ISO 27001 – Control 5.17 – Authentication Information
Control 5.17 Wording
Control 5.17 – Authentication Information states “Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information.”
What this means
Control 5.17 aims to ensure that your organisation has proper rules in place for creating, issuing, and looking after login details such as passwords, PINs, and access codes. This matters because the organisation needs to make sure that only the right people can access its systems, which helps to prevent security breaches caused by weak or stolen login details.
How your organisation should handle login details:
When creating new accounts:
- Any temporary passwords given to new staff should be random and unique – never use simple ones like “Password123”
- Always check someone’s identity properly before giving them new login details or resetting their password
- Send login details securely (never in a normal email) – use encrypted email or hand them over in person
- Make sure people confirm they’ve received their login details
- Change any default passwords that come with new software or equipment straight away
- Keep records of who gets what login details, stored securely (like in an approved password manager).
What staff need to do with their login details:
Keep them secret:
- Never share the password with anyone else
- If you think the password has been stolen or seen by someone else, change it immediately.
Make them strong:
- Don’t use obvious things like a name, phone number, pet’s name, football club or birthday
- Avoid common passwords like “password” or “123456” or “Qwerty123”
- Don’t reuse passwords from other accounts, especially if those accounts have been hacked
- Make sure that passwords are not shown on screen when they are typed
- Store passwords safely (ideally in an approved password manager).
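As an added example that is not part of the original guidance, the Python below shows two of the controls above in working code: generating a random, unique temporary password for a new account (the first bullet under “When creating new accounts”) and checking a user-chosen password against the “Make them strong” rules (common passwords, obvious personal details, and reuse or trivial variants of a previous password). The denylist, the 12-character minimum and the sample personal details are constructed assumptions for the example; a real deployment would use a full breached-password list and the organisation’s own policy values.

```python
import secrets
import string

# Constructed stand-in for a proper common/breached-password list (assumption).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty123", "password123", "letmein", "welcome1",
}

MIN_LENGTH = 12  # policy value assumed for the example


def generate_temporary_password(length: int = 16) -> str:
    """Return a random temporary password for a new account.

    `secrets` draws from the OS CSPRNG, so each password is unpredictable and
    effectively unique, unlike a fixed value such as "Password123".
    """
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Re-draw until the password contains lower, upper and digit characters.
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


def _base_form(password: str) -> str:
    """Lower-case the password and strip trailing digits/symbols, so that
    "Wintertime2024!" and "Wintertime2025!" reduce to the same base."""
    return password.lower().rstrip(string.digits + string.punctuation)


def check_password(password: str, personal_info=(), previous_passwords=()) -> list:
    """Return a list of policy problems; an empty list means the password is acceptable.

    `personal_info` holds details an attacker could guess (name, pet, club, phone).
    `previous_passwords` is only meaningful in a change-password flow where the
    user has just supplied the current password; stored passwords must never be
    kept in plaintext for this purpose.
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if lowered in COMMON_PASSWORDS:
        problems.append("matches a common password")

    for item in personal_info:
        item_l = item.strip().lower()
        # Ignore very short fragments to avoid false positives on e.g. initials.
        if len(item_l) >= 3 and item_l in lowered:
            problems.append(f"contains personal information ({item})")

    for old in previous_passwords:
        if password == old:
            problems.append("reuses a previous password")
        elif len(_base_form(old)) >= 4 and _base_form(old) == _base_form(password):
            problems.append("variant of a previous password")

    return problems


if __name__ == "__main__":
    temp = generate_temporary_password()
    print("temporary password:", temp, "problems:", check_password(temp))
    print(check_password("Password123", personal_info=["Alice"]))
    print(check_password("Wintertime2025!", previous_passwords=["Wintertime2024!"]))
```

The generator is the part that satisfies the “random and unique” rule; the checker only refuses weak choices and should sit alongside, not replace, an approved password manager and multi-factor authentication.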
Good to know:
- Passwords are just one way to prove who you are – you might also use things like security tokens, smart cards, or fingerprint scanners
- Making people change passwords too often can actually make security worse, because they might write them down, choose weaker ones, or pick a minor variation of a previous password. Good practice is currently to change passwords annually
- Using single sign-on (where one password gets you into multiple systems) or password managers can help, but if someone gets hold of that main password, they could access everything, so multi-factor authentication (MFA) can be a useful tool.
The Bottom Line
The key message: treat login details like you would your house keys – keep them safe, don’t give them to others, and tell someone immediately if they go missing.
If you want to talk about information security in your organisation then please book a free call here or email us here