- A.5.16 Identity Management
- A.5.17 Authentication Information
- A.5.18 Access Rights
- Authentication Information Handling Standard
- Secure Authentication Standard
- Authentication Mechanism Review Checklist
- Authentication Exception and Compensating Control Record
- A.8.5 Audit Evidence Pack
- A.8.5 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.5 makes authentication strong enough for the access risk. Good evidence shows risk-based authentication, real MFA where needed, controlled failures, safe error messages, and compensating controls for weak systems.
- Select authentication mechanisms based on risk and access restrictions.
- Avoid logon messages that leak system or account information.
- Use true MFA where risk requires it.
- Control repeated failed attempts and recovery paths.
- Document compensating controls for systems that cannot meet the standard.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Authentication
- Access control
- Audit
Note Metadata
Aliases: A.8.5, Secure Authentication
Source: 05 Annex A Technological Controls/A.8.5 Secure Authentication.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.17 - Authentication Information
- ISO 27001 A.5.18 - Access Rights
- A.8.5 Audit Evidence Pack
- ISO 27001 A.8.1 - User End Point Devices
- ISO 27001 A.8.2 - Privileged Access Rights
- ISO 27001 A.8.24 - Use of Cryptography
- ISO 27001 A.8.3 - Information Access Restriction
- ISO 27001 A.8.7 - Protection Against Malware
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.5 Secure Authentication
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-028 - Source Code, Authentication, and Capacity
- EXAM-037 - Use of Cryptography
- ISO 27002 Annex A Control Interpretation Map
- A.8.5 Audit Checklist
- Authentication Exception and Compensating Control Record
- Authentication Information Handling Standard
- Authentication Mechanism Review Checklist
- Secure Authentication Standard
- Annex A Controls MOC