Annex A · Technological Control

A.8.5 — Secure Authentication

Reading time: 4 min · Reviewed by: Cenedril Editorial
Tags: A.8.5 · ISO 27001 · ISO 27002 · BSI ORP.4

Roughly eighty percent of hacking-related breaches involve stolen or weak credentials. Credential stuffing replays passwords leaked from other services, so what defeats it is MFA and a unique password per service; password length protects against guessing, not against reuse. A session that never times out lets an attacker who finds an unlocked workstation browse freely for hours. A.8.5 addresses the full spectrum of authentication, from password strength to session management.

The control requires that authentication mechanisms match the sensitivity of the systems and data they protect. The higher the risk, the stronger the authentication must be.

What does the standard require?

  • Match authentication strength to sensitivity. Systems processing highly sensitive data require stronger authentication (MFA) than low-sensitivity systems.
  • Implement multi-factor authentication. Combine at least two of: something you know (password), something you have (token, phone), something you are (biometrics).
  • Protect the login process. Avoid information disclosure during login (e.g., revealing whether the username or password was wrong), use CAPTCHA or rate-limiting and log all authentication attempts.
  • Manage sessions. Inactive sessions must time out after a defined period. Re-authentication should be required for sensitive actions.
  • Never transmit credentials in clear text. Passwords and tokens must travel only over encrypted channels (TLS). At rest, passwords are stored as salted hashes produced by a deliberately slow algorithm (Argon2id, scrypt, bcrypt or PBKDF2), never in reversible form; API tokens and session identifiers should be stored hashed as well, so that a database leak does not hand out usable secrets.
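The login-process requirements above (no username/password oracle, throttling, logging every attempt, non-reversible password storage) in one handler. This is an added example, not code from the page or from Cenedril; the in-memory dictionaries, the throttle window of 5 failures per 15 minutes and the scrypt parameters are assumptions chosen for illustration.

```python
"""Login handler that avoids a username/password oracle, throttles repeated
failures and logs every attempt. Added example, not code from the page or from
Cenedril; the in-memory dicts stand in for a user database and a cache."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

MAX_FAILURES = 5          # failures inside WINDOW_SECONDS before the account is throttled
WINDOW_SECONDS = 900
GENERIC_ERROR = "Invalid username or password."   # same text for every failure cause


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    failures: list = field(default_factory=list)   # timestamps of recent failures


USERS: dict = {}        # username -> User (stand-in for the user store)
AUTH_LOG: list = []     # every attempt, success or failure, with its real cause


def hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are stored as salted, memory-hard scrypt hashes, never
    # reversibly encrypted. n=2**14 keeps the example fast; raise it in production.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


# Dummy record so that an unknown username costs the same hash computation
# as a wrong password, which removes the timing side channel on the username.
_DUMMY_SALT = os.urandom(16)
_DUMMY = User(salt=_DUMMY_SALT, pw_hash=hash_password(os.urandom(16).hex(), _DUMMY_SALT))


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = User(salt=salt, pw_hash=hash_password(password, salt))


def _log(username: str, ok: bool, reason: str, now: float) -> None:
    AUTH_LOG.append({"ts": now, "user": username, "ok": ok, "reason": reason})


def login(username: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (success, message). The message is identical for unknown user,
    wrong password and throttled account, so the form reveals nothing;
    the real cause goes only to the log."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    target = user if user is not None else _DUMMY
    # Always do the expensive hash first so every path takes the same time.
    candidate = hash_password(password, target.salt)
    if user is not None:
        # Forget failures older than the window, then apply the throttle.
        user.failures = [t for t in user.failures if now - t < WINDOW_SECONDS]
        if len(user.failures) >= MAX_FAILURES:
            _log(username, False, "throttled", now)
            return False, GENERIC_ERROR
    # compare_digest is constant-time; the `and` keeps unknown users failing
    # even in the astronomically unlikely event of a dummy-hash match.
    if hmac.compare_digest(candidate, target.pw_hash) and user is not None:
        user.failures.clear()
        _log(username, True, "success", now)
        return True, "Welcome."
    if user is not None:
        user.failures.append(now)
    _log(username, False, "unknown_user" if user is None else "bad_password", now)
    return False, GENERIC_ERROR
```

The throttle is applied after the hash so that a throttled account is not distinguishable from an unknown one by response time, and the failure cause is recorded only in `AUTH_LOG`, which is where the monitoring described later in this page reads from.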

In practice

Enable MFA for all users. Start with the most sensitive systems (email, VPN, cloud admin consoles) and expand to all applications. Prefer phishing-resistant methods, i.e. FIDO2/WebAuthn security keys or passkeys. Push notifications with number matching reduce MFA-fatigue attacks but still fall to adversary-in-the-middle phishing; SMS-based OTP is the weakest option and should be retired first.

Implement a modern password policy. Minimum 12 characters; no composition rules (mandatory digits, symbols, mixed case), which push users toward predictable patterns; screening of new passwords against known-breached password lists; no mandatory periodic changes. Provide a password manager so that long, unique passwords are practical.
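A password acceptance check that applies this policy. Added example, not code from the page or from Cenedril: the breach data is a small constructed list indexed the way the Have I Been Pwned range API returns it (5-character SHA-1 prefix, then suffixes with counts), so the k-anonymity lookup runs offline; the 128-character upper bound is an assumption.

```python
"""Password acceptance check following the policy above (length, no composition
rules, breach-list screening). Added example, not code from the page; the breach
data is a constructed stand-in for the Have I Been Pwned k-anonymity range API."""
import hashlib
import unicodedata
from typing import Dict, List

MIN_LENGTH = 12
MAX_LENGTH = 128     # generous cap so passphrases and password managers are not penalised


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_ranges(breached: List[str]) -> Dict[str, Dict[str, int]]:
    """Index constructed breached passwords the way the range API returns them:
    5-hex-char SHA-1 prefix -> {35-char suffix: number of times seen}."""
    ranges: Dict[str, Dict[str, int]] = {}
    for i, pw in enumerate(breached):
        h = _sha1_upper(pw)
        ranges.setdefault(h[:5], {})[h[5:]] = 1000 * (i + 1)   # constructed counts
    return ranges


# Constructed breach list; a real deployment would fetch
# https://api.pwnedpasswords.com/range/<prefix> for the same shape of data.
BREACH_RANGES = _build_ranges(["password12345", "Welcome2024!!", "qwertyuiop1234"])


def breach_count(password: str, ranges=BREACH_RANGES) -> int:
    """k-anonymity lookup: only the 5-char prefix would leave the client and the
    suffix match happens locally, so the service never sees the password."""
    h = _sha1_upper(password)
    return ranges.get(h[:5], {}).get(h[5:], 0)


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    pw = unicodedata.normalize("NFKC", password)   # stable comparison of Unicode input
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Deliberately no "must contain a digit and a symbol" rule: such rules
    # produce Password1! rather than entropy.
    seen = breach_count(pw)
    if seen:
        problems.append(f"found in breach data ({seen} times)")
    return problems
```

Note that "password12345" passes the length rule and is still rejected: the breach check is what catches the predictable choices a composition rule would have let through.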

Configure session timeouts. Define timeouts based on sensitivity: 5 minutes for admin consoles, 15 minutes for business applications, 30 minutes for low-sensitivity tools. Require re-authentication for sensitive actions regardless of session state.
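A server-side session store with the tiered idle timeouts from the paragraph above and step-up re-authentication for sensitive actions. Added example, not code from the page or from any identity product; the tier names, the set of sensitive actions, the 5-minute re-authentication age and the injectable clock are assumptions.

```python
"""Idle-timeout and step-up re-authentication for sessions, tiered by system
sensitivity. Added example; tiers, action names and the injectable clock are
assumptions, not a specific product's API."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = {"admin": 5 * 60, "business": 15 * 60, "low": 30 * 60}   # seconds
REAUTH_MAX_AGE = 5 * 60             # a sensitive action needs a proof of identity this recent
SENSITIVE_ACTIONS = {"change_mfa", "export_data", "add_admin"}


@dataclass
class Session:
    user: str
    tier: str
    last_auth: float   # time of the last password/MFA proof
    last_seen: float   # time of the last request


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, tier: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)     # 256-bit random id, unguessable
        self._sessions[sid] = Session(user, tier, now, now)
        return sid

    def touch(self, sid: str, now: float) -> Optional[Session]:
        """Validate and refresh a session; an idle one is destroyed server-side,
        not merely hidden by a cookie expiry the client could ignore."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT[s.tier]:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def authorize(self, sid: str, action: str, now: float) -> str:
        """'ok', 'reauth' (valid session but fresh proof required) or 'denied'."""
        s = self.touch(sid, now)
        if s is None:
            return "denied"
        if action in SENSITIVE_ACTIONS and now - s.last_auth > REAUTH_MAX_AGE:
            return "reauth"          # session stays valid; the caller prompts for password/MFA
        return "ok"

    def record_reauth(self, sid: str, now: float) -> bool:
        """Called after the user proved identity again; refreshes last_auth only."""
        s = self.touch(sid, now)
        if s is None:
            return False
        s.last_auth = now
        return True

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

The re-authentication check looks at `last_auth`, not `last_seen`, which is what "regardless of session state" means in practice: an active session that has been clicking around for an hour still has to prove identity again before exporting data.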

Monitor authentication anomalies. Log all successful and failed authentication attempts, including source IP, device and outcome. Alert on impossible travel (two successful logins whose locations cannot be reached in the time between them, for instance two countries within minutes), brute-force patterns (many failures against one account, or one source against many accounts) and logins from previously unseen devices or locations.
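The three detections above run over constructed log lines. Added example, not code from the page or from any SIEM: the JSON log format, the tiny IP-to-location table and the thresholds (5 failures in 5 minutes, 900 km/h) are assumptions. It generalises the page's "two countries within minutes" rule to a speed check, so two distant cities in the same country also trigger.

```python
"""Authentication-log anomaly detection: brute force, impossible travel and
first-seen device. Added example; the log lines and the IP-to-geo table are
constructed inline, not output of any real product."""
import json
import math
from collections import defaultdict, deque
from typing import List, Tuple

# Constructed geo lookup standing in for a GeoIP database: ip -> (country, lat, lon)
GEO = {
    "198.51.100.7": ("DE", 52.52, 13.40),    # Berlin
    "203.0.113.9": ("US", 37.77, -122.42),   # San Francisco
    "192.0.2.44": ("DE", 48.14, 11.58),      # Munich
}
MAX_SPEED_KMH = 900.0           # faster than an airliner -> impossible travel
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = 300        # seconds

LOG_LINES = [  # constructed JSON lines; ts is epoch seconds
    '{"ts": 1000, "user": "alice", "ip": "198.51.100.7", "device": "d-1", "ok": true}',
    '{"ts": 1600, "user": "alice", "ip": "203.0.113.9", "device": "d-1", "ok": true}',
    '{"ts": 2000, "user": "bob", "ip": "192.0.2.44", "device": "d-2", "ok": false}',
    '{"ts": 2050, "user": "bob", "ip": "192.0.2.44", "device": "d-2", "ok": false}',
    '{"ts": 2100, "user": "bob", "ip": "192.0.2.44", "device": "d-2", "ok": false}',
    '{"ts": 2150, "user": "bob", "ip": "192.0.2.44", "device": "d-2", "ok": false}',
    '{"ts": 2200, "user": "bob", "ip": "192.0.2.44", "device": "d-2", "ok": false}',
    '{"ts": 3000, "user": "carol", "ip": "198.51.100.7", "device": "d-3", "ok": true}',
    '{"ts": 3100, "user": "carol", "ip": "192.0.2.44", "device": "d-9", "ok": true}',
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (alert_type, user, detail) tuples in the order they fire."""
    alerts = []
    failures = defaultdict(deque)      # user -> timestamps of recent failures
    last_success = {}                  # user -> (ts, ip) of the previous successful login
    known_devices = defaultdict(set)   # user -> devices seen on successful logins
    for line in lines:
        ev = json.loads(line)
        user, ts, ip = ev["user"], ev["ts"], ev["ip"]
        if not ev["ok"]:
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > BRUTE_FORCE_WINDOW:   # slide the window
                q.popleft()
            if len(q) == BRUTE_FORCE_THRESHOLD:           # fire once when the threshold is hit
                alerts.append(("brute_force", user, ip))
            continue
        failures[user].clear()
        # First device ever seen for a user is the baseline, not an alert.
        if known_devices[user] and ev["device"] not in known_devices[user]:
            alerts.append(("new_device", user, ev["device"]))
        known_devices[user].add(ev["device"])
        if user in last_success:
            prev_ts, prev_ip = last_success[user]
            c1, la1, lo1 = GEO[prev_ip]
            c2, la2, lo2 = GEO[ip]
            hours = max(ts - prev_ts, 1) / 3600.0
            speed = haversine_km(la1, lo1, la2, lo2) / hours
            if speed > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", user, f"{c1}->{c2} at {speed:.0f} km/h"))
        last_success[user] = (ts, ip)
    return alerts
```

Alice's Berlin-to-San-Francisco pair is the classic cross-country case; Carol's Berlin-to-Munich pair within 100 seconds would be missed by a country-only rule but is caught by the speed check, and her unknown device fires a separate alert.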

Typical audit evidence

Auditors typically expect the following evidence for A.8.5:

  • Authentication policy — documented rules for password strength, MFA requirements and session management (see Access Control Policy in the Starter Kit)
  • MFA enrollment report — percentage of users and systems with MFA enabled
  • Identity provider configuration — conditional access policies, session timeout settings
  • Authentication logs — evidence of monitoring and alerting on anomalies
  • Password policy configuration — technical enforcement of password requirements

KPI

Percentage of systems using multi-factor or policy-compliant authentication

Measured as a percentage: how many of your systems enforce MFA or meet the documented authentication policy? Target: 100% for internet-facing and sensitive systems, 95% overall.

Supplementary KPIs:

  • MFA adoption rate across all users (target: 100%)
  • Number of systems still using single-factor authentication
  • Mean time to detect and respond to brute-force attempts

BSI IT-Grundschutz

A.8.5 maps to BSI modules for identity and authentication management:

  • ORP.4 (Identity and Access Management) — requirements for authentication mechanisms, password policies and multi-factor authentication.
  • APP.2.1–APP.2.3 (Directory Services) — technical implementation of authentication in Active Directory, LDAP and comparable systems.
  • SYS.2.1 (General Client) — authentication requirements at the workstation level.

Frequently asked questions

Is multi-factor authentication mandatory under ISO 27001?

ISO 27001 requires authentication strength proportionate to the sensitivity of the information accessed. For any system processing sensitive data, MFA is the de facto expectation. Auditors will question single-factor authentication for anything beyond low-sensitivity systems.

Are biometrics sufficient as a single factor?

ISO 27002 recommends that biometric authentication be supplemented by an alternative method. Biometrics can fail (injury, sensor issues), so a fallback mechanism must be available.

Should we enforce password expiration?

Current best practice (NIST SP 800-63B, BSI ORP.4) recommends against regular password expiration. Passwords should be changed only when compromised. Focus on length (minimum 12 characters), breach-list checking and MFA.