ISO 27002:2022 – Control 8.5 – Secure Authentication

Purpose of Control 8.5

Secure authentication is the primary method which human and non-human users engage with when attempting to utilise an organisation’s ICT assets.

Over the past decade, authentication technology has undergone a fundamental shift from traditional username/password-based validations into a variety of complementing techniques involving biometric information, logical and physical access controls, external device authentications, SMS codes and one time passwords (OTP).

27002:2022-8.5 puts all of this into context and advises organisations on precisely how they should be controlling access to their ICT systems and assets via a secure login gateway.

Control 8.5 is a preventative control that maintains risk by implementing technology and establishing topic-specific secure authentication procedures that ensure human and non-human users and identities undergo a robust and secure authentication procedure when attempting to access ICT resources.

Attributes Table of Control 8.5

Ownership of Control 8.5

Control 8.5 deals with an organisation’s ability to control access to its network (and the information and data contained within) at critical junctions, such as a login gateway.

Whilst the control does deal with information and data security as a broader concept, the operational guidance is primarily of a technical nature.

As such, ownership should reside with the Head of IT (or organisational equivalent), who holds responsibility for the organisation’s day-to-day IT administration functions.

General Guidance on Control 8.5

Control 8.5 asks organisations to consider authentication controls that are relevant to the type and sensitivity of the data and network that’s being accessed, including:

• Multi-factor authentication (MFA)
• Digital certificates
• Smart access controls (smart cards)
• Biometric logins
• Secure tokens

The overriding goal of an organisation’s secure authentication controls should be to prevent and/or minimise the risk of unauthorised access to its protected systems.

To achieve this, Control 8.5 outlines 12 main guidance points. Organisations should:

1. Restrict the display of information until after a successful authentication attempt.
2. Display a warning pre-logon which clearly states that information should only be accessed by authorised users.
3. Minimise the assistance it provides to unauthenticated users who are attempting to access the system e.g. organisations should not divulge which specific part of a login attempt is incorrect, such as a biometric aspect of an MFA login, and instead simply state that the login attempt has failed.
4. Validate the login attempt only when all required information has been provided to the login service, to maintain security.
5. Implement industry-standard security measures that protect against blanket access and/or brute force attacks on login portals. These measures can include:
• CAPTCHA controls
• Enforcing a password reset after a set amount of failed login attempts
• Preventing further login attempts following a predefined number of failed attempts
6. Recording all failed login attempts for auditing and security purposes, including their use in criminal and/or regulatory proceedings.
7. Initiating a security incident whenever a major login discrepancy is detected, such as a perceived intrusion. In these cases, all relevant internal personnel should be notified, particularly those with systems administrator access or any ability to combat malicious login attempts.
8. Upon validating a login, relay certain pieces of information to a separate data source that list:
• The date and time of the previous successful logon
• A list of all login attempts since the last validated logon
9. Display passwords as asterisk’s (or similarly abstract symbols), where there is no pressing need not to do so (e.g. user accessibility).
10. Strictly prohibit the sharing of or display of passwords as clear, legible text.
11. Maintain a policy of terminating dormant login sessions after a specific period of time. This is particularly relevant for sessions that are active in high risk locations (remote working environments) or on user-supplied assets such as personal laptops or mobile phones.
12. Limiting the amount of time that an authenticated session can remain open – even when active – relative to the information that’s being accessed (i.e. business critical information or financially sensitive applications).

Guidance – Biometric Logins

ISO recommends that due to a number of factors related to the effectiveness and integrity of biometric login processes over traditional measures (passwords, MFA, tokens etc.), biometric authentication methods should not be used in isolation, and accompanied by at least one other login technique.

Changes and Differences from ISO 27002:2013

27002:2022-8.5 replaces 27002:2014-9.4.2 (Secure log-on procedures).

27002:2022-8.5 contains the same 12 guidance points as its 2013 counterpart, with minor adjustments to the wording, and follows the same set of underlying security principles.

In-line with the rise of MFA and biometric login technologies over the past decade, 27002:2022-8.5 contains explicit guidance on the use of both techniques that organisations should consider when formulating their own set of login controls.

New ISO 27002 Controls

How ISMS.online Helps

Our cloud-based platform provides you with a robust framework of information security controls so that you can checklist your ISMS process as you go to ensure that it meets the requirements for ISO 27000k. Used properly, ISMS. online can assist you in achieving certification with the bare minimum of time and resources.

Get in touch today to book a demo.