How to use cryptography according to ISO 27001 control A.8.24

Today, information travels constantly from one part of the world to another through email, online transactions, USB flash drives, and external hard drives. Outside the facilities of the organization, the information passes through many places, such as ISP servers, routers, switches, external suppliers, carriers and more, before arriving at its final destination. Have you ever thought that this information could be accessible to people outside your organization? Take care—if you want to be protected from unauthorized access, you need to encrypt the information!

To clarify who should do what, and how, a cryptographic controls policy can help you a lot. So, in order to keep the “steering wheel in your hands,” a cryptographic policy should consider several points. Let me show you what to take care of while setting up the policy.

In ISO 27001, cryptographic control A.8.24 covers the definition of rules for:

Basic concepts of cryptography

To better understand how to use cryptography, it is important to know some concepts:

What are cryptographic devices?

Encryption mechanisms can be software-based (i.e., a program that depends on a computer to be executed) or hardware-based. In this last case, it is implemented in dedicated hardware, and is known as a cryptographic device.

What are the types of cryptographic methods?

A method refers to how keys and mechanisms interact. There are two types: encryption and decryption can use the same cryptographic key (a method known as symmetric cryptography) or different but related keys (a method known as asymmetric cryptography).

How is encryption done?

The encryption process is quite simple:

So, when you input the information in plain text and use the cryptographic key, the encryption mechanism performs the information transformations, creating the ciphertext.

In the decryption process, the information transformations are performed in the reverse sequence, generating the original plain text.

What makes a good cryptographic solution, and is the cryptographic key important?

The robustness of a cryptographic solution resides:

So, that’s the importance of taking extreme care when developing/choosing the encryption and decryption mechanisms, and using and storing cryptographic keys.

When to use cryptographic solutions?

Cryptographic solutions should be used whenever it is necessary to protect confidential information against unauthorized access.

Therefore, some examples where we could use cryptographic solutions include:

What is the current encryption standard?

In terms of encryption algorithm, the AES (Advanced Encryption Standard) is currently the most secure encryption available. Its weakness is the fact that users share the same encryption key, which brings a relevant risk when several users need to exchange sensitive information.

To avoid risks related to key sharing, the use of the RSA algorithm (a method named after its creators Rivest, Shamir, and Adleman) is the current alternative choice. Its Public Key Infrastructure approach increases the security when several users need to exchange sensitive information, at the cost of processing speed.

What is cryptography in ISO 27001, and what do cryptographic controls refer to?

In ISO 27001, use of cryptography refers to a set of security practices whose objective is to ensure proper and effective use of cryptography to protect information, according to perceived risks, either when it is at rest or during communication. They cover the definition of rules for:

Many people ask if ISO 27001 requires encryption at rest. It does not: even when the control is applicable, encryption at rest is not mandatory. It only needs to be considered.

Cryptographic controls and risk assessment

We must not forget that the implementation of security controls, including the encryption policy, has to be based on the results of the risk analysis. Therefore, the information protection level required should be identified by taking into account the time, complexity and quality of the required encryption algorithm.

There are many options for the implementation of cryptographic controls considered in an encryption policy:

ISO 27001 cryptographic controls policy | What needs to be included?

By the way, in some countries there are regulations and restrictions regarding the use of cryptographic controls, which must be considered when developing an encryption policy. If you want to know the regulations that exist around the world, you can consult this article: Laws and regulations on information security and business continuity by country.

Un-encrypted information can ruin your business

I often meet companies in which employees, or even managers or senior executives, have confidential business information on USB flash drives. A question needs to be asked: “Have you ever thought what can occur if these pen drives are lost or stolen and competing companies obtain this information?” The answer is that your company can start to lose money, or even close its doors if the disclosed information was very critical. To avoid this, the solution is simple: protect the information by establishing cryptographic controls when the information goes out of the boundaries of the organization.

To learn how to become compliant with every clause and control from Annex A, and to get all the required policies and procedures for controls and clauses, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.


Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.

Contributor

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.