ISO 27001:2022 Annex A 5.17 – Authentication Information Explained

Authentication information is often the last line of defence between an attacker and sensitive systems.

Annex A 5.17 exists to ensure that authentication information is protected throughout its lifecycle, reducing the risk of unauthorised access caused by poor credential handling rather than technical failure.

This control applies to passwords, cryptographic keys, tokens, smart cards, and other authentication mechanisms.

ISO 27001

Quick Guide: Annex A 5.17 at a Glance

Annex A 5.17 of ISO 27001:2022 focuses on the allocation, use, and management of authentication information.

At a practical level, this means:

  • Protecting authentication information from unauthorised access
  • Ensuring secure allocation and distribution
  • Defining responsibilities for users and administrators
  • Supporting secure reset and recovery processes
  • Maintaining appropriate records of significant events

The control does not mandate specific authentication technologies or password rules. It expects organisations to apply appropriate safeguards based on risk and system criticality.

In-Depth Guide to Annex A 5.17

What Is Annex A 5.17 and Why Does It Matter?

Authentication information enables access.

If it is poorly protected:

  • Accounts are easily compromised
  • Privileged access is abused
  • Security incidents escalate quickly
  • Attribution becomes difficult

Many breaches occur not because systems are insecure, but because authentication information is exposed, reused, or mishandled.

Annex A 5.17 ensures that authentication information is treated as a high-value security asset.

How to Implement Annex A 5.17 Effectively

A pragmatic approach to Annex A 5.17 typically includes the following elements.

1. Secure Allocation of Authentication Information

When authentication information is issued or reset, organisations typically ensure that:

  • Identities are verified before allocation
  • Default or temporary credentials are changed promptly
  • Credentials are unique to the individual or entity

This reduces the risk of unauthorised access at creation.

2. Protect Authentication Information in Transit and Storage

Authentication information should be protected from exposure.

Common practices include:

  • Avoiding transmission via insecure channels
  • Using secure storage and approved management tools
  • Applying cryptographic protection where appropriate

Plain text handling introduces unnecessary risk.

3. Define User Responsibilities Clearly

Users play a critical role in protecting authentication information.

Organisations often define expectations such as:

  • Keeping credentials confidential
  • Reporting suspected compromise promptly
  • Changing credentials when exposure is suspected

Clear expectations support consistent behaviour.

4. Manage Authentication Information Across the Lifecycle

Authentication information requires ongoing management.

This includes:

  • Secure reset processes
  • Timely revocation when access is no longer required
  • Avoiding reuse of compromised credentials

Lifecycle management prevents residual access.

5. Maintain Records of Significant Events

Maintaining records of significant authentication-related events supports:

  • Audit and assurance
  • Incident investigation
  • Accountability

Records should be protected and accessible only to authorised personnel.

In-Depth Guide to Annex A 5.1

What is Annex A 5.1 and Why Does It Matter?

  • What the organisation values
  • How security decisions are approached
  • Where accountability sits
  • Aligns security with business objectives
  • Supports proportionate, risk-based decisions
  • Provides a reference point during incidents and disputes
  • Creates consistency without bureaucracy

How to Implement Annex A 5.1 Effectively

1. Define a Comprehensive Information Security Policy
  • Scope: What the policy applies to (systems, data, people).
  • Objectives: Why security is important for the business.
  • Roles & Responsibilities: Who is accountable for security.
  • Key Principles: Risk management, access control, and data protection.
2. Secure Senior Management Approval
  • Review and approve policies.
  • Ensure resources are allocated for implementation.
  • Lead by example in enforcing security policies.
3. Communicate and Train Employees
  • Include security policies in onboarding and ongoing training.
  • Ensure policies are easily accessible to all employees.
  • Encourage acknowledgment and acceptance of security responsibilities.
4. Regular Review & Continuous Improvement
  • Set a schedule for periodic policy reviews (at least annually).
  • Update policies based on business changes, new threats, or regulatory updates.
  • Conduct audits to ensure compliance and effectiveness.
5. Integrate Policies into the ISMS
  • Use it to develop more detailed security procedures.
  • Ensure policies align with other Annex A controls and broader risk management practices.
Key Differences: ISO 27001:2013 vs ISO 27001:2022
AspectISO 27001:2013ISO 27001:2022
Control StructureTwo separate controls: 5.1.1 & 5.1.2Merged into one control (5.1)
Implementation GuidanceLess prescriptiveMore detailed guidance for policy creation and alignment
Awareness & TrainingNot explicitly mentionedExplicitly requires policies to be part of training programmes
Attributes TableNot includedew attributes table for mapping policies to industry terms
Common Challenges & How to Overcome Them
  • Challenge: Employees don’t follow security policies.
  • Solution: Make policies practical and relevant to daily work. Use real-world examples in training.
  • Challenge: Policies are outdated or too generic.
  • Solution: Schedule annual reviews and update policies based on real threats and business changes.
  • Challenge: Policies are written in technical jargon.
  • Solution: Use plain language that all employees can understand.
  • Challenge: Lack of leadership buy-in.
  • Solution: Show how weak security affects business objectives—costs of breaches, loss of client trust, and legal penalties.
Final Recommendations
  • Make security policies living documents—review, refine, and update regularly.
  • Use policy training and awareness to create a security-conscious workforce.
  • Ensure policies are accessible, relevant, and easy to understand.
  • Keep policies aligned with business strategy and regulatory requirements.
  • Engage leadership in driving security culture from the top down.

Common Challenges and How to Overcome Them

  • Insecure distribution of credentials
  • Use controlled, secure allocation methods
  • Weak user understanding of responsibilities
  • Reinforce expectations through policy and awareness
  • Reusing credentials across systems
  • Enforce uniqueness and separation where possible
  • Poor visibility of authentication changes
  • Maintain records of significant events

Authentication risk grows when credential handling is informal.

In-Depth Guide to Annex A 5.1

What is Annex A 5.1 and Why Does It Matter?

  • What the organisation values
  • How security decisions are approached
  • Where accountability sits
  • Aligns security with business objectives
  • Supports proportionate, risk-based decisions
  • Provides a reference point during incidents and disputes
  • Creates consistency without bureaucracy

How to Implement Annex A 5.1 Effectively

1. Define a Comprehensive Information Security Policy
  • Scope: What the policy applies to (systems, data, people).
  • Objectives: Why security is important for the business.
  • Roles & Responsibilities: Who is accountable for security.
  • Key Principles: Risk management, access control, and data protection.
2. Secure Senior Management Approval
  • Review and approve policies.
  • Ensure resources are allocated for implementation.
  • Lead by example in enforcing security policies.
3. Communicate and Train Employees
  • Include security policies in onboarding and ongoing training.
  • Ensure policies are easily accessible to all employees.
  • Encourage acknowledgment and acceptance of security responsibilities.
4. Regular Review & Continuous Improvement
  • Set a schedule for periodic policy reviews (at least annually).
  • Update policies based on business changes, new threats, or regulatory updates.
  • Conduct audits to ensure compliance and effectiveness.
5. Integrate Policies into the ISMS
  • Use it to develop more detailed security procedures.
  • Ensure policies align with other Annex A controls and broader risk management practices.
Key Differences: ISO 27001:2013 vs ISO 27001:2022
AspectISO 27001:2013ISO 27001:2022
Control StructureTwo separate controls: 5.1.1 & 5.1.2Merged into one control (5.1)
Implementation GuidanceLess prescriptiveMore detailed guidance for policy creation and alignment
Awareness & TrainingNot explicitly mentionedExplicitly requires policies to be part of training programmes
Attributes TableNot includedew attributes table for mapping policies to industry terms
Common Challenges & How to Overcome Them
  • Challenge: Employees don’t follow security policies.
  • Solution: Make policies practical and relevant to daily work. Use real-world examples in training.
  • Challenge: Policies are outdated or too generic.
  • Solution: Schedule annual reviews and update policies based on real threats and business changes.
  • Challenge: Policies are written in technical jargon.
  • Solution: Use plain language that all employees can understand.
  • Challenge: Lack of leadership buy-in.
  • Solution: Show how weak security affects business objectives—costs of breaches, loss of client trust, and legal penalties.
Final Recommendations
  • Make security policies living documents—review, refine, and update regularly.
  • Use policy training and awareness to create a security-conscious workforce.
  • Ensure policies are accessible, relevant, and easy to understand.
  • Keep policies aligned with business strategy and regulatory requirements.
  • Engage leadership in driving security culture from the top down.

Final Recommendations

Annex A 5.17 is about protecting the keys to the environment.

When authentication information is managed effectively:

  • Unauthorised access is harder to achieve
  • Security incidents are easier to contain
  • Accountability improves
  • Other access controls become more reliable

Authentication information does not need complex rules. It needs to be handled deliberately, securely, and consistently.

That is the outcome Annex A 5.17 is designed to achieve.

In-Depth Guide to Annex A 5.1

What is Annex A 5.1 and Why Does It Matter?

  • What the organisation values
  • How security decisions are approached
  • Where accountability sits
  • Aligns security with business objectives
  • Supports proportionate, risk-based decisions
  • Provides a reference point during incidents and disputes
  • Creates consistency without bureaucracy

How to Implement Annex A 5.1 Effectively

1. Define a Comprehensive Information Security Policy
  • Scope: What the policy applies to (systems, data, people).
  • Objectives: Why security is important for the business.
  • Roles & Responsibilities: Who is accountable for security.
  • Key Principles: Risk management, access control, and data protection.
2. Secure Senior Management Approval
  • Review and approve policies.
  • Ensure resources are allocated for implementation.
  • Lead by example in enforcing security policies.
3. Communicate and Train Employees
  • Include security policies in onboarding and ongoing training.
  • Ensure policies are easily accessible to all employees.
  • Encourage acknowledgment and acceptance of security responsibilities.
4. Regular Review & Continuous Improvement
  • Set a schedule for periodic policy reviews (at least annually).
  • Update policies based on business changes, new threats, or regulatory updates.
  • Conduct audits to ensure compliance and effectiveness.
5. Integrate Policies into the ISMS
  • Use it to develop more detailed security procedures.
  • Ensure policies align with other Annex A controls and broader risk management practices.
Key Differences: ISO 27001:2013 vs ISO 27001:2022
AspectISO 27001:2013ISO 27001:2022
Control StructureTwo separate controls: 5.1.1 & 5.1.2Merged into one control (5.1)
Implementation GuidanceLess prescriptiveMore detailed guidance for policy creation and alignment
Awareness & TrainingNot explicitly mentionedExplicitly requires policies to be part of training programmes
Attributes TableNot includedew attributes table for mapping policies to industry terms
Common Challenges & How to Overcome Them
  • Challenge: Employees don’t follow security policies.
  • Solution: Make policies practical and relevant to daily work. Use real-world examples in training.
  • Challenge: Policies are outdated or too generic.
  • Solution: Schedule annual reviews and update policies based on real threats and business changes.
  • Challenge: Policies are written in technical jargon.
  • Solution: Use plain language that all employees can understand.
  • Challenge: Lack of leadership buy-in.
  • Solution: Show how weak security affects business objectives—costs of breaches, loss of client trust, and legal penalties.
Final Recommendations
  • Make security policies living documents—review, refine, and update regularly.
  • Use policy training and awareness to create a security-conscious workforce.
  • Ensure policies are accessible, relevant, and easy to understand.
  • Keep policies aligned with business strategy and regulatory requirements.
  • Engage leadership in driving security culture from the top down.

The Annex Control Table

ISO 27001:2022 Organisational Controls
ISO 27001:2022 Technological Controls