When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this to define how passwords, PINs, recovery answers, MFA tokens, biometric authentication data, privileged credentials, and service secrets are issued, handled, reset, and protected.
Standard rules
| Area | Requirement | Evidence |
|---|---|---|
| Identity verification | Verify user before issuing or resetting credentials | Verification record |
| Initial credentials | Use temporary credentials and force change on first use | System setting/log |
| Default credentials | Change vendor/default credentials before production use | Build checklist |
| User responsibilities | Users must keep authentication information confidential | Acknowledgement/training |
| Password quality | Enforce length, blocked common passwords, and policy requirements where possible | Technical settings |
| MFA | Apply MFA where risk or policy requires it | MFA configuration |
| Reset process | Verify identity and log reset activity | Service desk log |
| Urgent reset | Apply additional follow-up review | Reset review record |
| Privileged credentials | Store in approved vault or equivalent control | Vault logs |
| Service secrets | Store, rotate, and restrict access | Secrets register/log |
User acknowledgement checklist
- I will not share passwords, PINs, MFA codes, tokens, recovery answers, or other secret authentication information.
- I will not write or store authentication information where unauthorized people can access it.
- I will report suspected compromise immediately.
- I understand activity performed with my credentials may be attributable to me.
- I will follow approved reset and recovery procedures.
Related notes
- Template
- Iso27001
- A5 17
- Authentication
Note Metadata
Aliases: Credential Handling Standard, Password Handling Standard
Source: 90 Templates/Authentication Information Handling Standard.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.17 - Authentication Information
- A.5.17 Audit Evidence Pack
- ISO 27001 A.8.5 - Secure Authentication
- A.5 Organizational Controls Implementation Guide
- ISO 27002 Annex A Control Interpretation Map
- A.5.17 Audit Checklist
- Templates MOC