Annex A · Organisational Control

A.5.17 — Authentication Information

4 min read · Reviewed by: Cenedril Editorial
Tags: A.5.17 · ISO 27001 · ISO 27002 · BSI ORP.4

A penetration test reveals that 40% of employee passwords can be cracked within two hours using a standard dictionary attack. The default admin password on three network devices was never changed after installation. A.5.17 addresses the entire lifecycle of authentication information — from secure allocation to responsible user behaviour.

Authentication information includes passwords, PINs, cryptographic keys, certificates and biometric templates. Weaknesses in any of these undermine every access control the organisation has built.

What does the standard require?

  • Control the allocation process. Initial authentication information (temporary passwords, activation codes) must be distributed through a secure channel. Recipients must be verified before allocation.
  • Enforce secure handling by users. Users must keep authentication information confidential, avoid sharing it and change it if compromise is suspected. Temporary credentials must be changed upon first use.
  • Set technical quality standards. Systems must enforce minimum password complexity, length and expiry rules where applicable. Default credentials must be changed immediately after installation.
  • Protect stored credentials. Passwords and other authentication secrets must be stored using strong hashing algorithms with salting. Plaintext storage is unacceptable.
  • Provide user guidance. The organisation must publish clear rules on creating, managing and protecting authentication information. Training reinforces these rules.

In practice

Define authentication tiers. Different systems need different authentication strengths. Tier the requirements: standard corporate applications may accept a strong password; systems with access to sensitive data or administrative functions should require multi-factor authentication (MFA).

Enforce MFA for high-risk access. Remote access, privileged administration, cloud management consoles and systems processing personal data are prime candidates for mandatory MFA. Push-notification or hardware-token MFA is more resistant to phishing than SMS-based codes.

Eliminate default credentials. Maintain a checklist for system commissioning that includes changing all default passwords and disabling default accounts. Vulnerability scanners can detect unchanged defaults during routine scans.

Deploy a password manager. Provide a centrally managed password manager to all employees. This removes the incentive to reuse passwords across systems and enables truly random, unique credentials per service.

Monitor for compromised credentials. Services such as Have I Been Pwned or commercial credential-monitoring tools can alert the organisation when employee credentials appear in public breach databases. Force a password reset for affected accounts immediately.

Typical audit evidence

Auditors typically expect the following evidence for A.5.17:

  • Authentication policy — rules for password complexity, MFA requirements and credential handling
  • System configuration — technical enforcement of password policies (GPO settings, IAM configuration)
  • MFA deployment records — evidence of MFA activation for relevant user groups and systems
  • Default credential checklist — evidence that default passwords are changed during system commissioning
  • Credential storage standards — documentation of hashing algorithms used for stored passwords
  • Awareness training records — evidence that users have been trained on authentication practices

KPI

% of accounts compliant with authentication information policy

This KPI measures adherence to the organisation’s authentication requirements across all managed accounts. Non-compliant accounts include those with passwords below minimum length, accounts without required MFA or service accounts with unchanged default credentials.

Supplementary KPIs:

  • Percentage of privileged accounts with MFA enabled
  • Number of systems still using default credentials (target: zero)
  • Number of credential-breach alerts triggered per quarter and average remediation time
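The headline KPI and two of the supplementary KPIs, computed over a constructed account inventory as an added example (not the page's own tooling). The minimum length of 12 characters and the rule that MFA is required only for privileged interactive accounts are assumptions made for this illustration, matching the tiered approach described under "In practice".

```python
from dataclasses import dataclass

# Policy threshold assumed for this example; the page states no number.
MIN_PASSWORD_LENGTH = 12


@dataclass
class Account:
    name: str
    privileged: bool          # administrative or sensitive-data access
    service: bool             # non-interactive service account (no MFA prompt possible)
    password_length: int
    mfa_enabled: bool
    default_credential: bool  # still carrying the vendor/installer default


def violations(acct: Account) -> list:
    """Return the policy rules this account breaks; an empty list means compliant."""
    found = []
    if acct.password_length < MIN_PASSWORD_LENGTH:
        found.append("password-too-short")
    if acct.privileged and not acct.service and not acct.mfa_enabled:
        found.append("mfa-missing")
    if acct.default_credential:
        found.append("default-credential")
    return found


def authentication_kpis(accounts: list) -> dict:
    """Headline KPI plus the privileged-MFA and default-credential supplementary KPIs."""
    compliant = sum(1 for a in accounts if not violations(a))
    privileged = [a for a in accounts if a.privileged and not a.service]
    priv_mfa = sum(1 for a in privileged if a.mfa_enabled)
    return {
        "compliant_pct": round(100.0 * compliant / len(accounts), 1) if accounts else 0.0,
        "privileged_mfa_pct": round(100.0 * priv_mfa / len(privileged), 1) if privileged else 0.0,
        "default_credentials": sum(1 for a in accounts if a.default_credential),
        "non_compliant": {a.name: violations(a) for a in accounts if violations(a)},
    }


# Constructed sample inventory, standing in for an IAM export.
SAMPLE_ACCOUNTS = [
    Account("alice", False, False, 16, False, False),
    Account("bob", True, False, 14, True, False),
    Account("carol", True, False, 20, False, False),      # privileged, no MFA
    Account("svc-backup", False, True, 8, False, True),   # short and still default
    Account("dave", False, False, 10, True, False),       # below minimum length
]

if __name__ == "__main__":
    print(authentication_kpis(SAMPLE_ACCOUNTS))
```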

BSI IT-Grundschutz

A.5.17 maps primarily to BSI’s identity and access management module:

  • ORP.4 (Identity and access management) — covers password policies, initial credential distribution, user responsibilities for credential protection and technical enforcement of authentication standards. The module includes specific requirements for password complexity, change intervals and secure storage.

A.5.17 secures the credentials that make identity and access control enforceable.

Frequently asked questions

Does A.5.17 require multi-factor authentication?

The standard does not mandate MFA explicitly, but ISO 27002 recommends it wherever feasible, especially for remote access, privileged accounts and systems handling sensitive data. In practice, auditors increasingly expect MFA for these scenarios.

Are password managers acceptable?

Yes. Password managers help users maintain unique, complex passwords for every system. The organisation should approve a specific tool, provide it centrally and ensure the master password or passphrase itself meets high complexity requirements.

What about biometric authentication?

Biometrics (fingerprint, facial recognition) are a valid authentication factor under A.5.17. The organisation must address the privacy implications of storing biometric data and ensure a fallback mechanism exists in case the biometric reader fails.