When to use this
Use this standard to define minimum authentication expectations for applications, operating systems, remote access, privileged access, and third-party access.
Related controls
- A.8.5 Secure Authentication
- A.5.17 Authentication Information
- A.8.2 Privileged Access Rights
- A.8.3 Information Access Restriction
Authentication requirements
| Access type | Minimum authentication | MFA required? | Failed-attempt control | Logging/alerting | Exception allowed? |
|---|---|---|---|---|---|
| Remote access | TBD | Yes/No | TBD | TBD | Yes/No |
| Privileged access | TBD | Yes/No | TBD | TBD | Yes/No |
| Standard application access | TBD | Yes/No | TBD | TBD | Yes/No |
| Third-party access | TBD | Yes/No | TBD | TBD | Yes/No |
Minimum checks
- Authentication strength is risk-based.
- MFA uses different factor types where required.
- Logon errors do not reveal sensitive detail.
- Failed attempts are controlled.
- Recovery/reset flows are protected.
- Exceptions have compensating controls.
- Template
- Iso27001
- Technological controls
- Authentication
Note Metadata
Aliases: Authentication Security Standard
Source: 90 Templates/Secure Authentication Standard.md
Related Notes
- ISO 27001 A.5.17 - Authentication Information
- A.8.5 Audit Evidence Pack
- ISO 27001 A.8.2 - Privileged Access Rights
- ISO 27001 A.8.3 - Information Access Restriction
- ISO 27001 A.8.5 - Secure Authentication
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.8.5 Audit Checklist
- Authentication Mechanism Review Checklist
- Templates MOC