Management of Authentication Information
Ensure secure and proper handling of passwords and authentication details.
Plain language
This control is about making sure passwords and login information are handled safely. If these details get into the wrong hands, it could lead to unauthorised access to important parts of your business, causing data breaches or financial loss.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.
Why it matters
Poorly managed authentication details can enable unauthorised access, leading to breaches, data theft and financial loss.
Operational notes
Implement a process to issue, reset and revoke credentials; educate staff on secure handling and require MFA where feasible.
Implementation tips
- The IT manager should set up a system to create strong, temporary passwords that are hard to guess. Use automatic tools to generate these passwords and ensure each user is given a unique one. Make sure users are prompted to change their passwords after first logging in.
- The HR department should instruct new employees on how to manage their passwords safely. This includes advising them to never share their passwords and to change them if they believe they've been compromised. Provide clear guidelines as part of the onboarding process.
- IT staff should implement secure channels for sharing password information. Use encrypted messages or secure apps to transmit passwords, avoiding plain text emails. This aligns with privacy standards like the OAIC regulations.
- Systems administrators are responsible for changing default passwords on newly installed software or devices. Make this a part of the standard installation checklist to protect against common vulnerabilities.
- IT support should maintain a secure log of any changes or events related to passwords. Use a recognised password management tool, ensuring the log is kept confidential and accessible only to authorised personnel.
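The issuance, first-login change and event-logging steps above, worked as an added Python example (not code from the Control Stack page or any product it describes): temporary passwords are generated randomly and uniquely, stored only as salted PBKDF2 hashes (no reversible storage, as in ISM-1840), must be replaced at first login (ISM-1595), and every event is recorded in an audit log that never contains a secret. The class, method and event names are hypothetical.

```python
# Added example (not from the page): a minimal credential-issuance process
# following the tips above; all names and parameters are hypothetical.
import hashlib, hmac, secrets, string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)  # derived key only

class CredentialStore:
    def __init__(self):
        self.accounts = {}  # user -> {"salt", "hash", "must_change"}; no plaintext kept
        self.audit = []     # (utc timestamp, event, user); secrets are never logged

    def _log(self, event: str, user: str) -> None:
        self.audit.append((datetime.now(timezone.utc).isoformat(), event, user))

    def issue_temporary(self, user: str) -> str:
        # Random temporary password, returned once for encrypted delivery; replaced at first login
        temp = "".join(secrets.choice(ALPHABET) for _ in range(16))
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "hash": _hash(temp, salt), "must_change": True}
        self._log("temporary_password_issued", user)
        return temp

    def _verify(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"])

    def login(self, user: str, password: str) -> str:
        # "ok", "change_required" (temporary password still in use) or "denied"
        if not self._verify(user, password):
            self._log("login_failed", user)
            return "denied"
        if self.accounts[user]["must_change"]:
            self._log("first_login_change_required", user)
            return "change_required"
        self._log("login_ok", user)
        return "ok"

    def change_password(self, user: str, old: str, new: str) -> bool:
        # Needs the current password; the new one must differ and be at least 14 characters
        if not self._verify(user, old) or new == old or len(new) < 14:
            self._log("password_change_rejected", user)
            return False
        salt = secrets.token_bytes(16)
        self.accounts[user].update(salt=salt, hash=_hash(new, salt), must_change=False)
        self._log("password_changed", user)
        return True
```

The audit list is what an auditor following the evidence tips would review: it shows who was issued, changed or denied credentials and when, without exposing any password.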
Audit / evidence tips
- Ask: Request a demonstration of the password generation tool.
  Good: The tool consistently generates complex passwords that users must change after the first login.
- Ask: Obtain the training materials provided to new employees.
  Good: Materials clearly explain password safety and are part of the new hire training programme.
- Ask: See the communication method used for sending temporary passwords.
  Good: Passwords are sent through secure, encrypted channels and not through unprotected email.
- Ask: Request access to the installation checklist for new systems.
  Good: Default passwords are consistently replaced with strong alternatives immediately after installation.
- Ask: Review the log of password changes and management events.
  Good: Logs are comprehensive, securely maintained, and demonstrate a clear record of access and changes.
Cross-framework mappings
How Annex A 5.17 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Relationship | Count |
|---|---|
| Partially meets | 1 |
| Partially overlaps | 3 |
| Supports | 5 |
ASD ISM
Partially meets (11)
| Control | Notes |
|---|---|
| ISM-0417 | ISM-0417 requires that where systems cannot support multi-factor authentication, organisations implement single-factor authentication usi... |
| ISM-0485 | ISM-0485 requires that SSH connections use public key-based authentication rather than weaker authentication methods |
| ISM-1014 | ISM-1014 requires individual (unique) logins to be implemented for IP phones used for SECRET or TOP SECRET conversations |
| ISM-1595 | ISM-1595 requires users to change initial credentials on first use so that shared, vendor-issued, or administrator-set passwords do not r... |
| ISM-1614 | ISM-1614 entails changing break glass credentials after emergency access by another party |
| ISM-1837 | ISM-1837 requires user accounts to be configured so that passwords are required and do not use the 'password never expires' setting |
| ISM-1840 | ISM-1840 requires that user account passwords are not stored using reversible encryption |
| ISM-1930 | ISM-1930 requires organisations to prevent passwords being stored in Group Policy Preferences (GPP), removing a known mechanism for expos... |
| ISM-1953 | ISM-1953 mandates that credentials for the built-in Administrator account in each domain are long, unique, unpredictable and managed |
| ISM-2044 | ISM-2044 requires software installations to avoid default credentials and to create credentials on first install by the installing organi... |
| ISM-2076 | ISM-2076 prohibits using security questions as an authentication mechanism |

Partially overlaps (20)
| Control | Notes |
|---|---|
| ISM-0383 | Annex A 5.17 requires a controlled process for allocating and managing authentication information, including secure handling expectations... |
| ISM-0421 | Annex A 5.17 requires controlled allocation and management of authentication information and guidance to personnel on secure handling |
| ISM-0422 | Annex A 5.17 requires controlled management of authentication information, including ensuring personnel know how to handle passwords secu... |
| ISM-0553 | Annex A 5.17 requires organisations to control the allocation and management of authentication information (e.g., credentials) via a defi... |
| ISM-0555 | ISM-0555 requires authentication and authorisation for all actions on an IP telephony network, including device registration and voicemai... |
| ISM-1327 | Annex A 5.17 requires management processes for authentication information and guiding personnel on correct handling |
| ISM-1402 | ISM-1402 requires organisations to protect stored credentials using password managers, HSMs, or secure hashing methods before storage |
| ISM-1449 | ISM-1449 requires SSH private keys to be protected with a password or encryption so that possession of the key file alone is insufficient... |
| ISM-1557 | Annex A 5.17 requires organisations to manage authentication information via controlled processes and provide guidance on secure handling |
| ISM-1558 | Annex A 5.17 requires controlled processes and user guidance for the secure handling and management of authentication information such as... |
| ISM-1559 | Annex A 5.17 requires organisations to control the allocation and management of authentication information and to advise personnel on sec... |
| ISM-1561 | Annex A 5.17 requires a managed process to allocate, manage and guide personnel in the secure handling of authentication information |
| ISM-1596 | Annex A 5.17 requires a controlled management process for allocating and handling authentication information, including user guidance on ... |
| ISM-1597 | Annex A 5.17 requires organisations to manage authentication information securely and to advise personnel on appropriate handling |
| ISM-1685 | Annex A 5.17 requires a managed process for allocating and controlling authentication information and advising personnel on secure handling |
| ISM-1955 | Annex A 5.17 requires organisations to control the allocation and management of authentication information through a defined process, inc... |
| ISM-2047 | Annex A 5.17 requires a managed process for authentication information, including secure handling and communication practices around cred... |
| ISM-2078 | Annex A 5.17 requires controlled management of authentication information and user guidance on appropriate handling of passwords and simi... |
| ISM-2079 | Annex A 5.17 requires a management process to control authentication information, including communicating appropriate handling requiremen... |
| ISM-2080 | ISM-2080 specifies that organisations do not enforce password complexity requirements |

Supports (17)
| Control | Notes |
|---|---|
| ISM-0554 | ISM-0554 requires secure two-way (mutual) authentication for video calls that is encrypted and non-replayable to ensure call authenticati... |
| ISM-1321 | ISM-1321 requires EAP-TLS using X.509 certificates for mutual authentication and disabling weaker EAP methods for wireless access |
| ISM-1324 | ISM-1324 requires certificates to be generated using an evaluated certificate authority or hardware security module to ensure authenticat... |
| ISM-1505 | ISM-1505 requires MFA for authenticating users of data repositories |
| ISM-1546 | ISM-1546 requires users to be authenticated before they are granted access to a system and its resources |
| ISM-1560 | ISM-1560 requires passwords used for MFA on SECRET systems to be at least 8 characters, establishing a baseline for authentication inform... |
| ISM-1603 | ISM-1603 requires disabling authentication methods that are susceptible to replay attacks |
| ISM-1611 | ISM-1611 reserves break glass accounts for emergency use only, reducing exposure from powerful credentials |
| ISM-1615 | ISM-1615 requires organisations to test break glass accounts after changing their credentials to verify the updated authentication inform... |
| ISM-1817 | ISM-1817 requires authenticating and authorising API clients for internet-accessible APIs that expose non-public data |
| ISM-1818 | ISM-1818 requires that API clients are authenticated and authorised before they can perform internet-accessible API calls that modify data |
| ISM-1854 | ISM-1854 requires users to authenticate to MFDs before they can use print/scan/copy functions |
| ISM-1893 | ISM-1893 requires MFA to be used for user authentication to third-party online customer services handling sensitive customer data |
| ISM-1894 | ISM-1894 requires phishing-resistant MFA for authenticating users of data repositories |
| ISM-1929 | ISM-1929 requires LDAP signing on domain controllers so directory traffic cannot be altered in transit, reducing the likelihood of creden... |
| ISM-1943 | ISM-1943 requires enforcing strong mapping between certificates and users in Active Directory to prevent misuse of certificate credential... |
| ISM-2013 | ISM-2013 requires authentication and authorisation for internal APIs, while Annex A 5.17 supports it by ensuring the secure management of... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.