ISO 27001 – Annex A.10: Cryptography

What is the objective of Annex A.10.1 of ISO 27001:2013?

Annex A.10.1 is about Cryptographic controls. The objective in this Annex A control is to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. It’s an important part of the information security management system (ISMS) especially if you’d like to achieve ISO 27001 certification. Lets understand those requirements and what they mean in a bit more depth now.

See how we’ll get you to ISO 27001
Book your demo

A.10.1.1 Policy on the use of Cryptographic Controls

Encryption and cryptographic controls are often seen as one of the key weapons in the security arsenal, however, on its own it is not the “silver bullet” that solves every problem. Incorrect selection of cryptographic technologies and techniques or the poor management of cryptographic material (e.g. keys and certificates) can create vulnerabilities themselves.

Encryption can slow processing and transmission of information down so it is important to understand all of the risks and balance out the controls to an adequate level whilst also still meeting performance goals. A policy on the use of encryption can be a good place to identify the business requirements for when encryption must be used and the standards that are to be implemented. Consideration must also be given to the legal requirements around encryption.

A.10.1.2 Key Management

A good control describes how a policy on the use and protection of Cryptographic Keys should be developed and implemented through their whole lifecycle. One of the most important aspects is around the creation, distribution, changes, back up and storage of cryptographic key material through to its end of life and destruction.

Management of key material is often the weakest point for encryption and attackers may seek to attack this rather than the encryption itself. It is therefore important to have robust and secure processes around it.  Dealing with compromised keys is also important and where appropriate should be tied into Annex A.16 Security Incident Management too.

Applying Encryption

ISMS.online offers some guidance and tips towards a good policy for encryption however this is one of the few areas where it is unique to your business and the operational activities where you’d use encryption.  We do have a list of partners who provide specialist advice and products around encryption so if this is an area you need help with during your implementation let us know and we can put you in touch with trusted experts too.

We’ll give you a 77% head start on your ISO 27001 certification
Speak with an ISMS expert

How to easily demonstrate A.10 Cryptography

The ISMS.online platform makes it easy for you to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

Step 1 : Adopt, adapt and add

Our pre-configured ISMS will enable you to evidence controls A.10.1.1-A.10.1.2 within our platform and easily adapt it to your organisation’s needs.

You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.

This means that you have ready-made simple to follow foundation for ISO 27001 compliance or certification giving you a 77% head start.

Step 1 : Adopt, adapt and add

Step 2 : Demonstrate to your auditors

You can easily demonstrate your work to auditors by recording your evidence within the platform e.g. data, policies, controls, procedures, risks, actions, projects, related documentation and reports.
Step 2 : Demonstrate to your auditors

Step 3 : A time-saving path to certification

Our Assured Results Method, ARM, is your simple, practical, time-saving path to first-time ISO 27001 compliance or certification. A.10 is part of the second section that ARM will guide you on, where you’ll begin to describe your current information security policies and controls in line with Annex A controls.
Step 3 : A time-saving path to certification

Step 4 : Extra support whenever you need it

If you need extra support, our optional Virtual Coach provides context-specific help whenever you need it. Additionally, our Service Delivery Team and your Account Manager are only ever a phone call away.
Step 4 : Extra support whenever you need it

ISO 27001 requirements

ISO 27001 Annex A Controls

About ISO 27001

Platform features

Disconnected templates and toolkits supported by an expensive consultant just don’t cut it anymore. You need an ISMS that works for you both now and as your business grows.

Policies & Controls Management

Easily collaborate, create and show you are on top of your documentation at all times

Risk Management

Effortlessly address threats & opportunities and dynamically report on performance

Measurement & Automated Reporting

Make better decisions and show you are in control with dashboards, KPIs and related reporting

Audits, Actions & Reviews

Reduce the effort and make light work of corrective actions, improvements, audits and management reviews

Mapping & Linking Work

Shine a light on critical relationships and elegantly link areas such as assets, risks, controls and suppliers

Interested Party Management

Visually map and manage interested parties to ensure their needs are clearly addressed

Documented Procedures

Simply document, easily control and publish your procedures to ensure stakeholders follow them

Other Standards & Regulations

Neatly add in other areas of compliance affecting your organisation to achieve even more for less

Staff Awareness & Compliance Assurance

Engage staff, suppliers and others with dynamic end-to-end compliance at all times

Supply Chain Management

Manage due diligence, contracts, contacts and relationships over their lifecycle

User Management & Permissions

Practical permissions with low cost plans for more regular and occasional users

Privacy & Security

Strong privacy by design and security controls to match your needs & expectations
See ISMS.online in action

Simple and easy to use | Comprehensive in scope | Affordable and lower cost than alternatives

Book your free demo today