Authentication

What is Authentication?

Authentication is the systematic process of verifying the claimed identity of a user, device, or system entity. In practice it is implemented through multi-factor verification, which prevents unauthorised access, maintains data integrity, and supports strict adherence to the global ISO 27001 information security standard.

Authentication is the process of verifying the identity of a user, person, or device. In the context of information security, it confirms that a user is who they claim to be before granting them access to a system, application, or network. It is a critical component of access control.

Common Methods & Examples

  • Something you know: Knowledge-based factors.
    • Example: A username and password, or a PIN.
  • Something you have: Possession-based factors.
    • Example: A keycard, a physical token, or a one-time code sent to your phone.
  • Something you are: Inherence-based factors.
    • Example: Biometrics, such as a fingerprint, facial scan, or voice recognition.

ISO 27001 Context

ISO 27001 requires robust authentication mechanisms to protect information assets (ISO 27001 Annex A 8.5 Secure Authentication). It also sets requirements for the handling of authentication information (ISO 27001 Annex A 5.17 Authentication Information).

How to implement Authentication

Implementing robust authentication is a cornerstone of ISO 27001 compliance, ensuring that only verified identities access your organisation’s sensitive data. As a Lead Auditor, I recommend following this technical roadmap to align your identity verification processes with Annex A controls and the broader Information Security Management System (ISMS) requirements.

1. Formalise the Authentication Policy

Establish a comprehensive policy that defines the rules for identity verification across the organisation. This document serves as your Rules of Engagement, specifying requirements for password complexity, multi-factor authentication, and biometric usage to ensure a standardised approach to security.

  • Define minimum password length and character diversity.
  • Specify which systems require Multi-Factor Authentication (MFA).
  • Document the “Rules of Engagement” for third-party access.

2. Update the Asset Register for Access Control

Identify and categorise all hardware, software, and cloud applications that require authentication. By linking authentication requirements to your Asset Register, you can prioritise high-risk assets for enhanced security measures like hardware-based security keys.

  • Map every software asset to a specific authentication level.
  • Identify legacy systems that may require compensating controls.
  • Record the owner for each authenticated system.

3. Deploy Multi-Factor Authentication (MFA)

Provision MFA across all external-facing services and privileged accounts. Implementing a combination of something the user knows, has, or is significantly reduces the risk of account takeover from stolen credentials.

  • Mandate MFA for all cloud-based applications (SaaS).
  • Use authenticator apps or hardware tokens rather than SMS where possible.
  • Enforce MFA for all remote access via VPN or ZTNA.

4. Enforce Technical Password Standards

Configure system settings to automate the enforcement of your password policy. Technical controls prevent users from choosing weak passwords and reduce the likelihood of successful brute-force or dictionary attacks.

  • Disable the use of “common” or previously breached passwords.
  • Implement account lockout thresholds after repeated failed attempts.
  • Remove mandatory periodic password changes in favour of risk-based triggers.

5. Establish Identity and Access Management (IAM) Roles

Formalise user roles and permissions based on the principle of least privilege. By defining IAM roles, you ensure that users are granted only the minimum level of access required to perform their specific job functions.

  • Create Role-Based Access Control (RBAC) templates.
  • Document the permissions associated with each organisational role.
  • Verify that administrative privileges are strictly segregated.

6. Formalise User Access Provisioning and Revocation

Implement a documented process for the creation, modification, and deletion of user accounts. Promptly revoking access during employee offboarding is critical to prevent unauthorised access by former staff or “privilege creep.”

  • Link the HR offboarding process to the IT revocation workflow.
  • Maintain a log of all access requests and approvals.
  • Use “Joiner, Mover, Leaver” (JML) templates for consistency.

7. Configure Secure Session Management

Apply automated controls to manage the duration and security of active user sessions. Secure session management prevents unauthorised access via unattended devices or hijacked session tokens.

  • Set automated inactivity timeouts for all sensitive applications.
  • Limit concurrent sessions for administrative accounts.
  • Ensure secure logout functionality is visible and functional.

8. Deploy Centralised Authentication Logging

Enable detailed event logging for all successful and failed login attempts. Centralising these logs allows for real-time monitoring and the identification of anomalous patterns, such as credential stuffing or geographic anomalies.

  • Send authentication logs to a central SIEM or log management tool.
  • Monitor for multiple failed attempts across different accounts.
  • Review logs regularly as part of your incident detection strategy.
  • Ensure logs include timestamps, source IP, and device ID.
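As an added illustration of steps 4 and 8 together (example code, not the page's own tooling), the script below takes a few constructed log lines carrying the fields step 8 lists (timestamp, source IP, device ID) and derives two findings a defender would act on: accounts whose consecutive failures reach the lockout threshold, and source IPs that fail against several distinct accounts inside a short window, the cross-account pattern step 8 says to monitor for. The five-failure lockout is the FAQ's figure; the three-account and ten-minute spray parameters are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): timestamp, source IP, device ID, user, result
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 203.0.113.7 dev-a1 alice FAIL
2024-05-01T08:00:03Z 203.0.113.7 dev-a1 bob FAIL
2024-05-01T08:00:05Z 203.0.113.7 dev-a1 carol FAIL
2024-05-01T08:01:00Z 198.51.100.9 dev-b2 erin FAIL
2024-05-01T08:01:10Z 198.51.100.9 dev-b2 erin FAIL
2024-05-01T08:01:20Z 198.51.100.9 dev-b2 erin FAIL
2024-05-01T08:01:30Z 198.51.100.9 dev-b2 erin FAIL
2024-05-01T08:01:40Z 198.51.100.9 dev-b2 erin FAIL
2024-05-01T09:00:00Z 192.0.2.44 dev-c3 frank FAIL
2024-05-01T09:00:30Z 192.0.2.44 dev-c3 frank OK
"""
LOCKOUT_THRESHOLD = 5   # consecutive failures before an account locks (FAQ: five)
SPRAY_MIN_ACCOUNTS = 3  # assumed: distinct accounts failing from one IP inside WINDOW
WINDOW = timedelta(minutes=10)  # assumed detection window

def parse(log):
    """Return events sorted by time as (ts, ip, device, user, result)."""
    events = []
    for line in log.splitlines():
        ts, ip, dev, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, dev, user, result))
    return sorted(events)

def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Step 4: accounts whose consecutive-failure streak reaches the threshold (a success resets it)."""
    streak, locked = defaultdict(int), set()
    for _, _, _, user, result in events:
        streak[user] = streak[user] + 1 if result == "FAIL" else 0
        if streak[user] >= threshold:
            locked.add(user)
    return locked

def spraying_sources(events, min_accounts=SPRAY_MIN_ACCOUNTS, window=WINDOW):
    """Step 8: source IPs failing against many distinct accounts inside one window."""
    fails_by_ip = defaultdict(list)
    for ts, ip, _, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged
```

On the constructed input, erin is the only account that hits the lockout threshold, and 203.0.113.7 is the only source flagged for failures across several accounts; a SIEM rule expressing the same two conditions is the usual production form.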

9. Conduct Regular Access Audits

Perform periodic reviews of all user access rights and authentication configurations. These audits ensure that permissions remain appropriate over time and identify any rogue accounts that may have bypassed standard provisioning.

  • Schedule quarterly access reviews with department heads.
  • Verify that “orphaned” accounts for former staff have been deleted.
  • Audit the use of shared or service accounts.

10. Execute Security Awareness Training

Train all staff on the importance of secure authentication and the risks of social engineering. Educated users are your best defence against phishing, MFA fatigue, and credential harvesting attacks.

  • Deliver targeted training on identifying phishing attempts.
  • Educate users on the risks of password reuse across personal and work accounts.
  • Simulate MFA fatigue attacks to test organisational resilience.

Authentication FAQ

As a Lead ISO 27001 Auditor, I frequently encounter organisations struggling to differentiate between simple logins and robust identity verification. Below are the most common queries regarding authentication requirements within the ISO 27001 framework.

What is authentication in the context of ISO 27001?

Authentication is the technical process of verifying the claimed identity of a user, device, or system. Within an ISO 27001 Information Security Management System (ISMS), it serves as the primary gatekeeper, ensuring that only verified entities can access protected assets. Statistics show that compromised credentials are involved in over 80% of data breaches, making this control critical for risk mitigation.

Is Multi-Factor Authentication (MFA) mandatory for ISO 27001 compliance?

MFA is effectively mandatory for all high-risk access scenarios, including remote working and privileged administrative accounts, under Annex A 5.17 and 8.5. Implementing MFA can block 99.9% of account compromise attacks. Auditors expect to see MFA enforced across 100% of cloud-based services and external access points to meet the standard of “appropriate technical controls.”

How does authentication differ from authorisation?

Authentication confirms who a user is, while authorisation determines what that user is allowed to do. In ISO 27001, you must manage both: first, verify identity through secure credentials (authentication), and second, apply the Principle of Least Privilege via Role-Based Access Control (authorisation). You cannot have effective authorisation without a trusted authentication foundation.

What are the technical requirements for ISO 27001 authentication?

Technical requirements include enforcing password complexity (minimum 12 characters), implementing account lockouts after five failed attempts, and disabling inactive accounts within 30 days. Organisations must also:

  • Encrypt all authentication traffic in transit using TLS 1.2 or higher.
  • Ensure 100% of authentication logs are sent to a secure, centralised monitoring system.
  • Eliminate the use of shared or “generic” accounts to maintain individual accountability.

What are the business risks of poor authentication management?

Poor authentication leads to unauthorised data access, regulatory non-compliance, and significant financial loss. Under the UK GDPR, failure to implement adequate security measures like strong authentication can result in fines of up to £17.5 million or 4% of global annual turnover. Furthermore, 60% of small businesses that suffer a major data breach fail within six months of the event.


About the author

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
