ISO 27001:2022 Annex A Control 5.17

Annex A 5.17 Guidance on Allocation of Authentication Information

Organisations should adhere to these six requirements for the allotment and administration of authentication information:

• Upon enrolment of new users, automatically generated personal passwords and personal identification numbers must be non-guessable. Additionally, each user must have a unique password and it is obligatory to change passwords after initial use.
• Organisations should have solid processes to check a user’s identity before they are given new or replacement authentication info, or are provided with temporary info.
• Organisations should guarantee the secure transmission of authentication details to individuals via secure pathways, and must not send such information over unsecure electronic messages (e.g. plain text).
• Users must ensure they have received the authentication details.
• Organisations should act quickly after installing new IT systems and software, altering the default authentication details straight away.
• Organisations ought to set up and persistently keep records of all significant events in relation to the management and allocation of authentication information. These records must be kept private and methods of record-keeping should be authorised, e.g. with the use of an authorised password tool.

Annex A 5.17 Guidance on User Responsibilities

Users with access to authentication information should be instructed to adhere to the following:

• Users must keep secret authentication information such as passwords confidential and must not share it with anyone else. When multiple users are involved in the use of authentication information or the information is linked to non-personal entities, they must not disclose it to unauthorised individuals.
• Users must switch their passwords straight away if the secrecy of their passwords has been breached.
• Users should select hard-to-guess, strong passwords in compliance with industry standards. For example:
• Passwords should not be based on personal information that can be easily obtained, such as names or birthdates.
• Passwords should not be founded on information that can be readily guessed.
• Passwords must not comprise of words or sequences of words that are common.
• Use alphanumerics and special characters in your password.
• Passwords should have a minimum length requirement.
• Users must not employ the same password for various services.
• Organisations should have their employees accept the responsibility for creating and using passwords in their employment contracts.

Annex A 5.17 Guidance on Password Management Systems

Organisations should observe the following when setting up a password management system:

• Users should have the ability to create and modify their passwords, with a verification procedure in place to detect and rectify any mistakes when entering data.
• Organisations should abide by industry best practices when developing a robust password selection process.
• Users must change their default passwords upon first accessing a system.
• It’s essential to change passwords when appropriate. For instance, after a security incident or when an employee leaves their job, and had access to passwords, a password change is necessary.
• Previous passwords should not be recycled.
• The use of passwords that are widely known, or have been accessed in a breach of security, should not be permitted for accessing any hacked systems.
• When passwords are inputted, they should be displayed on the screen in clear text.
• Passwords must be transmitted and stored through secure channels in a secure format.

Organisations should also implement hashing and encryption procedures in line with the approved cryptographic methods for passwords stated in Annex A Control 8.24 of ISO 27001:2022.

Supplementary Guidance on Annex A Control 5.17

In addition to passwords, other forms of authentication, such as cryptographic keys, smart cards, and biometric data like fingerprints.

Organisations should look to the ISO/IEC 24760 series for further advice on authentication data.

Considering the hassle and annoyance of regularly changing passwords, organisations may consider alternatives such as single sign-on or password vaults. It should be noted, however, that these options increase the risk of confidential authentication information being exposed to unauthorised parties.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 5.17 is the replacement for ISO 27001:2013 Annex A 9.2.4, 9.3.1 and 9.4.3.

ISO 27001:2022 Contains a New Requirement for Allocation and Management of Authentication Information

In 2013, the requirements for allocating and managing authentication information were very similar. However, ISO 27001:2022 Annex A Control 5.17 introduced a requirement that was not present in 2013.

Organisations must create and maintain records for all significant events associated with the management and distribution of authentication info. These records should be kept confidential, with authorised record-keeping techniques, for example, the use of an accepted password tool.

The 2022 Version Contains an Additional Requirement for Use of Authentication Information

ISO 27001:2022 Annex A Control 5.17 introduces a requirement for user responsibilities that wasn’t specified in Control 9.3.1 of the 2013 version.

Organisations should include password requirements in their contracts with employees and staff. Such requirements should cover the creation and use of passwords.

ISO 27001:2013 Contained an Additional Requirements for User Responsibilities That Was Not Included in the 2022 Version

In comparison to the 2022 Version, Control 9.3.1 contained the following mandate for the employment of authentication data:

Users ought not to employ the same authentication details, for example a password, for both work and non-work purposes.

ISO 27001:2013 Contained an Additional Requirement for Password Management Systems That Was Not Included in the 2022 Version

Control 9.4.3 of the 2013 Version requires that password management systems must:

Ensure files with passwords should be held on a different system to the one hosting application data.

ISO 27001:2022 Annex A Control 5.17 does not require this.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Help

ISMS.Online enables organisations and businesses to comply with ISO 27001:2022 necessities by providing them with a platform that facilitates managing, updating, testing and monitoring the effectiveness of their confidentiality or non-disclosure policies and procedures.

We offer a cloud-based platform for administering Confidentiality and Information Security Management Systems, featuring non-disclosure clauses, risk management, policies, plans, and procedures, all in one convenient location. It is straightforward to use, with an intuitive interface that makes it simple to learn.

Get in touch with us today to arrange a demonstration.