ISO 27002 - 5.17: The MFA rule most cloud teams still fail

If you are the CISO working on ISO recertification, listen up. If you are the IT lead concerned about PCI audits, this is for you. If you are a business owner who cannot afford another damaging data breach, pay attention too. If cloud-security compliance is on your task list, remember this control: ISO/IEC 27002 - 5.17 (MFA on privileged accounts).
Our Half-Yearly Cloud-Compliance Report is coming soon. It reveals that almost 70% of the organizations we examined still face issues with this cloud compliance control. That single lapse opens the door to credential-theft attacks, audit exceptions, and eye-watering fines. All of these could be stopped with real-time identity security monitoring. The details that follow could save you weeks of remediation and mountains of audit stress.
How did we find this?
Between 1 January and 30 June 2025, 169 organizations ran our free risk assessment. We drew a stratified random sample of 50 firms, balanced across industry, geography, and primary cloud provider.
Every failed check was mapped to ISO 27001/27002, PCI DSS v4 and SOC 2 clauses. Of the 1,993 failures, 304 (about 15%) shared the same root cause: an admin-level account used without multi-factor authentication (MFA). That made ISO/IEC 27002:2022 Control 5.17 the most-violated control in our half-year dataset.
What ISO 27002 - 5.17 actually requires
ISO/IEC 27002 is an international standard that provides guidance for organizations that want to establish, operate, and improve an Information Security Management System (ISMS), according to the official definition.
Control 5.17 tells organizations to assign, store, and manage authentication information properly. This reduces authentication failures and protects against misuse of login credentials. It also limits the exposure created by weak passwords still in use on privileged accounts, and with it the threat of compromised sensitive information and login data.
In short: every “Admin,” “Owner” or project-wide role must use MFA (token, biometric, trusted device) every time it logs in.
Origins: From BS 7799 to today’s MFA expectation
Here is a brief timeline about the origins of this requirement.
- 1999 – BS 7799 first warned about “credential replay.”
- 2005 – ISO 27001 inherited the guidance; A.9.4.2 (“Secure log-on”) required two factors “where appropriate.”
- 2022 – The update renamed the control “Authentication information” and made multi-factor authentication (MFA) required for privileged accounts, in response to the password-spray, phishing, and token-theft campaigns that became common over the previous decade.
The business, security, and regulatory impact of non-compliance

Is MFA mandatory?
The 2022 update to ISO/IEC 27002 did indeed strengthen requirements around authentication. However, the standard does not make MFA mandatory for all privileged accounts in every scenario. Instead, it significantly raises expectations for the use of MFA, especially for privileged access, in response to modern threats.
Key points from the 2022 update
- Control 5.17 (“Authentication information”): The revised control requires organizations to use strong authentication methods such as MFA, particularly for privileged accounts and access to sensitive systems. The guidance expects privileged accounts (such as admins) to use MFA, reflecting industry best practice and the heightened risk associated with these accounts.
- The language in ISO/IEC 27002:2022 is more prescriptive than previous versions, stating that "authentication information for privileged access should be managed with additional controls, such as the use of multi-factor authentication" (paraphrased for clarity). This raises MFA from a suggestion to a strong expectation for privileged accounts. However, it does not use the word "mandatory" in every case.
- The update followed a rise in attacks such as phishing, password spraying, and token theft, which together make identity compromise, often via social engineering, far more likely. Single-factor authentication is not enough to protect privileged access; the rise of phishing has shown that relying on passwords alone leaves it highly vulnerable.
Industry and regulatory interpretation
- Regulatory bodies, auditors, and frameworks (including ISO 27001 audits, SOC 2, PCI DSS v4, and EU regulations) now generally interpret the 2022 update as requiring MFA for privileged accounts to achieve compliance, unless a strong, documented risk-based justification is provided for any exceptions.
- Organizations should enforce multi-factor authentication (MFA) for all admin and privileged roles. If they do not, auditors may record this as a finding.
Four fast wins to close the MFA gap
- Blocks the fastest breach vector: MFA kills more than 90% of password-only attacks.
- Buys audit peace: The same fix satisfies ISO, SOC 2, PCI and most regional laws.
- Protects revenue & brand: One compromised admin can halt production, expose personal information belonging to employees or customers, or trigger large-scale data breaches that damage brand trust.
- Quick, low-cost win: MFA roll-out is usually a license toggle plus a short comms plan.
Typical fix:
- Replace weak passwords with enforced MFA, session timeouts, and credential rotation.
- Enforce IdP-based or FIDO2 hardware-token MFA on every privileged role.
- Retire legacy “break-glass” accounts or convert them to just-in-time elevation.
- Track a single KPI - “Admin accounts without MFA” - until it reads 0.
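The KPI from the last step, as an added example that is not part of the original report: a small Python checker over a constructed identity inventory (the CSV columns, role names and account types are assumptions) that flags privileged principals without MFA, tags each with the 5.17 control and the fix from the list above, and returns the KPI value.

```python
import csv
import io
from dataclasses import dataclass
# Privileged per the page: "Admin"/"Owner" roles, or a project-wide role that is not read-only.
ADMIN_ROLES = {"admin", "owner"}
READ_ONLY_ROLES = {"viewer", "reader"}
PROJECT_WIDE = "project"

# Constructed sample inventory (made-up principals; column names are assumptions).
SAMPLE_INVENTORY = """\
principal,role,scope,mfa_enrolled,account_type
alice@example.com,Owner,project,true,human
bob@example.com,Admin,project,false,human
carol@example.com,Viewer,project,false,human
eve@example.com,Editor,project,false,human
breakglass-01,Admin,project,false,break-glass
dave@example.com,Editor,folder,true,human
"""

@dataclass(frozen=True)
class Finding:
    principal: str
    role: str
    remediation: str
    control: str = "ISO/IEC 27002:2022 5.17"

def is_privileged(role: str, scope: str) -> bool:
    """Admin/Owner anywhere, or any non-read-only role granted project-wide."""
    r = role.strip().lower()
    return r in ADMIN_ROLES or (scope.strip().lower() == PROJECT_WIDE and r not in READ_ONLY_ROLES)

def remediation_for(account_type: str) -> str:
    if account_type == "break-glass":  # the page's specific fix for legacy break-glass accounts
        return "retire or convert to just-in-time elevation"
    return "enforce IdP or FIDO2 hardware-token MFA"

def privileged_without_mfa(inventory_csv: str) -> list[Finding]:
    """One finding per privileged principal that is not enrolled in MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_privileged(row["role"], row["scope"]):
            continue
        if row["mfa_enrolled"].strip().lower() == "true":
            continue  # enrolled: compliant with 5.17
        findings.append(Finding(row["principal"], row["role"], remediation_for(row["account_type"])))
    return findings

def kpi_admin_accounts_without_mfa(inventory_csv: str) -> int:
    """The single KPI the page recommends tracking; the target value is 0."""
    return len(privileged_without_mfa(inventory_csv))
```

Run `privileged_without_mfa(SAMPLE_INVENTORY)` to list the three non-compliant principals in the sample; the KPI for it is 3.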
By enforcing MFA and trimming unnecessary admin roles, organizations can remove the top ISO 27001/27002 violation and cut off the main breach method attackers use. If your privileged users still sign in with just a password, this is the fastest, cheapest risk-reduction move you’ll make all year.
The numbers above are from the core findings of our Half-Yearly Cloud-Compliance Report (Jan–Jun 2025). In the full release, we will explain the most violated control family by cloud provider. We will link each gap to ISO, SOC 2, PCI DSS v4, and new EU regulations. We will also show how early adopters reduced their high-severity findings.
Protect what matters most
Secure human and non-human identities (NHIs) at scale, powered by AI. Don't wait for a security breach to happen. Get a free assessment today and secure your business.