ISO 27001 A.8.5: Secure authentication
ISO/IEC 27001:2022 Information Security Management
AL, Founder at SQUR · last verified 2026-06-19
Regulation text
Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. Theme: Technological controls. (Full guidance: ISO/IEC 27002:2022 §8.5.)
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1078 | 1. Secure authentication, as mandated by A.8.5, directly counters adversaries' use of valid accounts for initial access, persistence, and defense evasion. 2. Robust authentication procedures prevent unauthorized account usage. | 90% |
| T1133 | 1. Weak authentication on external remote services provides an initial access vector. 2. A.8.5 requires secure authentication technologies, directly mitigating this technique by protecting external access points. | 80% |
| T1003 | 1. Secure authentication procedures, per A.8.5, include protecting credentials at rest and in transit. 2. This directly impedes adversaries' ability to dump OS credentials from memory or disk. | 90% |
| T1003.001 | 1. A.8.5's requirement for secure authentication technologies necessitates protection of credential storage. 2. This includes safeguarding LSASS memory from credential dumping attacks. | 80% |
| T1003.002 | 1. Secure authentication, as per A.8.5, involves protecting critical system components holding credentials. 2. This directly mitigates attacks targeting the Security Account Manager (SAM) database. | 80% |
| T1003.003 | 1. For domain environments, A.8.5 implies secure authentication extends to directory services. 2. This prevents adversaries from dumping credentials from the NTDS.dit file. | 80% |
| T1003.005 | 1. Secure authentication procedures, as per A.8.5, reduce the risk of cached credentials being compromised. 2. This limits adversaries' ability to obtain and reuse cached domain credentials offline. | 70% |
| T1021 | 1. A.8.5 mandates secure authentication, which restricts unauthorized access to remote services. 2. This directly limits lateral movement by preventing adversaries from using compromised credentials to access other systems. | 80% |
| T1021.001 | 1. Secure authentication technologies, as required by A.8.5, protect remote access protocols like RDP. 2. This prevents unauthorized use of RDP for lateral movement within the network. | 80% |
| T1033 | 1. A.8.5's focus on secure authentication limits unauthorized access to systems. 2. This indirectly restricts adversaries' ability to perform system owner/user discovery by limiting their initial foothold. | 70% |
| T1078.002 | 1. Secure authentication procedures, as per A.8.5, protect domain accounts from compromise. 2. This prevents adversaries from using compromised domain accounts for persistence or privilege escalation. | 80% |
| T1078.003 | 1. A.8.5 requires secure authentication for all accounts, including local ones. 2. This mitigates the risk of adversaries compromising local accounts for persistence or privilege escalation. | 80% |
| T1071.001 | 1. A.8.5 does not address command and control directly, but secure authentication prevents the initial compromise. 2. This reduces the likelihood of adversaries establishing C2 channels over standard application layer protocols using compromised credentials. | 60% |
| T1048 | 1. Secure authentication, as per A.8.5, limits unauthorized access to data. 2. This reduces the opportunity for adversaries to exfiltrate data over alternative protocols once authenticated. | 60% |
| T1078.004 | 1. A.8.5's principles extend to cloud environments, requiring secure authentication for cloud accounts. 2. This prevents adversaries from gaining initial access, persistence, or evading defenses via compromised cloud credentials. | 70% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1013 | 1. A.8.5 mandates secure authentication technologies. 2. Multi-factor authentication is a primary technology for enhancing authentication security, directly fulfilling this requirement. | 100% |
| M1017 | 1. A.8.5 requires secure authentication procedures based on access restrictions. 2. Effective user account management ensures accounts are provisioned, maintained, and deprovisioned securely, supporting authentication integrity. | 90% |
| M1027 | 1. A.8.5's requirement for secure authentication technologies directly implies strong password policies. 2. Implementing robust password policies is fundamental to securing password-based authentication. | 90% |
| M1032 | 1. A.8.5 links authentication to information access restrictions. 2. Using standard user accounts with limited privileges reduces the impact if an authenticated account is compromised, aligning with access control principles. | 80% |
| M1036 | 1. A.8.5 specifies authentication procedures based on topic-specific policy on access control. 2. Account use policies define how accounts and their authentication mechanisms are to be used, directly supporting this control. | 80% |
| M1047 | 1. A.8.5 requires secure authentication procedures. 2. Auditing authentication attempts and related logs helps detect and respond to unauthorized access attempts, reinforcing the security of authentication. | 70% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-287 | 1. A.8.5 directly addresses the implementation of secure authentication technologies and procedures. 2. Improper authentication is the core weakness that this control aims to prevent. | 100% |
| CWE-306 | 1. A.8.5 mandates authentication based on access restrictions. 2. Missing authentication for critical functions directly violates this, leaving sensitive operations unprotected. | 90% |
| CWE-307 | 1. Secure authentication procedures, as per A.8.5, must include protection against brute-force attacks. 2. Improper restriction of excessive authentication attempts is a direct failure in these procedures. | 90% |
| CWE-521 | 1. A.8.5 requires secure authentication technologies. 2. Weak password requirements directly undermine the security of password-based authentication, a common technology. | 90% |
| CWE-798 | 1. A.8.5 emphasizes implementing secure authentication procedures. 2. The use of hard-coded credentials bypasses these procedures, creating a backdoor that circumvents established authentication mechanisms. | 80% |
| CWE-259 | 1. A.8.5 mandates secure authentication technologies. 2. Using hard-coded passwords is a specific instance of CWE-798, directly compromising the security of authentication mechanisms. | 80% |
| CWE-288 | 1. A.8.5 requires secure authentication procedures. 2. Authentication bypass using an alternate path indicates a flaw in the overall authentication design, allowing circumvention of the intended security. | 70% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0193 compute · voice-rubric self-validated