
ISO 27001 Annex A 5.17 Audit Checklist

In this ultimate how-to-audit guide to ISO 27001 Annex A 5.17 Authentication Information, you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Auditing ISO 27001 Annex A 5.17 Authentication Information involves verifying the secure allocation, management, and revocation of secret authentication data. This process validates the Primary Implementation Requirement of protecting passwords, tokens, and biometrics through a formalised lifecycle. The Business Benefit is a reduced risk of credential theft and unauthorised access, achieved through robust secrets management.

1. Authentication Information Management Policy Verified

Verification Criteria: A formalised policy exists that defines the requirements for the allocation, management, and revocation of authentication secrets, including specific rules for complex passwords and multi-factor authentication.

Required Evidence: Approved Access Control Policy or dedicated Authentication Management Standard with version history and management sign-off.

Pass/Fail Test: If the policy does not explicitly define requirements for temporary authentication information (e.g. initial setup passwords), mark as Non-Compliant.

2. Secure Initial Allocation of Secrets Confirmed

Verification Criteria: The process for issuing temporary authentication information (initial passwords) ensures that the information is sent via a secure, out-of-band channel and is forced to change upon first use.

Required Evidence: System configuration screenshots showing “User must change password at next logon” is enabled for new accounts and logs of secret delivery (e.g. encrypted SMS or secure portal).

Pass/Fail Test: If temporary passwords are sent in clear-text via email or are not forced to change immediately, mark as Non-Compliant.
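The "forced to change on first use" check above is one an auditor can evidence from the directory itself rather than from a single screenshot. The following PowerShell script is an added example and not part of the original checklist: it lists every Active Directory account created in the last 30 days and flags those that do not carry the "User must change password at next logon" setting (in AD that setting is stored as pwdLastSet = 0, so Get-ADUser returns an empty PasswordLastSet). It assumes the RSAT ActiveDirectory module, read access to the domain, and the 30-day window and output file name are arbitrary choices for illustration.

```powershell
# Added example, not from the original page or from any ISO 27001 toolkit.
# Purpose: produce audit evidence for Annex A 5.17 step 2 by listing recently
# created AD accounts and whether "must change password at next logon" is set.
# Assumes: RSAT ActiveDirectory module installed, read access to the domain.
Import-Module ActiveDirectory

# Review window and evidence file are illustrative values; adjust to the audit scope.
$cutoff     = (Get-Date).AddDays(-30)
$evidence   = '.\A5-17-new-accounts.csv'

# whenCreated lets us scope to new joiners; pwdLastSet (raw Int64) is the
# authoritative flag: 0 means the user must change the password at next logon.
$newAccounts = Get-ADUser -Filter { whenCreated -ge $cutoff } `
    -Properties whenCreated, pwdLastSet, PasswordLastSet, Enabled, LastLogonDate

$findings = foreach ($u in $newAccounts) {
    $mustChange = ($u.pwdLastSet -eq 0)
    # If the password was set well after creation the user has already rotated it,
    # which is an acceptable reason for the flag to be clear. Five minutes of slack
    # covers the normal delay between account creation and initial password set.
    $rotated = ($null -ne $u.PasswordLastSet) -and
               ($u.PasswordLastSet -gt $u.whenCreated.AddMinutes(5))

    [pscustomobject]@{
        SamAccountName             = $u.SamAccountName
        Enabled                    = $u.Enabled
        Created                    = $u.whenCreated
        PasswordLastSet            = $u.PasswordLastSet
        LastLogonDate              = $u.LastLogonDate
        MustChangeAtNextLogon      = $mustChange
        PasswordChangedSinceCreate = $rotated
        # Exception: enabled account, still on its initial password, no forced change.
        Exception                  = ($u.Enabled -and -not $mustChange -and -not $rotated)
    }
}

# Full listing goes into the audit file as Required Evidence.
$findings | Export-Csv -Path $evidence -NoTypeInformation

# Exceptions are what the Pass/Fail test is applied to.
$findings | Where-Object { $_.Exception } |
    Format-Table SamAccountName, Created, PasswordLastSet, LastLogonDate -AutoSize
```

Run it from a workstation with the AD module under an account that can read user objects; no changes are made to the directory. An empty exception table supports a Pass for this step, while any enabled account that is still on its initial password with the flag cleared is exactly the condition the Pass/Fail test marks as Non-Compliant. Keep the CSV alongside the screenshot and the secret-delivery logs so the finding is reproducible.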

3. Personnel Guidance on Secure Handling Validated

Verification Criteria: Users are formally advised on their responsibilities for keeping authentication information confidential and are prohibited from sharing secrets.

Required Evidence: Staff training records, signed Acceptable Use Policy (AUP), or periodic security awareness newsletters covering secret protection.

Pass/Fail Test: If an interviewee cannot identify the organisation’s official policy regarding password sharing or “post-it note” storage, mark as Non-Compliant.
