Authentication Information

What is Authentication Information?

Authentication information is the sensitive data used to verify user identities within an organisation. The primary implementation requirement of ISO 27001 Annex A 5.17 is to secure passwords, keys and biometrics; the business benefit is preventing credential compromise, reducing the risk of data breaches and maintaining robust access control.

Authentication information refers to data that verifies a user’s identity. This info proves you are who you say you are. The most common types are things you know, like a password; things you have, like a phone or a key fob; and things you are, like a fingerprint.

Examples

  • Passwords: The secret word or phrase you type to log in.
  • PINs: The short number you use for your debit card or phone.
  • Security Questions: Questions like “What was your first pet’s name?”
  • Biometrics: Using your body, like a fingerprint or a face scan.
  • Tokens: A small device or a code sent to your phone.

Context

Imagine you want to get into your house. Your key is a form of authentication information because it proves you have permission to enter. Similarly, your password is a key for your digital accounts. For extra security, some systems need more than one key, like a password and a code from your phone. This is called multi-factor authentication (MFA).

How to implement Authentication Information

Managing authentication information effectively is a critical requirement of ISO 27001 Annex A 5.17, ensuring that passwords, cryptographic keys, and biometric data are handled with the highest level of security. As a Lead Auditor, I recommend following this 10-step technical roadmap to formalise your secret management lifecycle and mitigate the risk of credential compromise within your Information Security Management System (ISMS).

1. Formalise the Authentication Information Policy

Establish a documented policy that defines the specific requirements for creating, storing, and disposing of authentication secrets. This serves as your primary control document to ensure all staff and contractors understand their obligations regarding secret management.

  • Define minimum complexity requirements for passwords and passphrases.
  • Specify the approved methods for generating cryptographic keys.
  • Document the “Rules of Engagement” for handling shared credentials in emergency scenarios.

2. Define Roles and Responsibilities via IAM

Implement Identity and Access Management (IAM) roles to ensure that the management of authentication information follows the principle of least privilege. Assigning clear ownership prevents the unauthorised modification or exposure of sensitive verification data.

  • Assign “Secret Managers” for the oversight of administrative credentials.
  • Document responsibilities for the distribution of initial authentication information.
  • Review IAM role permissions quarterly to prevent privilege creep.

3. Establish Rules of Engagement for User Secrets

Create a formal Rules of Engagement (ROE) document that mandates how users must protect their own authentication information. Clear instructions reduce the likelihood of “social engineering” attacks and insecure local storage of passwords.

  • Prohibit the writing down or digital storage of secrets in unencrypted formats.
  • Mandate the immediate reporting of suspected credential compromises.
  • Enforce a strict “no-sharing” policy for individual user accounts.

4. Update the Asset Register for Secret Storage

Identify and record all systems and applications that store authentication information within your Asset Register. Knowing exactly where your secrets reside is essential for applying technical encryption controls and conducting risk assessments.

  • Log all hardware security modules (HSMs) used for key storage.
  • Categorise software-based “Secret Managers” as critical information assets.
  • Map the data flow of authentication information across cloud and on-premise environments.

5. Provision Multi-Factor Authentication (MFA) Protocols

Deploy MFA across all systems that manage or store sensitive authentication information. MFA acts as a vital compensating control, ensuring that a single compromised secret does not lead to a total system breach.

  • Enforce hardware-based MFA tokens for privileged administrative roles.
  • Implement time-based one-time passwords (TOTP) for standard user access.
  • Verify that MFA is enabled for all remote access and VPN endpoints.

6. Enforce Secure Storage and Encryption Standards

Configure technical systems to ensure that authentication information is never stored in plaintext. Using non-reversible hashing and strong encryption protects credentials even if the underlying database is compromised.

  • Use salted, non-reversible hashing algorithms like Argon2 or Bcrypt for password storage.
  • Apply AES-256 encryption for secrets held in transit and at rest.
  • Verify that default vendor passwords are changed immediately upon system deployment.

7. Implement Secure Lifecycle Management for Secrets

Develop a formal process for the secure distribution and revocation of authentication information. Controlling the lifecycle prevents “orphan accounts” and ensures that secrets are decommissioned securely when no longer required.

  • Use secure, out-of-band channels for the initial delivery of temporary credentials.
  • Force a password change upon the first login for all new users.
  • Automate the revocation of secrets during the employee offboarding process.

8. Automate Credential Rotation and Renewal

Deploy automated tools to manage the regular rotation of service account passwords and cryptographic keys. Automation removes human error and ensures that long-lived credentials do not become easy targets for brute-force attacks.

  • Set mandatory rotation periods for API keys and service tokens.
  • Configure “Just-In-Time” (JIT) access for high-privilege administrative tasks.
  • Monitor for expired certificates and keys to prevent service interruptions.
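The rotation-without-interruption idea behind this step, shown as an added Python example written for this page (not taken from any secrets-management product; the one-day rotation interval and one-hour grace period are illustrative assumptions, and the clock is passed in by the caller so a scheduler or a test can drive it): every key carries a key id, only the active key signs new tokens, a retired key stays valid for the grace period so tokens issued just before rotation are still accepted, and expired keys are purged so nothing long-lived lingers.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class KeyRecord:
    kid: str
    material: bytes
    created: int            # unix seconds
    retired: Optional[int] = None   # when it stopped signing; None while active


class RotatingKeyRing:
    """HMAC signing keys with automatic rotation and a verification grace period."""

    def __init__(self, rotate_after: int, grace: int, now: int):
        self.rotate_after = rotate_after
        self.grace = grace
        self.keys: Dict[str, KeyRecord] = {}
        self.active: Optional[str] = None
        self.rotate(now)

    def rotate(self, now: int) -> str:
        """Retire the active key (it keeps verifying for `grace` seconds) and
        generate a fresh 256-bit key; returns the new key id."""
        if self.active is not None:
            self.keys[self.active].retired = now
        kid = secrets.token_hex(4)
        self.keys[kid] = KeyRecord(kid, secrets.token_bytes(32), now)
        self.active = kid
        self._purge(now)
        return kid

    def _purge(self, now: int) -> None:
        for kid in list(self.keys):
            rec = self.keys[kid]
            if rec.retired is not None and now - rec.retired > self.grace:
                del self.keys[kid]

    def maintain(self, now: int) -> bool:
        """Scheduler entry point: purge expired keys and rotate when the active
        key has reached its maximum age. Returns True if a rotation happened."""
        self._purge(now)
        if now - self.keys[self.active].created >= self.rotate_after:
            self.rotate(now)
            return True
        return False

    def sign(self, message: bytes) -> str:
        rec = self.keys[self.active]
        tag = hmac.new(rec.material, message, hashlib.sha256).hexdigest()
        return f"{rec.kid}.{tag}"

    def verify(self, message: bytes, token: str, now: int) -> bool:
        """Accept a token signed by the active key or by a retired key still
        inside its grace period; constant-time tag comparison."""
        kid, _, tag = token.partition(".")
        rec = self.keys.get(kid)
        if rec is None:
            return False
        if rec.retired is not None and now - rec.retired > self.grace:
            return False
        expected = hmac.new(rec.material, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    ring = RotatingKeyRing(rotate_after=86400, grace=3600, now=0)
    token = ring.sign(b"service-account:report-runner")
    print("rotated at day 1:", ring.maintain(86400))
    print("old token still valid inside grace:", ring.verify(b"service-account:report-runner", token, 86400 + 600))
```

The same shape applies to API keys and service tokens: rotate on a schedule, keep the previous key valid only for a bounded overlap, and log each rotation so the audit trail (step 9) shows when every key was issued and retired.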

9. Audit Authentication Access Logs and Event Trails

Enable detailed logging for every event involving the modification or access of authentication information. Regular monitoring allows your security team to identify anomalous patterns that may indicate a credential-harvesting attempt.

  • Centralise logs in a secure SIEM (Security Information and Event Management) platform.
  • Alert on multiple failed attempts to access secret management tools.
  • Retain audit trails for a minimum of 12 months to satisfy ISO 27001 requirements.
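The "alert on multiple failed attempts" rule from the list above, as an added Python example written for this page (the log lines are constructed for illustration in a generic syslog-like shape and do not come from any real secret manager; the thresholds of five failures in ten minutes, and three failures before a success, are assumptions to tune per environment). It keeps a sliding window of failures per user and source, raises one alert when the window reaches the threshold, and raises a second, higher-priority alert when a success follows a burst of failures, which is the pattern a successful guessing or credential-stuffing attempt leaves behind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from any real product): alice fails five times
# then succeeds; bob's two failures are 25 minutes apart and should not alert.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z vault auth.failure user=alice src=10.0.0.5
2024-05-01T09:00:09Z vault auth.failure user=alice src=10.0.0.5
2024-05-01T09:00:20Z vault auth.failure user=alice src=10.0.0.5
2024-05-01T09:00:31Z vault auth.failure user=alice src=10.0.0.5
2024-05-01T09:00:45Z vault auth.failure user=alice src=10.0.0.5
2024-05-01T09:01:02Z vault auth.success user=alice src=10.0.0.5
2024-05-01T09:05:00Z vault auth.failure user=bob src=10.0.0.6
2024-05-01T09:30:00Z vault auth.failure user=bob src=10.0.0.6
2024-05-01T09:30:10Z vault secret.read user=bob src=10.0.0.6 path=db/admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<app>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse(line: str):
    """Parse one record into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "app": m["app"], "event": m["event"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=10),
                      success_after_min: int = 3):
    """Sliding-window failure counter keyed by (user, src).

    - `failure_burst`: the window reaches `threshold` failures (emitted once).
    - `success_after_failures`: a success arrives with at least
      `success_after_min` failures still inside the window."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["user"], rec["src"])
        recent = failures[key]
        while recent and rec["ts"] - recent[0] > window:   # drop stale failures
            recent.popleft()
        if rec["event"] == "auth.failure":
            recent.append(rec["ts"])
            if len(recent) == threshold:
                alerts.append({"kind": "failure_burst", "user": rec["user"],
                               "src": rec["src"], "count": len(recent), "at": rec["ts"]})
        elif rec["event"] == "auth.success":
            if len(recent) >= success_after_min:
                alerts.append({"kind": "success_after_failures", "user": rec["user"],
                               "src": rec["src"], "count": len(recent), "at": rec["ts"]})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert["at"].isoformat(), alert["kind"], alert["user"], alert["src"], alert["count"])
```

In a SIEM the same logic is usually expressed as a correlation rule over the normalised event fields; the point of the standalone version is that the window must be bounded and the "success after failures" case deserves its own, higher-severity alert rather than being hidden by the reset.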

10. Conduct Periodic Technical Compliance Reviews

Perform regular technical audits to verify that all authentication controls are functioning as intended. Continuous verification ensures that your organisation remains compliant with ISO 27001 standards as the threat landscape evolves.

  • Execute annual penetration tests specifically targeting authentication mechanisms.
  • Review the configuration of the Asset Register against actual network deployments.
  • Verify that all biometric templates are stored as mathematical hashes rather than raw images.

Authentication Information FAQ

What is authentication information in the context of ISO 27001?

Authentication information is a protected category of data used to verify a user’s identity, such as passwords, cryptographic keys, and biometric templates. According to industry data, compromised credentials contribute to 81% of data breaches, making the secure management of this information a critical requirement for Annex A 5.17 compliance.

What are the specific requirements for ISO 27001 Annex A 5.17?

Annex A 5.17 requires organisations to establish a formal process for the management of authentication information throughout its entire lifecycle. This includes:

  • Secure creation and distribution of initial login credentials.
  • Mandatory requirements for users to change temporary passwords upon first use.
  • Prohibiting the storage of authentication information in plaintext or insecure locations.
  • Ensuring 100% of default vendor passwords are changed before system deployment.

How does ISO 27001 recommend storing authentication information?

Authentication information must be stored using strong, non-reversible cryptographic hashes combined with unique salts. ISO 27001 auditors look for industry-standard algorithms such as Bcrypt or Argon2 for passwords, and AES-256 for encrypted keys, ensuring that even in the event of a database leak, the raw credentials remain computationally infeasible to recover.
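The salted, non-reversible storage called for in step 6 and in this answer, as an added Python example written for this page (not code from the standard or from any library the page names). Argon2 and bcrypt need third-party packages, so the hardened form here uses the memory-hard scrypt function from the standard library as a stand-in; the parameters N=2^14, r=8, p=1, a 16-byte salt and a 32-byte digest are assumptions for the example. The weak function is shown alongside only to make the difference visible: an unsalted fast hash maps equal passwords to equal values, so one leaked table exposes every shared password and is cheap to attack offline. The hardened record carries its own parameters, which is what lets an organisation raise the work factor later and re-hash users at their next successful login.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Policy parameters assumed for this example (not taken from the standard).
SCRYPT_N = 2 ** 14      # about 16 MiB of memory per hash with r=8
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def weak_store(password: str) -> str:
    """What NOT to do: unsalted, fast SHA-256. Shown for contrast only."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard, non-reversible hash in a self-describing record:
    scrypt$N$r$p$<salt hex>$<digest hex>. A fresh random salt is drawn per
    password unless one is supplied (only useful for reproducible tests)."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time; malformed records verify as False rather than raising."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    stored = bytes.fromhex(digest_hex)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(stored))
    return hmac.compare_digest(digest, stored)


def needs_rehash(record: str) -> bool:
    """True when the record uses weaker parameters than current policy (or an
    unknown format), so it should be re-hashed after the next successful login."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    return (int(parts[1]) < SCRYPT_N or int(parts[2]) < SCRYPT_R
            or int(parts[3]) < SCRYPT_P)


if __name__ == "__main__":
    # Two users choosing the same password: the weak scheme exposes that fact,
    # the salted scheme does not.
    print("weak, identical:", weak_store("Winter2024!") == weak_store("Winter2024!"))
    a, b = hash_password("Winter2024!"), hash_password("Winter2024!")
    print("salted, distinct:", a != b, "| both verify:",
          verify_password("Winter2024!", a) and verify_password("Winter2024!", b))
```

The login path is: `verify_password`, then if it succeeded and `needs_rehash` is true, call `hash_password` on the plaintext still in hand and overwrite the record. That is the only moment the plaintext is available, so it is the only moment a parameter upgrade can happen.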

What are the risks of failing to manage authentication information?

Failure to protect authentication information leads to unauthorised access, data exfiltration, and severe regulatory penalties. Under the UK GDPR, organisations can face fines of up to £17.5 million or 4% of total annual global turnover, whichever is higher. Effective management reduces the risk of credential-stuffing attacks, which currently target over 10 billion accounts annually.

Does ISO 27001 require multi-factor authentication (MFA)?

MFA is considered a primary control for managing authentication information under Annex A 8.5 and 5.17 for high-risk systems. While the standard does not mandate a specific tool, it requires “appropriate technical controls” to verify identity. Implementing MFA can block over 99.9% of account compromise attacks, significantly strengthening the organisation’s overall security posture.

Relevant ISO 27001 Controls

The following controls from the ISO/IEC 27001:2022 standard are related to authentication information:

Stuart Barker - High Table - ISO27001 Director

About the author

Stuart Barker
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
