Understanding ISO 27701 Clause 6.7: Cryptographic Controls for PII Protection
Cryptography (encryption), along with role-based access, is the foremost method of securing PII and privacy-related information from unauthorised use.
Cryptographic controls are a prerequisite for almost all PII-related activities, where private information is transferred between systems, applications, users and third parties.
What’s Covered in ISO 27701 Clause 6.7
ISO 27701 6.7 contains two sub-clauses, both of which rely on the same guidance notes from ISO 27002 8.2.4, that provides a cryptographic framework for organisations to operate within:
- ISO 27002 6.7.1.1 – Policy on the use of cryptographic controls (References ISO 27002 Control 8.24)
- ISO 27002 6.7.1.2 – Key management (References ISO 27002 Control 8.24)
ISO 27002 6.7.1.1 contains guidance that falls under UK GDPR legislation. The relevant articles have been provided for your convenience.
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
ISO 27701 Clause 6.7.1.1 – Policy on the Use of Cryptographic Controls
References ISO 27002 Control 8.24
Organisations should use encryption to protect the confidentiality, authenticity and integrity of PII and privacy-related information, and to adhere to their various contractual, legal or regulatory obligations.
Encryption is a far-reaching concept – there is no ‘one size fits all’ approach. Organisations should assess their needs and choose a cryptographic solution that meets their unique commercial and operational objectives.
General Guidance
Organisations should consider:
- Develop a topic-specific approach to cryptography, that takes into account various departmental, role-based and operational requirements.
- The appropriate level of protection (along with the type of information to be encrypted).
- Mobile devices and storage media.
- Cryptographic key management (storage, processing etc).
- Specialised roles and responsibilities for cryptographic functions, including implementation and and key management (see ISO 27002 8.24).
- The technical encryption standards that are to be adopted, including algorithms, cipher strength, best practice guidelines.
- How encryption will work alongside other cybersecurity efforts, such as malware protection and gateway security.
- Cross-border and cross-jurisdictional laws and guidelines (see ISO 27002 5.31).
- Contracts with third-party cryptography partners that cover all or part liability, reliability and response times.
Key Management
Key management procedures should be spread out over 7 main functions:
- Generation.
- Storage.
- Archiving.
- Retrieval.
- Distribution.
- Retiring.
- Destruction.
Organisational key management systems should:
- Manage key generation for all encryption methods.
- Implement public key certificates.
- Ensure that all all relevant human and non-human entities are issued with the requisite keys.
- Store keys.
- Amend keys, as required.
- Have procedures in place to deal with potentially compromised keys.
- Decommission keys, or revoke access on a user-by-user basis.
- Recover lost or malfunctioning keys, either from backups and key archives.
- Destroy keys that are no longer required.
- Manage the activation and deactivation lifecycle, so that certain keys are only available for the period of time that they are needed.
- Process official requests for access, from law enforcement agencies or, in certain circumstances, regulatory agencies.
- Contain access controls that protect physical access to keys and encrypted information.
- Consider the authenticity of public keys, prior to implementation (certificate authorities and public certificates).
Relevant ISO 27002 Controls
- ISO 27002 5.31
- ISO 27002 8.24
Applicable GDPR Articles
- Article 32 – (1)(a)
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
ISO 27701 Clause 6.7.1.2 – Key Management
References ISO 27002 Control 8.24
See above section on Key Management (ISO 27701 6.7.1.1).
Supporting Controls From ISO 27002 and GDPR
| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Requirement | Associated GDPR Articles |
|---|---|---|---|
| 6.7.1.1 | Policy on the Use of Cryptographic Controls | 8.24 – Use of Cryptography for ISO 27002 | Article (32) |
| 6.7.1.2 | Key Management | 8.24 – Use of Cryptography for ISO 27002 | None |
How ISMS.online Helps
How do we help?
ISO 27701 shows you how to build a Privacy Information Management System that complies with most privacy regulations, including the EU’s GDPR, BS 10012 and South Africa’s POPIA.
Our simplified, secure, sustainable software helps you easily follow the approach outlined by the internationally recognised standard.
All the features you need:
- ROPA made easy
- Built in Risk Bank
- Secure space for DRR
Find out how much time and money you’ll save on your journey to a combined ISO 27002 and 27701 certification using ISMS.online by booking a demo.
