ISO27001 Annex A.10 - Cryptography

The fifth control objective in the Annex A controls of ISO/IEC 27001 is to use cryptography to protect the confidentiality and integrity of information. Cryptography is the practice of using mathematical algorithms to transform data so that it can only be read by authorised parties and any tampering with it can be detected.

To meet this control objective, you can take the following steps:

  1. Identify the information that needs protection: Determine which information in your organisation needs to be protected and the level of protection required. This will help you to determine which cryptographic methods will be most appropriate.
  2. Select appropriate cryptographic methods: Choose cryptographic methods that are appropriate for the level of protection required. Examples include encryption, digital signatures, and hash functions.
  3. Implement the cryptographic methods: Implement the chosen cryptographic methods by following established standards and guidelines. This could include configuring encryption settings, installing software to perform encryption, or developing custom encryption software.
  4. Manage cryptographic keys: Manage and protect the cryptographic keys used to encrypt and decrypt the information. This includes generating, storing, distributing, and revoking keys as needed.
  5. Test the cryptographic methods: Test the cryptographic methods to ensure they are working as intended. This could include penetration testing, vulnerability scanning, or other types of security testing.
  6. Keep the cryptographic methods up to date: Cryptographic methods and algorithms can be broken or become weaker over time, so it is crucial to monitor for new weaknesses and update the methods and algorithms accordingly.
  7. Review the cryptographic methods: Review the cryptographic methods regularly to ensure they are still effective and appropriate for the level of protection required.
  8. Document the process: Document the process of implementing and managing cryptography, including the methods used, the keys used and the process of key management.
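As an added illustration of steps 4 and 6 (this is example code, not part of the standard or of the original article), the following Python sketch tags every protected message with an algorithm name and a key identifier, so that keys can be generated, rotated, retired and revoked without breaking verification of older data, and the algorithm can be changed later without ambiguity. The key ring, its three key states and the token layout are assumptions chosen for this example; only the standard library is used.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed key ring for this example. A key id maps to its secret and a
# lifecycle state: "active" (protects new data and verifies), "retired"
# (verifies only, so rotation does not break older data) and "revoked"
# (never accepted again, e.g. after a suspected compromise).
class KeyRing:
    def __init__(self):
        self.keys = {}
        self.active = None

    def generate(self, key_id):
        """Make a fresh 256-bit key active; the previous active key is retired."""
        if self.active is not None:
            self.keys[self.active]["state"] = "retired"
        self.keys[key_id] = {"secret": secrets.token_bytes(32), "state": "active"}
        self.active = key_id

    def revoke(self, key_id):
        """Revoke a key: nothing protected with it is accepted from now on."""
        self.keys[key_id]["state"] = "revoked"
        if self.active == key_id:
            self.active = None

def protect(ring, payload):
    """Return 'HS256.<key id>.<payload>.<tag>'; key ids must not contain '.'."""
    header = f"HS256.{ring.active}"
    body = base64.urlsafe_b64encode(payload).decode()
    # The MAC covers the header too, so algorithm and key id cannot be swapped.
    tag = hmac.new(ring.keys[ring.active]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{base64.urlsafe_b64encode(tag).decode()}"

def verify(ring, token):
    """Check algorithm name, key state and tag (constant-time); return the payload."""
    alg, kid, body, tag = token.split(".")
    if alg != "HS256":
        raise ValueError("unsupported algorithm")
    entry = ring.keys.get(kid)
    if entry is None or entry["state"] == "revoked":
        raise ValueError("unknown or revoked key")
    expected = hmac.new(entry["secret"], f"{alg}.{kid}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag)):
        raise ValueError("integrity check failed")
    return base64.urlsafe_b64decode(body)
```

Protect a message, then call `generate()` again: the older token still verifies under the retired key while new tokens carry the new key id; call `revoke()` on the old key and `verify()` rejects the older token.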

It's important to keep in mind that cryptography is one of many controls in information security, and it should be integrated with other controls and procedures, such as access control and incident management.