NHI Forum
Read full article here: https://www.unosecur.com/blog/iso-27002---5-17-the-mfa-rule-68-of-cloud-teams-still-fail/?source=nhimg
Our Half-Yearly Cloud-Compliance Report (Jan–Jun 2025) highlights one of the most consistent and costly failures across enterprises: privileged accounts without Multi-Factor Authentication (MFA).
Out of 1,993 compliance failures recorded across a stratified sample of 50 organizations, 304 failures (15%) were directly tied to ISO/IEC 27002:2022 Control 5.17 — making it the single most violated control. Nearly 70% of the organizations assessed still allow admin-level access with only a password.
Why It Matters
- Audit risk - This lapse creates findings under ISO 27001/27002, PCI DSS v4, and SOC 2, exposing firms to exceptions, failed certifications, and financial penalties.
- Security exposure - Privileged accounts without MFA are the top target for phishing, credential-stuffing, and token theft attacks.
- Business impact - A single compromised admin account can trigger a breach with severe revenue, reputational, and regulatory consequences.
What ISO 27002 – 5.17 Requires
Control 5.17 (“Authentication Information”) calls for strong authentication for privileged access. The 2022 update elevated MFA from a “where appropriate” suggestion to a prescriptive expectation, requiring additional controls (MFA, FIDO2, passwordless methods) for high-risk accounts.
Four Fast Wins to Close the Gap
- Enforce MFA everywhere – Apply FIDO2 or IdP-based MFA on all privileged roles.
- Retire legacy admin accounts – Replace “break-glass” accounts with just-in-time elevation.
- Automate monitoring – Track “admin accounts without MFA” as a KPI until it reaches zero.
- Align across frameworks – One MFA rollout satisfies ISO, PCI DSS, SOC 2, and most EU regulatory obligations.
Bottom Line
Control 5.17 is the MFA rule most cloud teams still fail. Fixing it is the fastest, cheapest, and most impactful risk-reduction move an organization can make this year. Beyond compliance, MFA protects against the most common attack vector: stolen credentials.
The full Half-Yearly Cloud-Compliance Report will detail provider-specific findings, regulatory mappings, and lessons learned from early adopters who have already closed this gap.