What is the objective of Annex A.10.1 of ISO 27001:2013?
Annex A.10.1 is about cryptographic controls. The objective of this Annex A control is to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. It’s an important part of the information security management system (ISMS), especially if you’d like to achieve ISO 27001 certification. Let’s understand those requirements and what they mean in a bit more depth now.
A.10.1.1 Policy on the use of Cryptographic Controls
Encryption and cryptographic controls are often seen as one of the key weapons in the security arsenal; however, on their own they are not the “silver bullet” that solves every problem. Incorrect selection of cryptographic technologies and techniques, or poor management of cryptographic material (e.g. keys and certificates), can create vulnerabilities in itself.
Encryption can slow processing and transmission of information down so it is important to understand all of the risks and balance out the controls to an adequate level whilst also still meeting performance goals. A policy on the use of encryption can be a good place to identify the business requirements for when encryption must be used and the standards that are to be implemented. Consideration must also be given to the legal requirements around encryption.
A.10.1.2 Key Management
A good control describes how a policy on the use and protection of cryptographic keys should be developed and implemented across their whole lifecycle. One of the most important aspects is the creation, distribution, change, backup and storage of cryptographic key material, through to its end of life and destruction.
Management of key material is often the weakest point for encryption and attackers may seek to attack this rather than the encryption itself. It is therefore important to have robust and secure processes around it. Dealing with compromised keys is also important and where appropriate should be tied into Annex A.16 Security Incident Management too.
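The lifecycle stages named above (creation, change, storage, compromise handling tied to incident management, and destruction) are easier to reason about as a state machine. The following is an added illustration written for this page, not code from ISMS.online or from the standard itself; it assumes an in-memory register of HMAC keys with a hypothetical `KeyRegister` class and an injectable clock, standing in for the HSM or KMS that would hold the material in a real deployment.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Optional


class KeyState(Enum):
    ACTIVE = "active"              # protects new data and verifies old data
    RETIRED = "retired"            # after rotation: verify only, never protect
    COMPROMISED = "compromised"    # blocked for all use; incident raised
    DESTROYED = "destroyed"        # material wiped, metadata kept for audit


@dataclass
class KeyRecord:
    key_id: str
    material: Optional[bytes]      # constructed example: real systems keep this in an HSM/KMS
    created: datetime
    expires: datetime
    state: KeyState = KeyState.ACTIVE
    events: list = field(default_factory=list)   # lifecycle audit trail


class KeyRegister:
    """Hypothetical register tracking keys through the A.10.1.2 lifecycle.
    The clock is injectable so rotation deadlines can be tested deterministically."""

    def __init__(self, rotation_period: timedelta,
                 now: Optional[Callable[[], datetime]] = None):
        self.rotation_period = rotation_period
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.keys: dict = {}
        self.incidents: list = []   # hand-off point to incident management (Annex A.16)

    def _active(self) -> Optional[KeyRecord]:
        for rec in self.keys.values():
            if rec.state is KeyState.ACTIVE:
                return rec
        return None

    def rotate(self) -> str:
        """Creation and change: mint a fresh CSPRNG key and retire the current one."""
        old = self._active()
        now = self.now()
        key_id = secrets.token_hex(4)
        rec = KeyRecord(key_id, secrets.token_bytes(32), now, now + self.rotation_period)
        rec.events.append(f"created {now.isoformat()}")
        self.keys[key_id] = rec
        if old is not None:
            old.state = KeyState.RETIRED
            old.events.append(f"retired {now.isoformat()} (replaced by {key_id})")
        return key_id

    def rotation_due(self) -> bool:
        rec = self._active()
        return rec is None or self.now() >= rec.expires

    def protect(self, data: bytes) -> tuple:
        """Only the ACTIVE key may protect new data."""
        rec = self._active()
        if rec is None:
            raise RuntimeError("no active key; call rotate() first")
        return rec.key_id, hmac.new(rec.material, data, hashlib.sha256).digest()

    def verify(self, key_id: str, data: bytes, tag: bytes) -> bool:
        """ACTIVE and RETIRED keys may verify; compromised or destroyed keys are refused."""
        rec = self.keys.get(key_id)
        if rec is None or rec.state not in (KeyState.ACTIVE, KeyState.RETIRED):
            return False
        expected = hmac.new(rec.material, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def mark_compromised(self, key_id: str, reason: str) -> None:
        """Compromise handling: block the key, raise an incident, replace it if it was live."""
        rec = self.keys[key_id]
        was_active = rec.state is KeyState.ACTIVE
        rec.state = KeyState.COMPROMISED
        rec.events.append(f"compromised {self.now().isoformat()}: {reason}")
        self.incidents.append(f"key {key_id} compromised: {reason}")
        if was_active:
            self.rotate()   # new data must never be protected with the bad key

    def destroy(self, key_id: str) -> None:
        """End of life: wipe the material; the active key must be rotated out first."""
        rec = self.keys[key_id]
        if rec.state is KeyState.ACTIVE:
            raise ValueError("rotate before destroying the active key")
        rec.material = None
        rec.state = KeyState.DESTROYED
        rec.events.append(f"destroyed {self.now().isoformat()}")
```

The point the policy text makes is visible in the state transitions: a retired key can still verify data it protected, a compromised key can do nothing and produces an incident record for the A.16 process, and the active key cannot be destroyed until it has been replaced.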
ISMS.online offers some guidance and tips towards a good policy for encryption; however, this is one of the few areas that is unique to your business and to the operational activities where you’d use encryption. We do have a list of partners who provide specialist advice and products around encryption, so if this is an area you need help with during your implementation, let us know and we can put you in touch with trusted experts too.
ISO 27001 Annex A Controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance