Implementing ISO 27001 Annex A 8.5 is the technical enforcement of Secure Authentication protocols to verify user identity before granting system access. This control mandates the configuration of Multi-Factor Authentication (MFA), strict password complexity policies, and the removal of legacy protocols to mitigate credential theft and ensure data integrity.
ISO 27001 Annex A Secure Authentication Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.5 by focusing on rigorous, manual configuration rather than superficial dashboard toggles. True authentication security requires hardening the underlying directory services, server configurations, and physical access protocols before any software overlay is applied.
1. Establish the Authentication Topic-Specific Policy
Control Requirement: A defined policy must govern the management of authentication information and parameters. Required Implementation Step: Open your Information Security Policy repository. Draft a standalone “Access Control & Authentication Policy” document. Explicitly define the organisational ban on shared accounts, the minimum encryption standards for credential transmission (e.g., TLS 1.3), and the mandatory use of Multi-Factor Authentication (MFA) for all administrative and remote access.Minimum Requirement: A signed PDF document referenced in employee induction packs, not just a tick-box in a GRC portal.
2. Configure Active Directory Password Length Policies
Control Requirement: Passwords must meet strength requirements proportionate to the sensitivity of the data. Required Implementation Step: Open the Group Policy Management Console (GPMC) on your domain controller. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy. Set “Minimum password length” to at least 14 characters.Minimum Requirement: Enforcing length over complexity to mitigate brute-force attacks effectively.
3. Abolish Arbitrary Password Rotation
Control Requirement: Authentication parameters should not be changed without a valid security reason. Required Implementation Step: In the same GPMC path, set “Maximum password age” to 0 (or a very high value like 365 days) to disable forced rotation. Forced rotation leads to weak, predictable patterns (e.g., Summer2025!).Minimum Requirement: Removal of the 90-day reset rule to prevent “password fatigue” and post-it note storage.
4. Enforce MFA at the Identity Provider Level
Control Requirement: Strong authentication mechanisms, such as MFA, must be validated. Required Implementation Step: Access your primary Identity Provider (IdP) configuration (e.g., Azure AD, Okta, or local LDAP MFA plugin). Create a “Conditional Access Policy” that strictly blocks any login attempt from an Administrator role that does not satisfy a strong authentication claim (TOTP or FIDO2).Minimum Requirement: MFA enabled for 100% of privileged accounts, with no “skip for now” options allowed.
5. Harden Service Account Configurations
Control Requirement: Non-human authentication must be managed and secured. Required Implementation Step: Audit your server fleet for accounts running scheduled tasks or services. Open `lusrmgr.msc` or `/etc/passwd`. Set these accounts to “User cannot change password” and “Password never expires” (monitored). Crucially, assign the “Deny log on locally” and “Deny log on through Remote Desktop Services” rights in the Local Security Policy.Minimum Requirement: Service accounts must technically be incapable of interactive login sessions.
6. Sanitise Login Error Messages
Control Requirement: Authentication feedback must not reveal which part of the credential was incorrect. Required Implementation Step: Review the source code or configuration files of your web applications and login portals. Replace specific errors like “User not found” or “Incorrect Password” with a generic “Invalid Login Credentials” message.Minimum Requirement: Prevents “User Enumeration” attacks where attackers verify email addresses before guessing passwords.
7. Implement Rate Limiting and Lockouts
Control Requirement: Protection against brute-force login attempts is required. Required Implementation Step: Configure `fail2ban` on Linux servers or “Account Lockout Policy” in Windows AD. Set the threshold to 10 invalid attempts within 15 minutes. Ensure the lockout duration is at least 30 minutes to break automated attack scripts.Minimum Requirement: Automated blocking of IP addresses or accounts under active dictionary attack.
8. Deploy Physical “Break Glass” Emergency Access
Control Requirement: Emergency access mechanisms must be available and controlled. Required Implementation Step: Create one Global Admin account excluded from MFA policies (to prevent lockout during IdP outages). Generate a complex 30+ character password. Print this password, seal it in a tamper-evident envelope, and lock it in a physical fireproof safe.Minimum Requirement: A physical, offline recovery key that leaves a forensic trace (broken seal) if used.
9. Eliminate Legacy Authentication Protocols
Control Requirement: Obsolete and insecure authentication protocols must be disabled. Required Implementation Step: Run a protocol audit on your network. block legacy protocols like POP3, IMAP, and SMTP (Basic Auth) at the firewall or Exchange/Tenant level. Force all connections to use Modern Authentication (OAuth 2.0).Minimum Requirement: Absolute blocking of clear-text authentication attempts across the network perimeter.
10. Mask Credential Input Fields
Control Requirement: Passwords must not be displayed in clear text during entry. Required Implementation Step: Verify that all internal and external login forms use `input type=”password”`. Inspect endpoint configurations to ensure “Reveal Password” buttons are disabled via browser management policies where high-security data is accessed.Minimum Requirement: Visual obfuscation of credentials to prevent shoulder-surfing in physical environments.
ISO 27001 Annex A 8.5 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Secure Password Management | GRC tool asks: “Do you have a password policy?” (Yes/No toggle). | Compliance fails if the Domain Controller still allows “Password123”. Auditors check the GPO settings, not the GRC dashboard. |
| Multi-Factor Authentication | SaaS platform marks control as “Passed” because you bought an MFA license. | Fails if the “break glass” account is not documented or if MFA is disabled for the CEO because “it’s annoying”. |
| Service Accounts | Tool ignores non-human accounts entirely. | Real risk lies in a hard-coded API key in a script on a forgotten developer server. This requires code reviews, not checkboxes. |
| Login Feedback | Platform checks if you have a WAF (Web Application Firewall). | Fails if your internal bespoke app returns “User Valid, Password Invalid”, handing attackers a user list. |
| Password Rotation | Tool flags “Critical Risk” because passwords aren’t changed every 90 days. | This is outdated advice. The reality check is that forced rotation lowers security. You must defy the tool to meet modern ISO standards. |
| Legacy Protocols | Dashboard shows “Identity Score: 95%”. | Fails if a single legacy printer is sending credentials in clear text over port 25, exposing the entire network. |
| Physical Security of Creds | Not covered by software. | The “Break Glass” password must be in a physical safe. No SaaS tool can verify the existence of a physical envelope. |
DO IT YOURSELF ISO 27001
STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS
About the author
