Authentication information and credentials management in ISO 27001:2022

CMI Credentials Management

The ISO 27001:2022 control that addresses the risks associated with authenticating to systems and applications is '5.17 Authentication information'. Authentication is the mechanism of providing information that allows a system to verify the identity of the person attempting to use the system, or of the application trying to access the system on behalf of that individual.

There are generally three different types of information that are used as authentication methods:
1- Something you know: Something that a person or an application knows, such as a password or a PIN number.
2- Something you are: Related to the physical characteristics of the individual, such as the fingerprint, the iris, the gait, the facial characteristics or the voice, amongst other traits specific to the individual.
3- Something you have: Things that entities possess that allow them to authenticate, such as smartcards, security tokens and, generally, private keys.

The ISO 27002 version 2022 control regarding Authentication information is divided into three parts:
1- Creation and Allocation of Credentials and Authentication information: This includes the creation and transmission of passwords, PIN numbers, smartcards, security tokens and any other authentication information. The creation should be performed in a secure manner, taking into account brute-force and dictionary attacks.
2- Responsibilities: Users should be aware of the security best practices regarding the authentication information that they know, possess or that is attached to their physicality, and are responsible for keeping that authentication information confidential.
3- Management system: The organization should consider using tools to generate, store, transmit, rotate and audit the usage of authentication information, such as password management tools.
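The three parts above (secure creation that resists brute-force and dictionary attacks, confidentiality of what is stored, and a management system that generates, stores, rotates and audits secrets) can be illustrated with a small helper. The following is an added example written for this page; it is not code from the article or from CMI. The policy values (16-character minimum, 3 character classes, 90-day rotation), the scrypt parameters and the tiny dictionary list are assumptions chosen for illustration; a real deployment would load a full breached-password list and tune the cost parameters to its hardware.

```python
import hashlib
import hmac
import os
import secrets
import string
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed stand-in for a real dictionary / breached-password list (assumption,
# not a list from the page); a real deployment loads one from a file or service.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)
MIN_LENGTH = 16          # policy values are assumptions for this example
MAX_AGE_DAYS = 90
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def check_policy(candidate: str) -> List[str]:
    """Return the reasons a proposed secret fails policy (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the dictionary list")
    classes = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in candidate))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


def generate_secret(length: int = MIN_LENGTH) -> str:
    """Generate an initial or temporary secret with the CSPRNG-backed `secrets` module.

    Retries until the candidate passes check_policy(), so the issued value never
    trips the dictionary or character-class rules.
    """
    if length < MIN_LENGTH:
        raise ValueError("length below policy minimum")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def hash_secret(secret: str, set_at: Optional[datetime] = None) -> dict:
    """Build the record that is stored: random salt, slow salted hash, set time.

    The plaintext is never stored; scrypt makes offline brute force expensive.
    """
    salt = os.urandom(16)
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {
        "salt": salt.hex(),
        "hash": digest.hex(),
        "set_at": set_at or datetime.now(timezone.utc),
    }


def verify_secret(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(candidate.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def rotation_due(record: dict, now: Optional[datetime] = None,
                 max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the stored secret is older than the rotation period."""
    now = now or datetime.now(timezone.utc)
    return now - record["set_at"] > timedelta(days=max_age_days)


def audit_event(log: list, actor: str, action: str, outcome: str) -> dict:
    """Append an audit entry; only metadata is recorded, never the secret itself."""
    entry = {"at": datetime.now(timezone.utc).isoformat(),
             "actor": actor, "action": action, "outcome": outcome}
    log.append(entry)
    return entry


if __name__ == "__main__":
    log = []
    initial = generate_secret()
    record = hash_secret(initial)
    audit_event(log, "helpdesk", "issue-initial-secret", "ok")
    print("verify:", verify_secret(record, initial))
    print("policy problems for 'Password':", check_policy("Password"))
    print("rotation due:", rotation_due(record))
    print("audit log:", log)
```

The design choice worth noting is that the same `check_policy` function gates both generated and user-chosen secrets, so the dictionary check cannot be bypassed by one path, and that the stored record carries its set time, which is what a rotation or audit job needs without ever touching the plaintext.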


Do you know that: Privileged accounts such as root and Administrator should have a password that is rotated frequently, and access to these accounts should be monitored and recorded. Users should not access or elevate to these accounts directly but should use a Privileged Access Management system to request access. Do you want to protect your organisation against phishing and brute force and enforce security beyond ISO 27001:2022 compliance? Do you want to improve your security posture in a world of AI TAs (Artificially Intelligent Threat Actors) that have more capabilities than an HTA (Human Threat Actor) in terms of impact? Contact your information security expert at contact@certifymyisms.com