Framework - ISO 27001 (Cyber)

Authentication information and access rights form the operational core of digital trust. While prior controls established who users are and how their identities are managed, these two clauses define how those identities prove themselves and how their privileges evolve across time. The intent is to ensure that authentication factors—passwords, tokens, keys, and biometrics—remain both secure and proportionate to the risks they protect against. Every control decision should align with business impact, system criticality, and the sensitivity of underlying data. A compromise in authentication can cascade quickly, allowing fraud, data theft, or operational disruption. Thus, A.5.17 and A.5.18 position strong identity assurance as a strategic defense rather than a technical afterthought, embedding access discipline into every phase of the information lifecycle.

Organizations face a growing spectrum of threats that target credentials and tokens directly. Attackers exploit phishing, credential stuffing, social engineering, and malware to bypass traditional password defenses. When successful, these takeovers can cause severe business impact—from financial fraud and data breaches to ransomware deployment and regulatory fines. To mitigate such risks, authentication controls must scale with the organization’s classification model: the more sensitive the system, the stronger and more layered the proof of identity must be. Proportionality is essential—a developer accessing a code repository may require multi-factor authentication, while an executive approving financial transfers might need hardware tokens or biometric verification. This alignment ensures that security investments match exposure rather than treating all access as equal.

The scope of A.5.17 extends beyond user passwords. It includes all authentication factors used by both human and non-human entities—passphrases, cryptographic keys, physical tokens, and biometric identifiers. Recovery codes and backup mechanisms are equally within scope because they often provide backdoors to reset or bypass standard authentication. Each of these must be governed through a defined lifecycle that covers generation, storage, distribution, use, and eventual destruction. By managing secrets as formal assets rather than convenience tools, organizations achieve accountability for every credential they issue. This scope acknowledges that in modern environments, authentication is not a one-time event but a continuous relationship between identity, assurance, and access.

Generating secrets requires rigor that reflects the evolving threat landscape. Length and entropy standards should scale with risk tier—simple accounts might require twelve-character passwords, while privileged or external-facing systems may demand stronger, passwordless authentication entirely. Unique-per-service rules eliminate cross-system reuse, a major vector for compromise in credential stuffing attacks. Generation processes must rely on verifiable randomness rather than human creativity, ensuring that patterns cannot be guessed or brute-forced. Preference should be given to passwordless authentication—such as public key cryptography or hardware-based authenticators—that removes static secrets from the equation altogether. Each issuance should produce an audit record, establishing traceability and accountability for how authentication material was created.

Once generated, authentication data must be stored and protected using hardened methods. Passwords should never be stored in plain text, nor with outdated hashing algorithms. Instead, salted hashes combined with modern key-derivation functions like Argon2 or bcrypt provide resistance against brute-force recovery. Cryptographic keys and tokens should be kept in hardware-backed storage such as Trusted Platform Modules or Hardware Security Modules, isolating them from user access. Vaulting systems, segmented by role or environment, prevent administrators from viewing or extracting secrets without approval. Encryption at rest and in transit is non-negotiable, ensuring protection against interception or storage compromise. This layered approach converts credential storage into a controlled, evidence-backed process rather than a trust-based assumption.

Secure distribution and exchange of credentials demand the same discipline as storage. Credentials should never travel through unencrypted channels like email or chat, where interception or mishandling is common. Instead, time-bound delivery mechanisms—such as secure portals or ephemeral tokens—allow one-time retrieval. For temporary access, just-in-time issuance ensures that credentials exist only as long as needed. Before any secret is handed off, the recipient’s identity must be verified using an independent channel. These precautions may seem procedural, but they close one of the most frequently exploited gaps: insecure credential handoff. By embedding verification and expiration directly into issuance processes, organizations dramatically reduce opportunities for impersonation and leakage.

Recovery and reset mechanisms often receive less scrutiny than login processes, yet they represent prime targets for attackers. A password reset that relies only on email verification or security questions undermines even the strongest login policies. Strong identity proofing must be required before any credential change, ideally using previously enrolled factors or direct administrator verification. Step-up authentication—requiring additional proof during sensitive operations—adds an extra layer of defense. Recovery events should produce tamper-evident logs, capturing initiator identity, time, and method used. Cooldown periods and automatic notifications to account owners allow early detection of fraudulent resets. These safeguards transform recovery from a vulnerability into a controlled, auditable function.

Biometric authentication introduces powerful convenience and assurance but also new obligations under privacy and data protection laws. Systems should never store raw biometric images or signals, only mathematical templates that cannot reconstruct the original trait. Templates must reside in secure enclaves, isolated from general processing. Legal bases for collection—such as consent or legitimate interest—must be documented, especially when processing employee or customer data. Fallback mechanisms are essential for accessibility, ensuring continuity when sensors fail or environmental conditions prevent accurate readings. Finally, retention and deletion rules for biometric templates must align with policy and law, preventing indefinite storage. Treating biometrics as sensitive personal data ensures compliance and sustains user trust.

Keys and tokens follow a lifecycle similar to user credentials but often operate at higher privilege levels. Rotation schedules should reflect exposure: short intervals for internet-facing systems, longer ones for internal or low-risk assets. Revocation lists must be actively maintained, with immediate kill-switch capability for compromised credentials. Compromise response runbooks define steps for containment, reissuance, and stakeholder notification. Every key or token must have a designated owner, visible in an active inventory that distinguishes between operational and deprecated items. Managing this lifecycle turns key-based access from an opaque technical process into an accountable governance practice. Through rotation, tracking, and revocation, organizations maintain control over trust anchors that form the foundation of digital assurance.

For more cyber related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.

Access rights governance, as defined in A.5.18, ensures that the permissions tied to those authenticated identities remain precise, justified, and reversible. While A.5.17 protects the front door of authentication, A.5.18 manages what happens once users are inside. The control requires that rights to systems, applications, and data be granted, modified, and revoked with full traceability. Least privilege remains the foundation—users receive only what they need, for as long as they need it. Access should be context-aware, adjusting automatically to factors such as device type, network location, and time of day. The process also enforces clear segregation among requesters, approvers, and implementers to prevent abuse or conflict of interest. Together, these principles create a closed-loop model where entitlements are never assumed but always validated.

A disciplined joiner–mover–leaver process anchors the lifecycle of access rights. When new personnel or partners join, pre-provisioned templates assign role-based entitlements that match their job function. Movers—employees shifting departments or roles—trigger differential reviews, ensuring access aligns with their new responsibilities rather than carrying forward old privileges. For leavers, instant deprovisioning is critical; any delay can leave systems vulnerable to unauthorized access or sabotage. Dependency checks confirm that shared or service accounts linked to the user are not disrupted accidentally. Finally, a post-change audit confirms that no residual access remains. This structured process ensures that every identity change results in an accurate reflection of current business need and risk exposure.

High-risk access pathways, particularly those involving administrative or privileged roles, demand stricter oversight. Just-in-time elevation models grant temporary privileged access only when required, automatically revoking it afterward. Sessions should be recorded in full, with command-level restrictions preventing dangerous or destructive actions. Some operations warrant peer approval or multi-party authorization, ensuring that no single person can act unilaterally in sensitive environments. Business owners must periodically attest to the necessity of these elevated entitlements, verifying that they remain justified and proportionate. This combination of procedural and technical controls keeps the organization resilient against insider misuse, configuration errors, and external exploitation of privileged accounts.

Changes to access rights require more than administrative execution—they demand validation and context. Every change should answer the questions “Why now?” and “Why this access?” Mandatory justification prevents unnecessary expansions of privilege. Automated conflict checks identify segregation-of-duties violations, such as combining approval and payment capabilities in financial systems. Systems should detect shadow access arising from nested or inherited groups, ensuring visibility into the true scope of permissions. If new entitlements cause disruptions or security issues, rollback plans must exist to revert changes safely and quickly. By treating rights modification as a controlled change process, organizations maintain consistency and prevent drift from principle into permissiveness.

Evidence underpins both A.5.17 and A.5.18, converting good intentions into auditable proof. Credential policies define password complexity, vault configurations, and approved key-derivation functions, forming the baseline for compliance validation. Issuance and reset logs record who authorized credentials, how they were generated, and when they were distributed. For access governance, detailed records of grants, modifications, and revocations—including timestamps and responsible parties—demonstrate control. Recertification results and exception registers document how deviations were discovered and resolved. These artifacts form the evidence backbone during audits, investigations, or certifications, proving that access and authentication are managed through structured, repeatable, and defensible processes.

Monitoring and detection mechanisms extend protection beyond setup and policy, providing real-time assurance. Systems must identify anomalies such as impossible travel logins, brute-force spikes, or unusual token replays. Behavioral analytics tools assign risk scores to detect compromised accounts or automation misuse. Correlation with change management and incident response systems allows analysts to see when unusual access coincides with configuration changes or policy exceptions. When high-risk signals emerge, automated suspension workflows can temporarily lock accounts pending investigation. This rapid containment capability ensures that even if authentication or authorization controls are bypassed, detection and response close the gap before damage occurs.

Cloud and supplier ecosystems add new complexity to access governance. Federated access across SaaS platforms must use scoped claims that enforce least privilege rather than replicating entire directory entitlements. Deprovisioning through SCIM or API integration ensures that leaver events propagate instantly to external tenants. Contracts with vendors should require MFA enforcement, access logging, and incident reporting standards equivalent to internal expectations. Emergency offboarding playbooks define how to terminate partner access quickly if a breach or contractual dispute arises. Regular sampling of access rights across connected tenants validates compliance and uncovers deviations. Managing supplier access with the same rigor as internal users maintains a unified defense perimeter across organizational boundaries.

Despite decades of guidance, familiar pitfalls continue to erode the effectiveness of authentication and access programs. Secrets stored in source code or configuration files expose critical systems to trivial compromise. Legacy groups granting blanket administrative rights persist long after they are needed. Reset processes are often weaker than primary login flows, allowing attackers to bypass strong controls through social engineering. Delayed revocation after role changes or vendor terminations leaves dormant accounts vulnerable to abuse. Addressing these issues requires equal emphasis on cultural awareness, automation, and governance enforcement. Preventing mistakes must be as embedded in daily operations as technical compliance itself.

Metrics provide insight into the maturity and health of authentication and access governance. Key indicators include the median time to revoke access after leaver events, the percentage of accounts protected by phishing-resistant MFA, and the frequency of segregation-of-duties conflicts detected before approval. Tracking the number of credential compromise incidents and observing quarter-over-quarter reductions demonstrate whether controls are achieving their intended outcomes. Trend analysis identifies departments or systems lagging in compliance and highlights best performers for knowledge sharing. Metrics transform what could be a static compliance exercise into an ongoing performance management function, aligning technical execution with business accountability.

Authentication and access rights controls are inherently dynamic; they must evolve alongside the threat landscape and organizational complexity. Regular reviews, continuous automation, and strong governance partnerships ensure they remain relevant and effective. When implemented together, A.5.17 and A.5.18 secure both the keys and the doors—protecting credentials while ensuring that access itself is disciplined, justified, and reversible. Lifecycle management, technical enforcement, and evidence-based oversight prevent privilege drift and reduce the window of opportunity for attackers. With these foundations in place, the organization is ready to extend its governance outward into supplier and service relationships, the focus of A.5.19 and A.5.20, where trust and accountability must span across organizational boundaries.