ISO 27001:2022 Annex A 5.17 Checklist Guide

By Max Edwards | Updated 15 August 2024

Using a checklist for A.5.17 Authentication Information ensures thorough and systematic compliance, enhancing security, preventing unauthorised access, and maintaining data integrity. Achieving compliance builds stakeholder trust, meets regulatory requirements, and safeguards organisational assets.

ISO 27001 A.5.17 Authentication Information Checklist

A.5.17 Authentication Information is a crucial control within the ISO 27001:2022 standard that emphasises the proper management and protection of authentication information used to verify the identity of users, systems, and processes.

This control ensures that authentication information, such as passwords, cryptographic keys, and tokens, is protected from unauthorised access and misuse, thereby maintaining the integrity and security of the information systems.

Purpose of Annex A.5.17

The main goal of A.5.17 is to secure authentication information, ensuring it is properly managed and protected to prevent unauthorised access, misuse, and potential data breaches. This involves implementing strong authentication mechanisms, ensuring secure storage and transmission, restricting access to authorised personnel, and maintaining a robust incident response plan.

Key Elements of A.5.17 Authentication Information

  1. Authentication Policy: Establish and document a clear policy for managing authentication information, defining requirements for creating, storing, and handling authentication data.
  2. Strong Authentication Mechanisms: Implement robust authentication mechanisms, including complex passwords, multi-factor authentication (MFA), and secure token management, to make bypassing authentication controls difficult.
  3. Secure Storage: Ensure authentication information is stored securely using encryption or other appropriate methods to prevent unauthorised access.
  4. Transmission Security: Protect authentication information during transmission across networks using secure communication protocols like HTTPS, TLS, and VPNs.
  5. Access Control: Restrict access to authentication information to authorised personnel only, employing role-based access control (RBAC) to manage access rights.
  6. Regular Updates and Review: Regularly update and review authentication information to ensure continued effectiveness, including periodic password changes, updating security keys, and reviewing access permissions.
  7. Incident Response: Develop and implement procedures for responding to incidents involving compromised authentication information, including identifying breaches, notifying affected parties, and taking corrective actions.

Why Should You Comply With Annex A.5.17? Key Aspects and Common Challenges

Authentication Policy

Challenge: Ensuring comprehensive coverage and user understanding.

Solution: Leverage ISMS.online Policy Management features to create clear, accessible, and regularly updated policies.

Associated Clause: Create, review, and communicate information security policies. Ensure that documented information is controlled and maintained.

Strong Authentication Mechanisms

Challenge: Balancing security and user convenience.

Solution: Use MFA and secure token management facilitated by ISMS.online’s Access Control features to implement robust yet user-friendly authentication methods.

Associated Clause: Establish and implement processes for information security risk assessment and treatment, including measures for access control and user authentication.

Secure Storage

Challenge: Protecting stored authentication information against sophisticated attacks.

Solution: Utilise ISMS.online’s Document Access and Encryption features to ensure secure storage of sensitive information.

Associated Clause: Ensure the protection of documented information and maintain the confidentiality, integrity, and availability of information.

Transmission Security

Challenge: Securing data in transit, especially across complex network architectures.

Solution: Implement secure communication protocols and monitor them using ISMS.online’s Monitoring and Reporting tools.

Associated Clause: Implement security measures for information security in networks, ensuring data in transit is protected against unauthorised access and manipulation.

Access Control

Challenge: Maintaining strict access controls without hindering operational efficiency.

Solution: Employ Role-Based Access Control (RBAC) and Identity Management features in ISMS.online to enforce precise access controls.

Associated Clause: Define and manage access rights, ensuring that users are provided with access based on their roles and responsibilities.

Regular Updates and Review

Challenge: Keeping authentication information up-to-date in a dynamic threat landscape.

Solution: Schedule regular updates and reviews using ISMS.online’s Monitoring and Audit Management features.

Associated Clause: Regularly review and update security measures, ensuring that controls remain effective and up-to-date with evolving threats.

Incident Response

Challenge: Rapidly responding to and mitigating incidents involving authentication information.

Solution: Utilise ISMS.online’s Incident Tracker, Workflow Automation, and Notifications to ensure a swift and coordinated response.

Associated Clause: Establish procedures for responding to information security incidents, including the identification, reporting, and management of incidents.

Implementation Steps for A.5.17

Policy Development

Challenge: Ensuring comprehensive policy creation and adoption.

Solution: Create a comprehensive authentication policy using ISMS.online Policy Templates and ensure continuous policy review with Version Control features.

Associated Clause: Develop, review, and communicate information security policies, ensuring they are maintained and accessible.

Technology Implementation

Challenge: Integrating new technologies with existing systems.

Solution: Deploy technologies supporting strong authentication, leveraging ISMS.online’s Access Control and Secure Storage capabilities.

Associated Clause: Implement information security risk treatment plans, ensuring appropriate controls for technology integration and access management.

User Training

Challenge: Achieving user engagement and understanding.

Solution: Use ISMS.online’s Training Modules to educate users on the importance of secure authentication practices and track their participation.

Associated Clause: Provide information security awareness and training programmes, ensuring users understand their roles and responsibilities.

Monitoring and Auditing

Challenge: Ensuring continuous compliance and identifying potential weaknesses.

Solution: Continuously monitor authentication information using ISMS.online’s Monitoring and Reporting tools and conduct regular audits with Audit Templates and Plans.

Associated Clause: Monitor, measure, analyse, and evaluate information security performance, ensuring continuous improvement through audits and reviews.

Benefits of Implementing A.5.17

  • Enhanced Security: Protecting authentication information reduces the risk of unauthorised access and potential data breaches.
  • Compliance: Adhering to this control helps organisations comply with regulatory requirements and industry standards.
  • Trust and Integrity: Ensures the integrity of authentication processes, thereby building trust with stakeholders and customers.

ISMS.online Features for Demonstrating Compliance with A.5.17

ISMS.online provides several features that are useful for demonstrating compliance with A.5.17 Authentication Information:

  • Policy Management:
    • Policy Templates: Utilise pre-built policy templates to create comprehensive authentication policies.
    • Policy Pack: Ensure all related policies are bundled together for easy access and management.
    • Version Control: Track changes to policies and ensure the latest versions are implemented.
  • Access Control:
    • Role-Based Access Control (RBAC): Define and manage access rights to authentication information based on user roles.
    • Identity Management: Manage and synchronise user identities across systems to ensure consistent access controls.
  • Secure Storage:
    • Document Access: Securely store authentication information and control access to these documents.
    • Encryption: Implement encryption for sensitive documents and data within the platform.
  • Incident Management:
    • Incident Tracker: Record and track incidents involving authentication information.
    • Workflow Automation: Automate response procedures to ensure quick and effective action.
    • Notifications: Alert relevant personnel immediately when an incident is detected.
  • Training and Awareness:
    • Training Modules: Deploy training programmes to educate users on the importance of secure authentication practices.
    • Training Tracking: Monitor and document user participation and understanding of security training.
  • Audit and Compliance:
    • Audit Templates: Use predefined templates to conduct regular audits of authentication information management.
    • Audit Plan: Schedule and manage audit activities to ensure continuous compliance.
    • Corrective Actions: Document and track corrective actions arising from audits to ensure timely resolution.
  • Monitoring and Reporting:
    • KPI Tracking: Measure and report on key performance indicators related to authentication information security.
    • Compliance Reporting: Generate reports to demonstrate compliance with A.5.17 requirements.

Detailed Annex A.5.17 Compliance Checklist

  • Policy Development:
    • Create a comprehensive authentication policy using ISMS.online Policy Templates.
    • Regularly review and update the policy using Version Control features.
    • Ensure policy communication to all relevant stakeholders.
  • Technology Implementation:
    • Implement strong authentication mechanisms like MFA and secure tokens.
    • Use ISMS.online’s Access Control features to manage authentication mechanisms.
    • Encrypt stored authentication information using ISMS.online’s Encryption tools.
  • User Training:
    • Deploy training programmes on secure authentication practices using Training Modules.
    • Track user participation and understanding with Training Tracking.
    • Regularly update training content to reflect current best practices.
  • Monitoring and Auditing:
    • Continuously monitor authentication information with ISMS.online’s Monitoring tools.
    • Conduct regular audits using Audit Templates and Plans.
    • Document and track corrective actions from audit findings.
  • Access Control:
    • Implement Role-Based Access Control (RBAC) for managing access to authentication information.
    • Ensure identity management and synchronisation across systems.
    • Regularly review and update access permissions.
  • Secure Storage:
    • Store authentication information securely with Document Access controls.
    • Use encryption for sensitive documents and data.
    • Regularly review storage security measures.
  • Transmission Security:
    • Implement secure communication protocols like HTTPS, TLS, and VPNs.
    • Monitor and audit data transmission security.
    • Regularly update protocols to address new threats.
  • Incident Response:
    • Develop incident response procedures for compromised authentication information.
    • Utilise Incident Tracker for recording and tracking incidents.
    • Automate response workflows and send notifications for quick action.
  • Regular Updates and Review:
    • Schedule periodic updates and reviews of authentication information.
    • Update passwords and security keys regularly.
    • Conduct regular access reviews and adjust permissions as necessary.

Every Annex A Control Checklist Table

ISO 27001 Annex A.5 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.5.1 | Policies for Information Security Checklist
Annex A.5.2 | Information Security Roles and Responsibilities Checklist
Annex A.5.3 | Segregation of Duties Checklist
Annex A.5.4 | Management Responsibilities Checklist
Annex A.5.5 | Contact With Authorities Checklist
Annex A.5.6 | Contact With Special Interest Groups Checklist
Annex A.5.7 | Threat Intelligence Checklist
Annex A.5.8 | Information Security in Project Management Checklist
Annex A.5.9 | Inventory of Information and Other Associated Assets Checklist
Annex A.5.10 | Acceptable Use of Information and Other Associated Assets Checklist
Annex A.5.11 | Return of Assets Checklist
Annex A.5.12 | Classification of Information Checklist
Annex A.5.13 | Labelling of Information Checklist
Annex A.5.14 | Information Transfer Checklist
Annex A.5.15 | Access Control Checklist
Annex A.5.16 | Identity Management Checklist
Annex A.5.17 | Authentication Information Checklist
Annex A.5.18 | Access Rights Checklist
Annex A.5.19 | Information Security in Supplier Relationships Checklist
Annex A.5.20 | Addressing Information Security Within Supplier Agreements Checklist
Annex A.5.21 | Managing Information Security in the ICT Supply Chain Checklist
Annex A.5.22 | Monitoring, Review and Change Management of Supplier Services Checklist
Annex A.5.23 | Information Security for Use of Cloud Services Checklist
Annex A.5.24 | Information Security Incident Management Planning and Preparation Checklist
Annex A.5.25 | Assessment and Decision on Information Security Events Checklist
Annex A.5.26 | Response to Information Security Incidents Checklist
Annex A.5.27 | Learning From Information Security Incidents Checklist
Annex A.5.28 | Collection of Evidence Checklist
Annex A.5.29 | Information Security During Disruption Checklist
Annex A.5.30 | ICT Readiness for Business Continuity Checklist
Annex A.5.31 | Legal, Statutory, Regulatory and Contractual Requirements Checklist
Annex A.5.32 | Intellectual Property Rights Checklist
Annex A.5.33 | Protection of Records Checklist
Annex A.5.34 | Privacy and Protection of PII Checklist
Annex A.5.35 | Independent Review of Information Security Checklist
Annex A.5.36 | Compliance With Policies, Rules, and Standards for Information Security Checklist
Annex A.5.37 | Documented Operating Procedures Checklist


ISO 27001 Annex A.6 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.6.1 | Screening Checklist
Annex A.6.2 | Terms and Conditions of Employment Checklist
Annex A.6.3 | Information Security Awareness, Education and Training Checklist
Annex A.6.4 | Disciplinary Process Checklist
Annex A.6.5 | Responsibilities After Termination or Change of Employment Checklist
Annex A.6.6 | Confidentiality or Non-Disclosure Agreements Checklist
Annex A.6.7 | Remote Working Checklist
Annex A.6.8 | Information Security Event Reporting Checklist


ISO 27001 Annex A.7 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.7.1 | Physical Security Perimeters Checklist
Annex A.7.2 | Physical Entry Checklist
Annex A.7.3 | Securing Offices, Rooms, and Facilities Checklist
Annex A.7.4 | Physical Security Monitoring Checklist
Annex A.7.5 | Protecting Against Physical and Environmental Threats Checklist
Annex A.7.6 | Working in Secure Areas Checklist
Annex A.7.7 | Clear Desk and Clear Screen Checklist
Annex A.7.8 | Equipment Siting and Protection Checklist
Annex A.7.9 | Security of Assets Off-Premises Checklist
Annex A.7.10 | Storage Media Checklist
Annex A.7.11 | Supporting Utilities Checklist
Annex A.7.12 | Cabling Security Checklist
Annex A.7.13 | Equipment Maintenance Checklist
Annex A.7.14 | Secure Disposal or Re-Use of Equipment Checklist


ISO 27001 Annex A.8 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.8.1 | User Endpoint Devices Checklist
Annex A.8.2 | Privileged Access Rights Checklist
Annex A.8.3 | Information Access Restriction Checklist
Annex A.8.4 | Access to Source Code Checklist
Annex A.8.5 | Secure Authentication Checklist
Annex A.8.6 | Capacity Management Checklist
Annex A.8.7 | Protection Against Malware Checklist
Annex A.8.8 | Management of Technical Vulnerabilities Checklist
Annex A.8.9 | Configuration Management Checklist
Annex A.8.10 | Information Deletion Checklist
Annex A.8.11 | Data Masking Checklist
Annex A.8.12 | Data Leakage Prevention Checklist
Annex A.8.13 | Information Backup Checklist
Annex A.8.14 | Redundancy of Information Processing Facilities Checklist
Annex A.8.15 | Logging Checklist
Annex A.8.16 | Monitoring Activities Checklist
Annex A.8.17 | Clock Synchronisation Checklist
Annex A.8.18 | Use of Privileged Utility Programs Checklist
Annex A.8.19 | Installation of Software on Operational Systems Checklist
Annex A.8.20 | Networks Security Checklist
Annex A.8.21 | Security of Network Services Checklist
Annex A.8.22 | Segregation of Networks Checklist
Annex A.8.23 | Web Filtering Checklist
Annex A.8.24 | Use of Cryptography Checklist
Annex A.8.25 | Secure Development Life Cycle Checklist
Annex A.8.26 | Application Security Requirements Checklist
Annex A.8.27 | Secure System Architecture and Engineering Principles Checklist
Annex A.8.28 | Secure Coding Checklist
Annex A.8.29 | Security Testing in Development and Acceptance Checklist
Annex A.8.30 | Outsourced Development Checklist
Annex A.8.31 | Separation of Development, Test and Production Environments Checklist
Annex A.8.32 | Change Management Checklist
Annex A.8.33 | Test Information Checklist
Annex A.8.34 | Protection of Information Systems During Audit Testing Checklist


How ISMS.online Helps With A.5.17

Ready to enhance your information security posture and ensure compliance with ISO 27001:2022 A.5.17?

Contact ISMS.online today to book a demo and see how our comprehensive platform can help you manage and protect authentication information effectively.

Our experts are here to guide you through every step of the process, ensuring your organisation meets and exceeds industry standards.