ISO 27001:2022 Annex A 8.5 – Secure Authentication

• See ISO 27002:2022 Control 8.5 for more information.
• See ISO 27001:2013 Annex A 9.4.2 for more information.

Purpose of ISO 27001:2022 Annex A 8.5

Secure authentication is the main way users, both human and non-human, access an organisation’s ICT resources.

In the last ten years, authentication technology has experienced a major transformation from classical username/password validation to a variety of supplementary methods involving biometric data, logical and physical access controls, external device authentications, SMS codes, and one-time passwords (OTP).

Annex A 8.5 provides organisations with a framework for controlling access to their ICT systems and assets via a secure login gateway. It outlines precisely how this should be done.

ISO 27001:2022 Annex A Control 8.5 is a preventative measure which maintains risk levels by introducing technology and instituting secure authentication procedures, which ensure that human and non-human users and identities undertake a secure authentication process when attempting to access ICT resources.

Ownership of Annex A 8.5

ISO 27001:2022 Annex A 8.5 addresses an organisation’s capacity to control access to its network (and the data and information housed therein) at key points, e.g. a login portal.

The control covers information and data security as a whole, with the operational guidance focusing mainly on technical aspects.

The Head of IT (or equivalent) should have ownership due to holding responsibility of IT administration duties on a day-to-day basis.

General Guidance on ISO 27001:2022 Annex A 8.5

Organisations should take into account the type and sensitivity of the data and network being accessed when considering authentication controls. Examples of such controls include:

• Smart access controls (smart cards).
• Biometric logins.
• Secure tokens.
• Multi-factor authentication (MFA).
• Digital certificates.

The primary aim of a company’s secure authentication measures should be to deter and reduce the possibility of unauthorised access to its safeguarded systems.

To attain this, ISO 27001:2022 Annex A 8.5 sets out twelve foremost guidelines. Enterprises should:

1. Ensure that information is only displayed after a successful authentication process.
2. Show a warning message prior to logging in that clearly states only authorised users may access the data.
3. Reduce the help given to unauthorised people trying to get into the system. For example, businesses ought not to reveal which part of the log-in has been incorrect, such as a biometric factor of a multi-factor authentication log-in – instead, only state that the log-in has not worked.
4. Verify the login attempt only when all necessary information has been supplied to the login service, to maintain safety.
5. Implement industry-standard security measures to protect against blanket access and brute force attacks on login portals. These can include:
• CAPTCHA is a security feature that requires you to enter a string of characters to verify that you are a human user.
• Enforcing a reset of a password following a definite number of unsuccessful login attempts.
• After a certain number of unsuccessful attempts, further logins are thwarted. To prevent this, set a limit.
6. For auditing and security, every failed login attempt shall be noted, including for criminal and/or regulatory proceedings.
7. In the event of any major login discrepancies, such as a suspected intrusion, a security incident must be immediately initiated. Internal personnel, notably those with systems administrator access or the ability to thwart malicious login attempts, must be notified straight away.
8. Once a successful login has been confirmed, certain data must be transmitted to another repository which details:
• The last successful logon occurred on [date] at [time].
• Record of all attempted logins since the last authenticated logon.
9. Show passwords as asterisks or other similar abstract symbols, unless there is a reason not to (e.g. user accessibility).
10. No tolerance for passwords to be shared or displayed in plain, readable text.
11. Ensure that idle login sessions are ended after a set time-frame. This is especially pertinent for sessions in high risk locations (remote work situations) or on user-owned devices, such as personal laptops or mobile phones.
12. Restrict the duration for which an authenticated session may stay open, even when active, depending on the data being accessed (e.g. vital business info, or money-related programs).

Guidance on Biometric Logins

The International Organization for Standardization urges that biometric login processes be combined with at least one other login technique, due to their comparative effectiveness and integrity when compared to traditional methods such as passwords, MFA and tokens.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.5 supersedes ISO 27001:2013 Annex A 9.4.2 (Secure log-in protocols).

ISO 27001:2022 Annex A 8.5 is a revision of the 2013 version, with slight modifications to language and the same security principles underlying it. The document still contains the 12 familiar guidance points.

In line with the increased use of multi-factor authentication and biometric login technologies over the past ten years, the ISO 27001:2022 Annex A 8.5 provides explicit instructions on how organisations should incorporate these techniques when formulating their own login controls.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Help

Our cloud-based platform equips you with a strong framework of information security controls to aid the ISMS process and ensure it meets the ISO 27001:2022 criteria. Utilised correctly, ISMS.online can help you attain certification with minimal time and resources.

Contact us today to arrange a demonstration.