Authentication Information

I read an exciting story on the recovery of a painfully lost PIN:

The related ISO 27001 standard requirement sounds like this: “Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.” (A5.17)

This is another example, where several controls of the previous edition of the standard were contracted into one. The 2013 edition of ISO 27001 covered three topics related to authentication information:

  • allocation of authentication information
  • user responsibilities
  • password management system

The first requirement is fully embedded in the current control, but the other two seem to be gone. Compared with the fact that the 2022 edition of the standard still contains five event/incident-related controls, this does not seem to be much. The current standard looks at the handling of authentication information only from the allocation side, not from the end-user side. A password management system was not required by the previous standard either, but if one was used, there were requirements related to it.

Does this mean that users shall not be held responsible for their handling of personal authentication information, or that quality passwords have suddenly lost their importance? Well, formally yes, but don't look at it that way. Although huge password databases are stolen from service providers, such providers are relatively few, and users are many. The overall risk of password compromise remains significant on the users' side (and with the improvement of deception techniques it even increases). Organizations shall still expect secure handling practices for authentication information and strong passwords. Where they fail to do so, auditors are still able to document nonconformities based on general requirements, such as acceptable use of information (A5.10) or access control (A5.15).

More articles from DACHS Computing & Biosciences
