Secure authentication technologies and procedures
Use secure methods to confirm identities and control access to systems and data.
Plain language
This control is about making sure that only the right people can access your important systems and data. If you don't secure how people log in, you might let in someone who shouldn't be there, which could lead to sensitive information being stolen or damaged.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Technological controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.
Why it matters
Weak or poorly implemented authentication (e.g., no MFA) enables account takeover and unauthorised access to restricted information, causing breaches, fraud and financial loss.
Operational notes
Quarterly verify MFA, password/SSO settings and admin access meet access restrictions; test login controls, monitor failed logins and remediate weaknesses.
Implementation tips
- The IT manager should review current authentication methods. They need to ensure strong security measures like using digital certificates or biometrics rather than relying on passwords alone. This improves security according to ISO 27002:2022 guidance by matching authentication strength to information sensitivity.
- Human Resources should update policies to require multi-factor authentication for critical systems. This involves using more than one type of proof, such as a password and a code on your phone, especially for accessing vital information systems. It aligns with the Australian Privacy Act 1988, which stresses protecting personal information.
- Procurement should ensure that any new systems purchased support various secure authentication methods. They need to include digital tokens or smart cards in procurement specifications, ensuring systems are adaptable to future security requirements under CPS 234.
- The Board should mandate regular audits of authentication procedures. This requires appointing an internal or external auditor to check that the procedures meet current standards and best practices, ensuring organisational compliance and risk management align with ISO 27001.
- The IT Security Team should implement log-on procedures that protect against unauthorised access, as recommended in ISO 27002:2022. This involves using CAPTCHA to prevent automated access, setting up alerts for failed login attempts, and ensuring systems log these attempts for review.
Audit / evidence tips
- Ask: to see the organisation's authentication policy. Good evidence: a policy that includes multiple layers of authentication for high-risk areas.
- Ask: for a demonstration of the logon process for critical systems. Good evidence: a system that locks out users after multiple failed attempts and alerts administrators.
- Ask: for logs of login attempts for the past 3 months. Good evidence: detailed logs showing that systems alert appropriate personnel of repeated failed attempts.
- Ask: for user feedback on the authentication process. Good evidence: feedback showing employees can complete secure logins without unnecessary complications.
- Ask: to see records of system access reviews. Good evidence: regular, documented reviews with actions taken to improve security posture.
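The lockout-and-alert behaviour that the implementation tips and the audit questions above describe, as an added example that is not part of this page or of the Control Stack product: it scans constructed authentication log lines (the line format, user names and addresses are assumptions), counts failures per account inside a sliding time window, and records a lockout plus an alert once the threshold is reached. A successful login clears the counter, and lines that do not match the expected format are counted rather than silently dropped.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): timestamp, result, user, source IP.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z FAIL user=alice src=10.0.0.5
2024-05-01T09:00:09Z FAIL user=alice src=10.0.0.5
2024-05-01T09:00:15Z FAIL user=alice src=10.0.0.5
2024-05-01T09:00:21Z FAIL user=alice src=10.0.0.5
2024-05-01T09:00:30Z FAIL user=alice src=10.0.0.5
2024-05-01T09:00:40Z OK   user=alice src=10.0.0.5
2024-05-01T09:05:00Z FAIL user=bob   src=10.0.0.9
2024-05-01T09:06:00Z WEIRD user=bob  src=10.0.0.9
2024-05-01T09:30:00Z FAIL user=bob   src=10.0.0.9
2024-05-01T09:31:00Z OK   user=bob   src=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")

def parse_line(line):
    """Return (timestamp, result, user, src) or None for a line that does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)

def evaluate(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (locked_users, alerts, ignored_line_count).
    A user is locked when `threshold` failures fall inside `window`; one alert
    record is produced at that moment. A later success does not unlock the account."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, src) for failures still inside the window
    locked, alerts, ignored = set(), [], 0
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            ignored += 1              # unparseable lines are counted so log gaps are visible in review
            continue
        ts, result, user, src = parsed
        if result == "OK":
            if user not in locked:
                recent[user].clear()  # a successful login resets the failure counter
            continue
        q = recent[user]
        q.append((ts, src))
        while q and ts - q[0][0] > window:
            q.popleft()               # drop failures that have aged out of the window
        if len(q) >= threshold and user not in locked:
            locked.add(user)
            alerts.append({"user": user, "at": ts.isoformat(), "failures": len(q),
                           "sources": sorted({s for _, s in q})})
    return locked, alerts, ignored
```

The alert record (user, time, failure count, source addresses) is the kind of entry an auditor would expect to see forwarded to the administrators named in the evidence tips.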
Cross-framework mappings
How Annex A 8.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (10) | | |
| Related (3) | | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (48) | | |
| ISM-0417 | ISM-0417 specifies a particular authentication fallback: if MFA is not supported, use passwords for single-factor authentication | |
| ISM-0421 | ISM-0421 mandates a minimum 15-character password length for single-factor authentication on non-classified, OFFICIAL: Sensitive and PROT... | |
| ISM-0484 | ISM-0484 outlines SSH daemon settings to secure authentication and remote sessions, specifying measures like LoginGraceTime and disabling... | |
| ISM-0485 | ISM-0485 requires the use of public key authentication specifically for SSH access to harden remote administration and system access paths | |
| ISM-0488 | ISM-0488 addresses secure use of SSH authentication without passwords by constraining authorised SSH key usage to a forced command and ch... | |
| ISM-0551 | ISM-0551 requires IP telephony to enforce secure device registration by having IP phones authenticate to the call controller, disabling a... | |
| ISM-0554 | ISM-0554 requires an encrypted and non-replayable two-way authentication scheme specifically for video call authentication and authorisation | |
| ISM-0590 | ISM-0590 requires that authentication measures on multi-function devices (MFDs) are as strong as those used for workstations on the conne... | |
| ISM-0622 | ISM-0622 requires IT equipment to authenticate when accessing other networks via gateways, addressing authentication at network boundaries | |
| ISM-0974 | ISM-0974 requires MFA for unprivileged users accessing systems as a specific authentication mechanism | |
| ISM-1014 | ISM-1014 requires individual logins for secure use of IP phones for SECRET or TOP SECRET conversations, implying a need for robust user a... | |
| ISM-1034 | ISM-1034 requires organisations to disable legacy authentication methods on networks to prevent access via insecure paths | |
| ISM-1055 | ISM-1055 requires organisations to disable insecure legacy authentication protocols (LAN Manager and NTLM variants) to reduce credential ... | |
| ISM-1151 | ISM-1151 requires organisations to verify the authenticity of incoming emails using SPF to reduce spoofing and impersonation risk | |
| ISM-1173 | ISM-1173 requires MFA specifically for privileged users of systems | |
| ISM-1321 | ISM-1321 requires 802.1X authentication using EAP-TLS with X.509 certificates for mutual authentication on wireless networks, and disabli... | |
| ISM-1322 | ISM-1322 requires organisations to use evaluated 802.1X components (supplicants, authenticators, wireless access points and authenticatio... | |
| ISM-1330 | ISM-1330 mandates a concrete control on wireless authentication by limiting PMK caching to 24 hours to constrain reuse of derived keying ... | |
| ISM-1504 | ISM-1504 requires MFA for authenticating users to the organisation’s online services that process, store or communicate sensitive data | |
| ISM-1505 | ISM-1505 requires MFA to be used to authenticate users of data repositories | |
| ISM-1546 | ISM-1546 requires users to be authenticated before they are granted access to a system and its resources | |
| ISM-1558 | ISM-1558 requires secure construction of passwords for single-factor authentication, including bans on predictable phrases and minimum ra... | |
| ISM-1559 | ISM-1559 mandates a specific minimum password length (at least 6 characters) when passwords are used as part of multi-factor authenticati... | |
| ISM-1560 | ISM-1560 sets a concrete authentication-strength requirement by mandating a minimum password length (8 characters) when passwords are use... | |
| ISM-1603 | ISM-1603 requires authentication methods that are susceptible to replay attacks to be disabled | |
| ISM-1679 | ISM-1679 specifically requires MFA for users authenticating to third-party online services that process, store, or communicate the organi... | |
| ISM-1680 | ISM-1680 requires the specific use of multi-factor authentication (where available) for users accessing third-party online services handl... | |
| ISM-1681 | ISM-1681 requires MFA for customers authenticating to online customer services that handle sensitive customer data | |
| ISM-1682 | ISM-1682 requires a specific secure authentication outcome: MFA used for system authentication is phishing-resistant | |
| ISM-1711 | ISM-1711 requires that user identity confidentiality features are used where available in EAP-TLS implementations to prevent exposure of ... | |
| ISM-1817 | ISM-1817 requires authentication and authorisation of clients when they call internet-accessible APIs that provide access to non-public data | |
| ISM-1818 | ISM-1818 requires authentication and authorisation of clients when they call internet-accessible network APIs that can modify data | |
| ISM-1836 | ISM-1836 requires Kerberos pre-authentication to be enforced for user accounts to strengthen authentication and prevent certain Kerberos-... | |
| ISM-1854 | ISM-1854 requires users to authenticate to multifunction devices (MFDs) before they can print, scan or copy documents | |
| ISM-1874 | ISM-1874 requires a specific secure authentication outcome: phishing-resistant MFA for customers of online customer services | |
| ISM-1893 | ISM-1893 requires MFA for a specific authentication scenario: users accessing third-party online customer services handling the organisat... | |
| ISM-1894 | ISM-1894 requires a specific outcome: MFA used for authenticating users of data repositories must be phishing-resistant | |
| ISM-1919 | ISM-1919 requires a specific secure-authentication configuration outcome: disabling all authentication protocols that do not support MFA ... | |
| ISM-1920 | ISM-1920 requires that users are prevented from self-enrolling MFA from untrustworthy devices when authenticating to online services, sys... | |
| ISM-1929 | ISM-1929 requires enabling LDAP signing on AD DS domain controllers to ensure integrity of authentication-related directory communications | |
| ISM-1943 | ISM-1943 requires strong, enforced mapping between X.509 certificates and user identities within Active Directory services so certificate... | |
| ISM-1947 | ISM-1947 requires organisations to remove Extended Key Usages (EKUs) in certificates that enable user authentication, ensuring certificat... | |
| ISM-2009 | ISM-2009 requires that any client invoking a network API that can change data is authenticated and authorised at the API boundary, includ... | |
| ISM-2011 | ISM-2011 requires that when phishing-resistant MFA is used by user accounts, other non-phishing-resistant MFA options are disabled for th... | |
| ISM-2014 | ISM-2014 requires authentication and authorisation of clients when they call internal (non-internet) network APIs that provide access to ... | |
| ISM-2076 | ISM-2076 requires that security questions are not used for authentication purposes | |
| ISM-2077 | ISM-2077 requires that email is not used for out-of-band authentication purposes | |
| ISM-2081 | ISM-2081 requires systems to accept all ASCII printable characters in passwords to avoid reducing entropy through unnecessary constraints | |
| Partially overlaps (5) | | |
| ISM-0418 | ISM-0418 requires physical credentials to be stored separately from the systems they authenticate to reduce the chance of immediate compr... | |
| ISM-1200 | ISM-1200 requires Bluetooth pairing on sensitive mobile devices to use Secure Connections and preferably Numeric Comparison to ensure the... | |
| ISM-1327 | ISM-1327 requires certificates used for network authentication to be protected using logical and physical access controls, encryption, an... | |
| ISM-2012 | ISM-2012 requires re-authentication using all authentication factors to unlock a locked screen and prevents users disabling the locking m... | |
| ISM-2049 | ISM-2049 requires software to invalidate existing authentication state and force re-authentication after permission or credential changes | |
| Supports (4) | | |
| ISM-0428 | ISM-0428 requires re-authentication using all authentication factors to unlock a locked session, and prevents users from disabling the lo... | |
| ISM-0520 | ISM-0520 requires preventing unauthorised network device connections using network access controls | |
| ISM-1324 | ISM-1324 requires certificates to be generated using an evaluated certificate authority or hardware security module to support secure, tr... | |
| ISM-2092 | ISM-2092 requires enforcing fine-grained permissions for AI applications, which relies on the ability to correctly identify and authentic... | |
| Related (4) | | |
| ISM-0619 | ISM-0619 requires users to authenticate to other networks accessed via gateways | |
| ISM-1872 | Annex A 8.5 requires organisations to implement secure authentication technologies and procedures consistent with access restrictions and... | |
| ISM-2013 | Annex A 8.5 mandates secure authentication mechanisms to enforce access control | |
| ISM-2047 | Annex A 8.5 requires secure authentication procedures, including protecting credential lifecycle events like resets | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.