ISO 27701, Clause 6.7 – Cryptography

ISO 27701 Controls and Clauses Explained

Book a demo

blue,clean,glass,wall,of,modern,skyscraper

Cryptography (encryption), along with role-based access, is the foremost method of securing PII and privacy-related information from unauthorised use.

Cryptographic controls are a prerequisite for almost all PII-related activities, where private information is transferred between systems, applications, users and third parties.

What’s Covered in ISO 27701 Clause 6.7

ISO 27701 6.7 contains two sub-clauses, both of which rely on the same guidance notes from ISO 27002 8.2.4, that provides a cryptographic framework for organisations to operate within:

  • ISO 27002 6.7.1.1 – Policy on the use of cryptographic controls (References ISO 27002 Control 8.24)

  • ISO 27002 6.7.1.2 – Key management (References ISO 27002 Control 8.24)

ISO 27002 6.7.1.1 contains guidance that falls under UK GDPR legislation. The relevant articles have been provided for your convenience.

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.

Jump to Topic
Achieve ISO 27701 Success

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 6.7.1.1 – Policy on the Use of Cryptographic Controls

References ISO 27002 Control 8.24

Organisations should use encryption to protect the confidentiality, authenticity and integrity of PII and privacy-related information, and to adhere to their various contractual, legal or regulatory obligations.

Encryption is a far-reaching concept – there is no ‘one size fits all’ approach. Organisations should assess their needs and choose a cryptographic solution that meets their unique commercial and operational objectives.

General Guidance

Organisations should consider:

  • Develop a topic-specific approach to cryptography, that takes into account various departmental, role-based and operational requirements.

  • The appropriate level of protection (along with the type of information to be encrypted).

  • Mobile devices and storage media.

  • Cryptographic key management (storage, processing etc).

  • Specialised roles and responsibilities for cryptographic functions, including implementation and and key management (see ISO 27002 8.24).

  • The technical encryption standards that are to be adopted, including algorithms, cipher strength, best practice guidelines.

  • How encryption will work alongside other cybersecurity efforts, such as malware protection and gateway security.

  • Cross-border and cross-jurisdictional laws and guidelines (see ISO 27002 5.31).

  • Contracts with third-party cryptography partners that cover all or part liability, reliability and response times.

Key Management

Key management procedures should be spread out over 7 main functions:

  1. Generation.

  2. Storage.

  3. Archiving.

  4. Retrieval.

  5. Distribution.

  6. Retiring.

  7. Destruction.

Organisational key management systems should:

  • Manage key generation for all encryption methods.

  • Implement public key certificates.

  • Ensure that all all relevant human and non-human entities are issued with the requisite keys.

  • Store keys.

  • Amend keys, as required.

  • Have procedures in place to deal with potentially compromised keys.

  • Decommission keys, or revoke access on a user-by-user basis.

  • Recover lost or malfunctioning keys, either from backups and key archives.

  • Destroy keys that are no longer required.

  • Manage the activation and deactivation lifecycle, so that certain keys are only available for the period of time that they are needed.

  • Process official requests for access, from law enforcement agencies or, in certain circumstances, regulatory agencies.

  • Contain access controls that protect physical access to keys and encrypted information.

  • Consider the authenticity of public keys, prior to implementation (certificate authorities and public certificates).

Relevant ISO 27002 Controls

  • ISO 27002 5.31

  • ISO 27002 8.24

Applicable GDPR Articles

  • Article 32 – (1)(a)

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how easy ISO 27701 is with ISMS.online
Get your quote

ISO 27701 Clause 6.7.1.2 – Key Management

References ISO 27002 Control 8.24

See above section on Key Management (ISO 27701 6.7.1.1).

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause IdentifierISO 27701 Clause NameISO 27002 ControlAssociated GDPR Articles
6.7.1.1Policy on the Use of Cryptographic Controls8.24 – Use of Cryptography for ISO 27002Article (32)
6.7.1.2Key Management8.24 – Use of Cryptography for ISO 27002None

How ISMS.online Helps

How do we help?

ISO 27701 shows you how to build a Privacy Information Management System that complies with most privacy regulations, including the EU’s GDPR, BS 10012 and South Africa’s POPIA.

Our simplified, secure, sustainable software helps you easily follow the approach outlined by the internationally recognised standard.

All the features you need:

  • ROPA made easy

  • Built in Risk Bank

  • Secure space for DRR

Find out how much time and money you’ll save on your journey to a combined ISO 27002 and 27701 certification using ISMS.online by booking a demo.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

We can’t think of any company whose service can hold a candle to ISMS.online.
Vivian Kroner
ISO 27001, 27701 and GDPR lead implementer Aperian Global
100% of our users pass certification first time
Book your demo

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more