It's not in the manual, because .htpasswd or directory access control is not a feature of ISPConfig.
If your client has FTP access to their website (i.e. your server) then they already have all they need to set up their own directory security.
This is done in two portions;
1- they add a .htaccess file into the directory in question.
2- they add a .htpasswd file into a directory which is *not* served (i.e. it resides in a separate directory at the same level as the "web" directory)
(Your client creates the latter directory themselves. It is not served by the web server.)
Check out here for more info on actually creating the .htaccess and .htpasswd files: