ISO27001 and the Annex Clauses – Clause A10 Cryptography

When you first think about cryptography and its uses, it's not hard to jump straight to the realms of James Bond and secret codes that unlock the secrets of organisations and the nation. So why would you need to care about it?

The answer is simple really: in today's cloud computing environment, for example, cryptography appears everywhere, in secure computer systems and even in the password for your phone or computer. It's all driven by cryptography, so what is it?

Cryptography is the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents. ... Here, data is encrypted using a secret key, and then both the encoded message and secret key are sent to the recipient for decryption

Kaspersky.com

From a business point of view, then, it's about making sure that only those who should be able to access and see information actually can, and those who shouldn't can't get access.

A10.1 Cryptography Controls

The ISO27001 Annex A clause A10.1 is the only clause for cryptography in the Information Security Management System standard, and it has only 2 sub-clauses; you'd expect a little more on the subject in a standard about information security. The fact is, however, that this little clause packs a big punch, and it's going to need some expert help, either from your internal IT team or from your local IT specialist, before you put pen to paper to write things down.

  • 10.1.1 – The Cryptography Policy. Like any policy, this is a formal document that outlines the use of the cryptography controls you intend to use for the protection of your information. Now you could just sit down and write this, but as we said, expert advice is going to be needed. What type of cryptography will you use – Secret Key, Public Key or Hash function? If you don't know what these are, then it's a big signal to go and grab your knowledgeable and helpful IT professional to help. Your policy should give the framework for how your controls will be developed and implemented within your organisation.
  • 10.1.2 – Key Management Policy. Keys are what are used in cryptography to encode and decode information; having the key means you have the information. The subject of this policy, then, is the level of protection your keys must have and the lifetime of the key itself. If you give someone a key to your system, are you happy for it to last indefinitely, or do you want it to have a short life of a week, a day, an hour, a minute!? (Think about the rotating code in your Google or Microsoft authenticator.) Again, you need to consider a few things before writing this particular Information Security Management System (ISMS) policy. What information are you trying to protect, how many people will have access, and if someone does get access, how bad would it be?
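The key lifetime question in 10.1.2 is easier to reason about when you can see it enforced. The following is an added example written for this article, not code from the original post or from any product; it is a small, hypothetical key store in Python's standard library that gives every secret key a policy-defined maximum age, refuses to use a key once that age has passed, and rotates to a fresh key automatically. It also shows two of the three types named in 10.1.1 at work: a secret key (HMAC over a message) and a hash function (SHA-256 used to fingerprint key material so the secret itself never has to be quoted). Public-key cryptography is not shown because the standard library has no primitive for it. The lifetime, key names and timestamps are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class ManagedKey:
    """One secret key under management: its identity, when it was made, and how long policy lets it live."""
    key_id: str        # fingerprint of the material (a hash function at work); safe to log
    material: bytes    # the secret itself; never logged, never leaves the key store
    created_at: int    # seconds since epoch (constructed values in the demo below)
    max_age: int       # policy-defined lifetime in seconds

    def is_valid(self, now: int) -> bool:
        # A key is usable only inside its lifetime; expiry is a hard stop, not a warning.
        return self.created_at <= now < self.created_at + self.max_age


def fingerprint(material: bytes) -> str:
    # SHA-256 of the secret gives a public-safe identifier without revealing the secret.
    return hashlib.sha256(material).hexdigest()[:16]


class KeyRegistry:
    """Minimal key store that enforces a maximum key age and rotates when it is reached."""

    def __init__(self, max_age: int) -> None:
        self.max_age = max_age            # the lifetime the key management policy allows
        self._keys: dict[str, ManagedKey] = {}
        self._current_id: str | None = None

    def rotate(self, now: int) -> ManagedKey:
        # Fresh 256-bit key from the OS random source; older keys stay known so that
        # things signed under them can still be verified until they too expire.
        material = secrets.token_bytes(32)
        key = ManagedKey(fingerprint(material), material, now, self.max_age)
        self._keys[key.key_id] = key
        self._current_id = key.key_id
        return key

    def current(self, now: int) -> ManagedKey:
        # New signatures always come from a key inside its lifetime.
        if self._current_id is None or not self._keys[self._current_id].is_valid(now):
            return self.rotate(now)
        return self._keys[self._current_id]

    def lookup(self, key_id: str, now: int) -> ManagedKey | None:
        # Unknown or expired keys are refused outright rather than quietly accepted.
        key = self._keys.get(key_id)
        if key is None or not key.is_valid(now):
            return None
        return key


def sign(registry: KeyRegistry, message: bytes, now: int) -> tuple[str, str]:
    """Secret-key integrity protection: HMAC-SHA256 under the current key."""
    key = registry.current(now)
    tag = hmac.new(key.material, message, hashlib.sha256).hexdigest()
    return key.key_id, tag


def verify(registry: KeyRegistry, message: bytes, key_id: str, tag: str, now: int) -> bool:
    """Accept only if the named key is still within policy and the tag matches."""
    key = registry.lookup(key_id, now)
    if key is None:
        return False
    expected = hmac.new(key.material, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


if __name__ == "__main__":
    # Constructed scenario: keys may live one hour; a record is signed at t=1000.
    registry = KeyRegistry(max_age=3600)
    key_id, tag = sign(registry, b"invoice-0001", now=1000)
    print("signed under key", key_id)
    print("verify within lifetime:", verify(registry, b"invoice-0001", key_id, tag, now=1500))
    print("verify after expiry:   ", verify(registry, b"invoice-0001", key_id, tag, now=4600))
    new_id, _ = sign(registry, b"invoice-0002", now=4600)
    print("rotated to a new key:  ", new_id != key_id)
```

The two policy decisions the clause asks for map onto two values here: `max_age` is the lifetime, and keeping `material` inside the registry (while only `key_id` travels with the data) is the level of protection. Shortening `max_age` is what the authenticator analogy in the text does: a code that rotates every thirty seconds is a key with a thirty-second `max_age`.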

As you go through your process, think of each of the different levels of information you hold and how much protection each will need; this will also form part of your decision process when implementing the Cryptographic controls annex.

It's easy to both underestimate and over-complicate the requirements of this clause for your ISO27001 Information Security Management System, so our serious advice is to make sure you work with someone who understands it before you head off down a rabbit hole you don't have the keys to get back out of.

Ready To Start Your ISO27001 Journey?

Make a booking now and find out how we can help you Make Things, Better

Copyright

© Many Caps Consulting | All Rights Reserved
