Auditing ISO 27001 Annex A 8.5 (Secure Authentication Information) is the technical verification of how authentication secrets such as passwords, keys and tokens are managed. The primary implementation requirement is the enforcement of cryptographic hashing and vaulting of those secrets; the business benefit is protection of accounts against credential-based attacks and unauthorised access.
ISO 27001 Annex A 8.5 Secure Authentication Information Audit Checklist
This technical verification tool is designed for lead auditors to confirm the robust management and protection of secrets used for system access. Use this checklist to validate compliance with ISO 27001 Annex A 8.5.
1. Secure Authentication Policy Formalisation Verified
Verification Criteria: A documented policy exists defining the requirements for the creation, distribution, storage, and change of authentication information (passwords, keys, tokens).
Required Evidence: Approved “Access Control Policy” or “Password Standard” with explicit complexity and lifecycle requirements.
Pass/Fail Test: If the organisation cannot produce a formal policy mandating how authentication secrets must be managed, mark as Non-Compliant.
2. Default Credential Neutralisation Confirmed
Verification Criteria: Factory-default passwords for all systems, hardware appliances, and software packages are changed immediately upon installation.
Required Evidence: System hardening logs or configuration checklists showing the modification of “admin/password” or “root” defaults.
Pass/Fail Test: If any active network device or server is found to be accessible via factory-default credentials, mark as Non-Compliant.
3. Temporary Password Lifecycle Enforcement Validated
Verification Criteria: Temporary authentication information issued for password resets or initial onboarding is unique to the user and expires after first use.
Required Evidence: Identity Provider (IdP) settings showing “Force Password Change on Next Login” is enabled for new or reset accounts.
Pass/Fail Test: If temporary passwords do not expire upon first use or are sent via unencrypted channels (e.g. plain-text email), mark as Non-Compliant.
4. Secret Storage Masking and Hashing Verified
Verification Criteria: Authentication information is never stored in plain text and is protected using strong cryptographic hashing (e.g. Argon2, bcrypt) with unique salts.
Required Evidence: Database schema definitions or security architecture diagrams confirming salted one-way hashing of passwords.
Pass/Fail Test: If any application database is found storing user passwords in plain text or using reversible encryption, mark as Non-Compliant.
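A practical way to carry out this test during fieldwork is to sample values from the credential column and classify each one, then compare against what compliant storage looks like. The following Python is an added example written for this checklist, not code from the page or any vendor: the sample column is constructed, the bcrypt-shaped row is a placeholder rather than a real hash, and the compliant store uses scrypt from the standard library with a PHC-style serialisation chosen here for illustration.

```python
import base64
import hashlib
import hmac
import os
import re

# Prefixes of modern salted password-hashing formats (PHC string format / modular crypt format).
SALTED_KDF_PREFIXES = ("$argon2id$", "$argon2i$", "$2a$", "$2b$", "$2y$",
                       "$scrypt$", "$pbkdf2-sha256$", "$pbkdf2-sha512$")
# A bare 32/40/64-character hex string is the signature of unsalted MD5 / SHA-1 / SHA-256.
BARE_HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def classify_stored_secret(value: str) -> str:
    """Classify one value sampled from a credential column for the audit finding."""
    if value.startswith(SALTED_KDF_PREFIXES):
        return "salted-kdf-hash"            # acceptable on its face; still review the work factor
    if BARE_HEX_DIGEST.match(value):
        return "bare-hex-digest"            # fast unsalted digest: precomputed-table exposure, non-compliant
    return "plaintext-or-reversible"        # readable secret or reversible ciphertext: non-compliant


def audit_column(sample: list) -> dict:
    """Count each storage class across a sample of column values."""
    counts = {"salted-kdf-hash": 0, "bare-hex-digest": 0, "plaintext-or-reversible": 0}
    for value in sample:
        counts[classify_stored_secret(value)] += 1
    return counts


# Constructed sample of a users.password column, one row per storage pattern seen in practice.
SAMPLE_COLUMN = [
    "$2b$12$" + "K" * 53,                          # bcrypt-shaped placeholder (constructed, not a real hash)
    "5f4dcc3b5aa765d61d8327deb882cf99",             # MD5 of "password", no salt
    "Password123",                                  # stored in the clear
]

# What compliant storage looks like: scrypt (memory-hard KDF in the standard library)
# with a fresh 16-byte random salt per record, serialised in a PHC-style string.
SCRYPT_LOG_N, SCRYPT_R, SCRYPT_P, DKLEN = 14, 8, 1, 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def store_password(password: str) -> str:
    salt = os.urandom(16)                           # unique per record, never reused
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** SCRYPT_LOG_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"$scrypt$ln={SCRYPT_LOG_N},r={SCRYPT_R},p={SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the KDF with the stored salt and parameters; compare in constant time."""
    _, scheme, params, salt_b64, digest_b64 = stored.split("$")
    if scheme != "scrypt":
        return False
    kv = dict(item.split("=") for item in params.split(","))
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                            n=2 ** int(kv["ln"]), r=int(kv["r"]), p=int(kv["p"]), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(audit_column(SAMPLE_COLUMN))
    record = store_password("correct horse battery staple")
    print(record, verify_password(record, "correct horse battery staple"))
```

The classifier cannot tell reversible ciphertext from plaintext by inspection, which is the point of the table's "Reality Check": both land in the non-compliant bucket, and only a salted, slow KDF string passes. Two calls to `store_password` with the same input yield different records because the salt is fresh each time.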
5. Corporate Password Manager Deployment Confirmed
Verification Criteria: A centralised, enterprise-grade secret management tool or password vault is provided to personnel to prevent insecure storage of secrets.
Required Evidence: Admin console report from a Password Manager (e.g. 1Password, Bitwarden, KeePassXC) showing active user seats.
Pass/Fail Test: If personnel are found storing secrets on sticky notes, unencrypted spreadsheets, or within browser caches without a formal vault, mark as Non-Compliant.
6. Multi-Factor Authentication (MFA) Integration Validated
Verification Criteria: Authentication secrets are supplemented by a second factor (TOTP, FIDO2, Push) for all critical systems and remote access.
Required Evidence: MFA enforcement reports from the IdP showing 100% activation across high-risk accounts.
Pass/Fail Test: If critical administrative accounts rely solely on a single authentication secret for access, mark as Non-Compliant.
7. Secure Secret Distribution Mechanism Verified
Verification Criteria: Authentication information is distributed through secure, out-of-band channels that ensure only the intended recipient can access the secret.
Required Evidence: Service Desk procedure logs for password resets using secure portals or encrypted one-time-link generators.
Pass/Fail Test: If helpdesk staff communicate new passwords over the telephone or via unencrypted chat without identity verification, mark as Non-Compliant.
8. Automated Password Complexity Enforcement Confirmed
Verification Criteria: Technical controls (GPO, MDM, or IdP policies) prevent the selection of weak or common passwords through enforced complexity rules.
Required Evidence: Configuration screenshots of the “Default Domain Policy” or IAM password policy settings.
Pass/Fail Test: If a user can successfully change their password to “Password123” or “Company2026”, mark as Non-Compliant.
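The pass/fail test above can be scripted so the auditor runs the same candidate set against the policy logic every time. This Python is an added example, not code from the page or from any GPO/MDM/IdP product: the minimum length, organisation terms and common base words are constructed assumptions standing in for the organisation's own Password Standard, and the normalisation step is what catches "Password123" and "Company2026" rather than just character-class counting.

```python
import re

MIN_LENGTH = 12                                    # assumption: taken from the organisation's Password Standard
ORG_TERMS = {"company", "acme"}                    # constructed: the organisation's own names and brands
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "admin", "changeme",
                "summer", "autumn", "winter", "spring"}
# Common substitutions users apply to dodge naive complexity rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Reduce a candidate to the word it was built from: "P@ssw0rd2026!" -> "password"."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)           # drop trailing digits/symbols ("2026!", "123")
    base = re.sub(r"^[^a-z@$]+", "", base)         # drop leading punctuation, keep leet symbols
    return base.translate(LEET)


def evaluate_password(password: str, org_terms=ORG_TERMS) -> list:
    """Return the list of policy rules the candidate breaks (empty list means accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) < 4:
        failures.append("fewer than 4 distinct characters")
    base = normalise(password)
    if base in COMMON_BASES:
        failures.append(f"common base word '{base}' with trivial prefix/suffix")
    for term in sorted(org_terms):
        if term in base:
            failures.append(f"contains organisation term '{term}'")
    return failures


def audit_policy(samples: list) -> dict:
    """Auditor's test: map each candidate to its failures; a weak sample with [] is a finding."""
    return {pw: evaluate_password(pw) for pw in samples}


# Constructed candidate set: the checklist's two examples plus common variants and one passphrase.
AUDIT_SAMPLES = ["Password123", "Company2026", "Summer2026!", "P@ssw0rd2026",
                 "correct horse battery staple"]

if __name__ == "__main__":
    for candidate, failures in audit_policy(AUDIT_SAMPLES).items():
        print(f"{candidate!r}: {'ACCEPTED' if not failures else '; '.join(failures)}")
```

If the live system accepts any candidate that this logic rejects, the technical control is weaker than the written policy, which is exactly the gap the comparison table below warns about.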
9. Authentication Information Disposal Validated
Verification Criteria: When accounts are decommissioned or tokens revoked, associated authentication information is securely purged from the system.
Required Evidence: IAM logs showing “Account Purged” or “Secret Revoked” events following HR termination triggers.
Pass/Fail Test: If inactive accounts retain valid, unrevoked secrets/tokens for more than 24 hours post-termination, mark as Non-Compliant.
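The 24-hour test is most reliably checked by reconciling the HR termination feed against the IAM event log rather than by reading a dashboard. The following Python is an added example written for this checklist, not the page's own or any IAM product's code: both exports are constructed sample data in a simple CSV layout assumed here, and the event names that count as disposal are assumptions to map onto the organisation's real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample exports (UTC): HR termination triggers and IAM secret-lifecycle events.
HR_EVENTS = """\
2026-03-02T09:00:00Z,TERMINATED,jsmith
2026-03-02T09:05:00Z,TERMINATED,ajones
2026-03-03T16:30:00Z,TERMINATED,kmiller
"""
IAM_EVENTS = """\
2026-03-02T09:20:00Z,SECRET_REVOKED,jsmith
2026-03-02T09:21:00Z,ACCOUNT_PURGED,jsmith
2026-03-04T11:00:00Z,SECRET_REVOKED,ajones
2026-03-03T16:40:00Z,PASSWORD_CHANGED,kmiller
"""
REVOCATION_EVENTS = {"SECRET_REVOKED", "ACCOUNT_PURGED"}   # assumed names of events that satisfy disposal
MAX_DELAY = timedelta(hours=24)                             # threshold from the checklist's pass/fail test
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text: str) -> list:
    """Parse 'timestamp,event,user' lines into (datetime, event, user) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user = line.split(",")
        rows.append((datetime.strptime(ts, TS_FORMAT), event, user))
    return rows


def find_lingering_secrets(hr_text: str, iam_text: str, max_delay=MAX_DELAY) -> dict:
    """Map each leaver whose secrets outlived the threshold to (status, hours_to_revocation)."""
    terminations = {u: ts for ts, ev, u in parse_events(hr_text) if ev == "TERMINATED"}
    earliest_revocation = {}
    for ts, ev, u in parse_events(iam_text):
        if ev in REVOCATION_EVENTS and (u not in earliest_revocation or ts < earliest_revocation[u]):
            earliest_revocation[u] = ts
    findings = {}
    for user, left_at in terminations.items():
        revoked_at = earliest_revocation.get(user)
        if revoked_at is None:
            findings[user] = ("not-revoked", None)             # no disposal event at all
        elif revoked_at - left_at > max_delay:
            hours = round((revoked_at - left_at).total_seconds() / 3600, 2)
            findings[user] = ("revoked-late", hours)           # disposed, but outside the window
    return findings


if __name__ == "__main__":
    for user, (status, hours) in find_lingering_secrets(HR_EVENTS, IAM_EVENTS).items():
        print(f"{user}: {status}" + (f" ({hours} h)" if hours is not None else ""))
```

Note that a password change (kmiller) is not disposal: the account still holds a valid secret. Only a revocation or purge event clears the finding, and the first such event after termination is the one timed against the threshold.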
10. Periodic Credential Compromise Monitoring Verified
Verification Criteria: The organisation monitors for leaked or compromised corporate credentials appearing on external breach databases.
Required Evidence: Reports from Dark Web monitoring tools or “Have I Been Pwned” enterprise alerts integrated into the SOC workflow.
Pass/Fail Test: If the organisation has no mechanism to detect if a staff member’s corporate secret has been leaked in a third-party breach, mark as Non-Compliant.
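One concrete mechanism behind the "Have I Been Pwned" evidence is the Pwned Passwords range API, which lets an organisation check a credential against the breach corpus without sending the password or its full hash off-host: only the first five hex characters of the SHA-1 are sent, and the matching suffixes come back. The Python below is an added example, not the page's code or the HIBP project's client: the range response is constructed and embedded so it runs offline, the count shown for the test value is made up, and only the endpoint URL and response line format are the real service's.

```python
import hashlib
import urllib.request

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"   # real Pwned Passwords k-anonymity endpoint


def sha1_split(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (padded responses may include zero-count filler lines)."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Return how often the password appears in the corpus; 0 means not seen. fetch_range is injectable."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed offline stand-in for the service: SHA-1("password") starts with 5BAA6; the count is invented.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0012FC2F0A6E4F1B7E9C4D6A2B8F3E5D7C9:2\r\n",
}


def fetch_range_offline(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Real lookup (not exercised here): Add-Padding hides the true result size from network observers."""
    req = urllib.request.Request(RANGE_ENDPOINT + prefix,
                                 headers={"Add-Padding": "true", "User-Agent": "annex-a-8-5-audit-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple 2026"]:
        print(f"{candidate!r}: seen {breach_count(candidate, fetch_range_offline)} times")
```

For the control in item 10 the same lookup is wired into the SOC workflow at password-change time and on a schedule, so a credential that later appears in a dump triggers a reset rather than sitting on a green dashboard. The plaintext and its full hash never leave the host; an observer of the request learns only a five-character prefix shared by many thousands of hashes.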
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Policy Alignment | Tool identifies “Password Policy” exists and is signed. | Verify Technical Enforcement. A signed policy doesn’t stop a user from picking “123456” if the GPO isn’t set. |
| MFA Coverage | Platform identifies “MFA: Enabled” for the tenant. | Check the Exclusions. GRC tools miss “Bypass Groups” or legacy protocols (POP/IMAP) that don’t support MFA. |
| Storage Security | Tool verifies “Database encrypted at rest.” | Encryption at rest is not Hashing. Verify that the actual field content is a salted hash, not reversible ciphertext. |
| Default Credentials | Tool checks for “Admin” account names in the directory. | Verify Hardware Appliances. GRC tools cannot “see” the web interface of an on-prem printer or IoT device. |
| Secret Distribution | SaaS tool assumes “Email” is the delivery method. | Audit the Slack/Teams history. Personnel often DM passwords in plain text, bypassing all GRC monitoring. |
| Password Vaulting | Tool records that “LastPass/1Password” is an active subscription. | Verify Utilisation. If 50% of staff have never logged into the vault, secrets are likely being stored in the browser. |
| Compromise Monitoring | Platform says “Breach scanning is active.” | Review the Remediation. A “Green” dashboard is useless if it hasn’t flagged a leaver’s password appearing in a dump. |