Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Analyzing authentication processes of critical systems


The system or application login procedure should be designed to minimize the potential for unauthorized access.

The login process should therefore disclose as little information about the system or application as possible so as not to unnecessarily assist an unauthorized user. Criteria for a good login procedure include e.g.:

  • logging in does not reveal the associated application until the connection is established
  • the login does not display help or error messages that would assist an unauthorized user
  • logging in will only validate the data once all the data has been entered
  • login is prevented from using fatigue attacks
  • login logs failed and successful login attempts
  • suspicious login attempts are reported to the user
  • passwords are not sent as plain text online
  • the session does not continue forever after logging in
Connected other frameworks and requirements:
9.4.2: Secure log-on procedures
ISO 27001
9.4: System and application access management
ISO 27017
9.4.2: Secure log-on procedures
ISO 27017
9.4.2: Secure log-on procedures
ISO 27018
9.4.4: Use of privileged utility programs
ISO 27017
No items found.