ISO 27001 Control 5.17: Authentication Information Management
Authentication credentials are among the most targeted assets in a security breach. ISO 27001 5.17 requires you to establish a defined process for managing authentication information—from issuance through revocation—and train personnel on secure handling practices. This control is fundamental to preventing unauthorized access across your organization.
What this means
Control 5.17 mandates that your organization implement a structured approach to managing all forms of authentication information, including passwords, tokens, biometric data, and certificates. The process must cover the complete lifecycle: creation, distribution, storage, usage, and destruction. Critically, you must provide personnel with clear guidance on proper handling, including rules against sharing credentials, secure storage practices, and incident reporting procedures.
How to comply
- 1.Document a formal authentication management process covering creation, issuance, renewal, and revocation of all authentication credentials
- 2.Establish minimum password or passphrase requirements aligned with NIST or equivalent standards
- 3.Implement mechanisms to prevent credential reuse and enforce periodic changes for high-risk accounts
- 4.Define and communicate clear personnel guidelines prohibiting credential sharing, writing down passwords, or storing them insecurely
- 5.Restrict authentication information storage to secure vaults or key management systems with access logging
- 6.Train all personnel on proper authentication handling, including recognition of phishing and social engineering
- 7.Monitor and audit authentication credential usage for anomalies or policy violations
- 8.Establish a process for immediate revocation when personnel depart or roles change
Evidence auditors look for
- Authentication management policy document approved by management
- Documented password/passphrase requirements and complexity rules
- Personnel security awareness training records specific to credential handling
- System logs showing authentication credential creation, renewal, and revocation events
- Access logs for credential storage systems demonstrating restricted access
- Incident reports showing response to suspected credential compromise
- Role-based access control matrices limiting who can create or manage credentials
- Configuration screenshots from password managers or key management systems
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates credential lifecycle tracking and enforces authentication policies across your tools, automatically logging issuance, renewal, and revocation events to streamline 5.17 audit evidence collection.
See how GRCWatch handles this control automatically
Start free trial