Secure authentication is the primary method which human and non-human users engage with when attempting to utilise an organisation’s ICT assets.
Over the past decade, authentication technology has undergone a fundamental shift from traditional username/password-based validations into a variety of complementing techniques involving biometric information, logical and physical access controls, external device authentications, SMS codes and one time passwords (OTP).
27002:2022-8.5 puts all of this into context and advises organisations on precisely how they should be controlling access to their ICT systems and assets via a secure login gateway.
Control 8.5 is a preventative control that maintains risk by implementing technology and establishing topic-specific secure authentication procedures that ensure human and non-human users and identities undergo a robust and secure authentication procedure when attempting to access ICT resources.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity and Access Management | #Protection |
Control 8.5 deals with an organisation’s ability to control access to its network (and the information and data contained within) at critical junctions, such as a login gateway.
Whilst the control does deal with information and data security as a broader concept, the operational guidance is primarily of a technical nature.
As such, ownership should reside with the Head of IT (or organisational equivalent), who holds responsibility for the organisation’s day-to-day IT administration functions.
Control 8.5 asks organisations to consider authentication controls that are relevant to the type and sensitivity of the data and network that’s being accessed, including:
The overriding goal of an organisation’s secure authentication controls should be to prevent and/or minimise the risk of unauthorised access to its protected systems.
To achieve this, Control 8.5 outlines 12 main guidance points. Organisations should:
Book a tailored hands-on session
based on your needs and goals
Book your demo
ISO recommends that due to a number of factors related to the effectiveness and integrity of biometric login processes over traditional measures (passwords, MFA, tokens etc.), biometric authentication methods should not be used in isolation, and accompanied by at least one other login technique.
27002:2022-8.5 replaces 27002:2014-9.4.2 (Secure log-on procedures).
27002:2022-8.5 contains the same 12 guidance points as its 2013 counterpart, with minor adjustments to the wording, and follows the same set of underlying security principles.
In-line with the rise of MFA and biometric login technologies over the past decade, 27002:2022-8.5 contains explicit guidance on the use of both techniques that organisations should consider when formulating their own set of login controls.
Our cloud-based platform provides you with a robust framework of information security controls so that you can checklist your ISMS process as you go to ensure that it meets the requirements for ISO 27000k. Used properly, ISMS. online can assist you in achieving certification with the bare minimum of time and resources.
Get in touch today to book a demo.
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |