This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.24 Use of cryptography.
ISO 27001: 2022 Control Description
Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
Purpose
To ensure cryptography is used properly to protect the confidentiality, authenticity, and integrity of information, in line with business needs and legal requirements.
Guidance on implementation
When implementing cryptography, consider the following:
- Cryptography Policy:
Establish a policy that outlines how cryptography will be used within the organisation. This policy should guide the correct and effective use of cryptographic methods to avoid risks and maximise benefits. - Information Protection Levels:
Determine the required level of protection based on the classification of the information. This will help in selecting the appropriate type, strength, and quality of cryptographic algorithms. - Use in Mobile and Networked Devices:
Implement cryptography to protect information on mobile devices and during transmission over networks. - Key Management:
Develop a robust key management strategy, which includes generating, protecting, and recovering cryptographic keys in case they are lost, compromised, or damaged. - Roles and Responsibilities:
Clearly define who is responsible for implementing cryptographic rules and managing keys. - Standards and Algorithms:
Use approved cryptographic standards and algorithms, ensuring that cipher strength and usage practices meet organisational requirements. - Impact on Security Controls:
Consider how encrypted data might affect other security controls, such as malware detection or content filtering. - Compliance with Regulations:
Be aware of and comply with any legal restrictions on the use of cryptography, especially when dealing with international data transfers. - Supplier Agreements:
Ensure contracts with external cryptographic service providers cover liability, service reliability, and response times.
Key Management
Effective key management requires secure processes for generating, storing, distributing, and eventually retiring cryptographic keys. Your key management system should include:
- Generating Keys: For various cryptographic systems and applications.
- Issuing Certificates: Handling public key certificates securely.
- Distributing Keys: Ensuring keys reach their intended recipients securely.
- Storing Keys: Protecting keys and controlling access.
- Updating Keys: Establishing when and how keys should be changed.
- Compromised Keys: Procedures for handling compromised keys.
- Revoking Keys: Removing keys from use when necessary, such as when a user leaves the organisation.
- Recovering Keys: Retrieving lost or corrupted keys.
- Archiving Keys: Safely storing old keys.
- Destroying Keys: Securely disposing of keys when no longer needed.
- Auditing: Keeping logs of all key management activities.
- Activation/Deactivation: Setting dates for when keys are valid for use.
- Legal Requests: Handling requests to provide cryptographic keys in legal situations.
Additional Information
- Public Key Authenticity:
Ensure public keys are authentic, typically by using certificate authorities and public key certificates. - Use of Cryptography:
Cryptography can serve various security purposes:- Confidentiality: Encrypting sensitive information.
- Integrity/Authenticity: Using digital signatures or message authentication codes.
- Non-Repudiation: Providing proof of actions or events.
- Authentication: Verifying identities through cryptographic methods.