What does control A.3.26 require?
Rules for the effective use of cryptography related to PII processing, including cryptographic key management, shall be defined and implemented.
This control sits within the Shared security controls annex (A.3) and requires organisations to take a structured, policy-driven approach to cryptography. It is not sufficient to simply encrypt data — the organisation must define rules that specify when cryptography is required, which algorithms and key lengths are acceptable, how keys are managed throughout their life cycle and how cryptographic capabilities are communicated to customers.
What does the Annex B implementation guidance say?
Annex B (section B.3.26) provides the following guidance:
- Jurisdictional requirements — Some jurisdictions can require the use of cryptography to protect particular kinds of PII, such as health data, resident registration numbers, passport numbers and driver’s licence numbers
- Customer transparency — The organisation should provide information to the customer about the circumstances in which it uses cryptography to protect the PII it processes
- Customer self-service encryption — The organisation should also provide information about any capabilities it offers that can assist the customer in applying their own cryptographic protection
- See also A.3.22: User Endpoint Devices for related requirements
- See also A.3.25: Logging for related requirements
The guidance highlights two important dimensions: mandatory encryption imposed by law (which varies by jurisdiction and PII type) and transparency to customers about what encryption is applied and what options are available. Processors in particular must be prepared to explain their encryption architecture to controllers.
How does this map to GDPR?
Control A.3.26 maps to the following GDPR article:
- Article 32(1)(a) — The requirement to implement appropriate technical and organisational measures including the pseudonymisation and encryption of personal data
Article 32(1)(a) explicitly names encryption as an appropriate technical measure, making cryptography one of the few specific technologies directly referenced in the GDPR. Encryption also features in GDPR recital 83 and can reduce breach notification obligations under Article 34(3)(a) where data is rendered unintelligible to unauthorised persons.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was covered by Clauses 6.7.1.1 (policy on the use of cryptographic controls) and 6.7.1.2 (key management). The 2025 edition consolidates both into A.3.26 with unified implementation guidance in B.3.26. The guidance now places greater emphasis on communicating cryptographic capabilities to customers and supporting customer-applied encryption. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.3.26, auditors will typically look for:
- Cryptography policy — A documented policy specifying when encryption is required, approved algorithms and key lengths, key management procedures and roles responsible for cryptographic controls
- Encryption at rest — Evidence that PII is encrypted at rest using approved algorithms, including database encryption, disk encryption and backup encryption
- Encryption in transit — Evidence that PII is encrypted in transit using TLS 1.2 or higher for all data transmission channels
- Key management procedures — Documented key generation, distribution, storage, rotation, revocation and destruction procedures
- Jurisdictional compliance — Evidence that encryption requirements imposed by applicable jurisdictions are being met for the relevant PII categories
What are the related controls?
| Control | Relationship |
|---|---|
| A.3.20 Storage media | Removable media containing PII should use encryption wherever feasible |
| A.3.7 Information transfer | PII transfers should be protected by encryption in transit |
| A.3.24 Information backup | Backup data containing PII should be encrypted |
| A.3.28 Application security requirements | Application-level encryption requirements are informed by the cryptography policy |
| A.1.4.10 PII transmission controls | Controller transmission controls rely on cryptographic protection |
Who does this control apply to?
A.3.26 is a shared control that applies to both PII controllers and PII processors. Controllers must define and implement cryptography rules for their own PII processing. Processors have additional obligations to communicate their use of cryptography to customers and to provide capabilities that allow customers to apply their own encryption where appropriate.
Why choose ISMS.online for cryptography management?
ISMS.online provides practical tools for managing your cryptography programme:
- Cryptography policy templates — Pre-built policy templates covering approved algorithms, key lengths, use cases and key management requirements, customisable to your organisation
- Key management register — Track cryptographic keys across your systems with lifecycle management: generation, distribution, rotation, expiry and destruction
- Compliance mapping — Map your cryptographic controls to jurisdictional requirements, GDPR Article 32 and ISO 27701 control A.3.26 in one view
- Evidence management — Store encryption configuration evidence, key management records and policy acknowledgements in a structured, audit-ready format
- Review scheduling — Schedule periodic reviews of your cryptography policy and key management practices with automated reminders
FAQs
What encryption algorithms are recommended?
The standard does not prescribe specific algorithms, but industry best practice currently recommends AES-256 for symmetric encryption at rest, TLS 1.2 or 1.3 for encryption in transit and RSA-2048 (or higher) or elliptic curve equivalents for asymmetric encryption. Organisations should reference guidance from national cryptographic authorities (such as NCSC in the UK or NIST in the US) and review their approved algorithms periodically as cryptographic standards evolve.
Does encryption reduce GDPR breach notification obligations?
GDPR Article 34(3)(a) provides that communication to data subjects is not required if the organisation has implemented appropriate technical protection measures that render personal data unintelligible to any person who is not authorised to access it, such as encryption. However, this does not remove the obligation to notify the supervisory authority under Article 33. Encryption can therefore reduce the scope and impact of breach notification but does not eliminate it entirely.
What does key management involve?
Key management covers the full lifecycle of cryptographic keys: generation (using secure random number generators), distribution (secure channels only), storage (in hardware security modules or equivalent secure stores), rotation (replacing keys at defined intervals or after suspected compromise), revocation (disabling keys that are compromised or no longer needed) and destruction (securely deleting keys at end of life). Poor key management can completely undermine otherwise strong encryption.
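The lifecycle just described (and the key management procedures auditors look for above) can be enforced in code rather than only documented. The following is an added illustration, not code from the standard or from ISMS.online: a hypothetical key register in which only the active key creates new protection, a rotated key stays verify-only, and a revoked or destroyed key can never be used again. Key size, the 90-day rotation interval and the use of an HMAC tag in place of encryption are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Assumed policy values, not taken from the standard: 256-bit keys, 90-day rotation.
KEY_BYTES = 32
ROTATION_INTERVAL_DAYS = 90


class KeyRegister:
    # Hypothetical register enforcing generate -> rotate -> revoke -> destroy.
    def __init__(self):
        self.keys = {}       # key_id -> {"material", "created", "state"}
        self.audit = []      # append-only record kept as audit evidence
        self.current = None  # key_id permitted to create new protection
    def generate(self, day):
        # Generation from a CSPRNG; the previous active key becomes verify-only.
        key_id = "k-" + secrets.token_hex(4)
        self.keys[key_id] = {"material": secrets.token_bytes(KEY_BYTES), "created": day, "state": "active"}
        if self.current and self.keys[self.current]["state"] == "active":
            self.keys[self.current]["state"] = "deprecated"
        self.current = key_id
        self.audit.append(f"day {day}: generate {key_id}")
        return key_id
    def rotate_if_due(self, day):
        # Scheduled rotation once the defined interval has elapsed.
        if day - self.keys[self.current]["created"] >= ROTATION_INTERVAL_DAYS:
            return self.generate(day)
        return self.current
    def revoke(self, key_id, day, reason):
        # Revocation on suspected compromise; revoking the current key forces rotation at once.
        self.keys[key_id]["state"] = "revoked"
        self.audit.append(f"day {day}: revoke {key_id} ({reason})")
        if self.current == key_id:
            self.generate(day)
    def destroy(self, key_id, day):
        # Destruction drops the material but keeps the record for the audit trail.
        self.keys[key_id].update(material=None, state="destroyed")
        self.audit.append(f"day {day}: destroy {key_id}")
    def protect(self, data):
        # Only the active key creates new protection; an HMAC-SHA256 tag stands in for encryption.
        rec = self.keys[self.current]
        return self.current, hmac.new(rec["material"], data, hashlib.sha256).digest()
    def verify(self, key_id, data, tag):
        # Active or deprecated keys may verify existing data; revoked or destroyed keys never do.
        rec = self.keys.get(key_id)
        if rec is None or rec["state"] not in ("active", "deprecated"):
            return False
        return hmac.compare_digest(hmac.new(rec["material"], data, hashlib.sha256).digest(), tag)
```

The `audit` list is the kind of key management record an auditor would ask to see; in a real deployment the material would live in an HSM or equivalent store rather than in process memory.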