Authentication Information
Plain English Translation
ISO 27001 Annex A.5.17 requires a formal process for managing the secrets used to verify identity—such as passwords, MFA tokens, or cryptographic keys. The organization must control how these credentials are created, handed out, and revoked. Crucially, it also requires that management actively advise employees on how to keep these secrets safe, for example by prohibiting the sharing of passwords or writing them down in public places.
Technical Implementation
Required Actions (startup)
- Enforce MFA on the primary Identity Provider (e.g., Google Workspace, O365)
- Use a password manager for shared team secrets
Required Actions (scaleup)
- Implement automated provisioning that forces password changes on first use
- Formalize the Access Request Form to track credential issuance
Required Actions (enterprise)
- Eliminate passwords where possible in favor of FIDO2/WebAuthn hardware keys
- Automate the rotation of service account keys and API tokens
A.5.17 is an organizational control that mandates a formal management process for the allocation and management of authentication information (passwords, tokens, keys) and requires advising personnel on how to handle them securely.
A.5.17 replaces A.9.2.4 ('Management of secret authentication information of users'); the scope is slightly broader, referring to 'authentication information' rather than just 'secret' information, but the core requirement to control allocation remains similar.
A.5.17 requires a process for managing the *information* (credentials); while it doesn't explicitly mandate MFA, modern interpretation of 'appropriate handling' and A.8.5 (Secure Authentication) typically necessitates MFA for compliance.
It covers all forms of credentials used to verify identity, including passwords, cryptographic keys, hard/soft tokens, smart cards, and biometric data.
Organizations should verify user identity before issuance, send temporary credentials via secure/separate channels (not cleartext email), and force a password change upon first use.
Policies generally require complexity (length/characters), prohibition of common passwords, secure storage (hashing), and rules against sharing or writing down passwords.
Procedures should require positive identification (e.g., manager approval, video call verification) before resetting passwords or re-issuing tokens to prevent social engineering attacks.
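The issuance, policy and reset practices described above can be exercised end to end in a small model. The following is an added example written for this page, not WatchDog Security's product code and not an ISO reference implementation. It assumes a single in-memory credential store; the user names, ticket IDs and the short common-password deny-list are constructed. It shows positive identification before issuance, a temporary credential that must be changed on first use, a password policy with length, character-class and common-password checks, salted scrypt storage instead of plaintext, revocation, and an allocation log that records the ticket reference but never the secret itself.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample deny-list; a real deployment would load a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein"}
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
# Memory-hard KDF parameters: 128 * n * r * p bytes = 16 MiB per hash.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def check_password_policy(password: str) -> List[str]:
    """Return the policy violations found; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common_password")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CHARACTER_CLASSES:
        problems.append("insufficient_character_classes")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash so the store never holds a recoverable password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    issuance_ticket: str      # links the allocation to an access-request record
    must_change: bool = True  # temporary credentials are valid only until replaced


class CredentialStore:
    """Minimal allocation / revocation process with a secret-free audit log."""

    def __init__(self) -> None:
        self.records: Dict[str, Credential] = {}
        self.audit_log: List[Tuple[str, str, str]] = []

    def issue_temporary(self, user: str, ticket: str, identity_verified: bool) -> str:
        # Positive identification (e.g. manager approval) must precede issuance.
        if not identity_verified:
            self.audit_log.append(("issuance_refused", user, ticket))
            raise PermissionError("identity not verified")
        temporary = secrets.token_urlsafe(16)
        salt, digest = hash_password(temporary)
        self.records[user] = Credential(salt, digest, ticket)
        self.audit_log.append(("issued", user, ticket))
        # The caller delivers this over a separate channel; it is never written to the log.
        return temporary

    def login(self, user: str, password: str, new_password: Optional[str] = None) -> str:
        cred = self.records.get(user)
        if cred is None or not verify_password(password, cred.salt, cred.digest):
            self.audit_log.append(("login_denied", user, ""))
            return "denied"
        if cred.must_change:
            if new_password is None:
                return "change_required"
            problems = check_password_policy(new_password)
            if problems:
                return "policy_violation:" + ",".join(problems)
            cred.salt, cred.digest = hash_password(new_password)
            cred.must_change = False
            self.audit_log.append(("password_changed", user, cred.issuance_ticket))
        return "ok"

    def revoke(self, user: str, reason: str) -> bool:
        """Remove the credential (e.g. on termination) and record why."""
        if user not in self.records:
            return False
        del self.records[user]
        self.audit_log.append(("revoked", user, reason))
        return True
```

The audit log holds only event type, user and ticket or reason, which is the kind of allocation and revocation record an auditor asks for; the temporary secret exists only in the return value handed to the out-of-band delivery step.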
Auditors look for the Access Control Policy, onboarding checklists showing users were advised on security, and records of access requests and approvals. WatchDog Security's Compliance Center can help track these artifacts against A.5.17, flag missing evidence, and keep audit-ready proof of policy acknowledgement and credential-handling guidance.
A.5.16 manages the *identity* lifecycle (creation/deletion), A.5.17 manages the *credentials* (passwords/keys) assigned to that identity, and A.8.5 governs the *technical implementation* of the login process.
Organizations should keep records of credential allocation (e.g., access request tickets), user acknowledgement of policies (e.g., signed acceptable use policies), and revocation logs upon termination.
A.5.17 is not only about setting password rules; it also expects management to actively advise personnel on safe handling (no sharing, no insecure storage) and be able to prove it. WatchDog Security's Policy Management helps by maintaining version-controlled credential-handling policies and tracking employee acknowledgements, creating an auditable record that guidance was issued and accepted.
Credential risk often comes from scattered visibility: teams may not know which systems still use basic authentication, weak settings, or long-lived tokens. WatchDog Security's Posture Management helps by identifying misconfigurations and weak authentication-related settings across supported environments and providing remediation guidance, which supports the management process required by A.5.17.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |