Cryptography in ISO 27001
Cryptography is one of the most important technical safeguards for protecting information confidentiality and integrity. ISO 27001 Annex A control A.8.24 requires organizations to define and implement rules for the effective use of cryptography, including cryptographic key management. This control recognizes that encryption is only as strong as its implementation — poorly managed cryptography can provide a false sense of security while leaving information vulnerable to compromise.
Implementing cryptographic controls for ISO 27001 involves more than simply enabling encryption on your systems. It requires a policy-driven approach that addresses what information needs encryption, what algorithms and protocols are acceptable, how encryption keys are managed throughout their lifecycle, and how cryptographic controls are maintained and monitored over time.
Developing Your Cryptography Policy
Your cryptography policy should address several key areas. Define when encryption is required based on your data classification scheme. At minimum, information classified at higher sensitivity levels should be encrypted at rest on all storage media and in transit across any network. Consider also encrypting lower classification levels on portable devices and when transmitted over public networks.
Specify the acceptable cryptographic algorithms and minimum key lengths for your organization. Industry standards recommend AES-256 for symmetric encryption, RSA-2048 or higher for asymmetric encryption, and SHA-256 or higher for hashing. Avoid deprecated algorithms such as DES, 3DES, MD5, and SHA-1, which have known weaknesses. Your policy should be specific enough to prevent the use of weak cryptography while flexible enough to accommodate different use cases.
Address legal and regulatory considerations related to cryptography. Some jurisdictions restrict the import, export, or use of certain cryptographic technologies. If your organization operates internationally, ensure your cryptographic practices comply with all applicable laws. For defense contractors, FIPS 140-2 or FIPS 140-3 validation may be required for cryptographic modules.
Key Management Lifecycle
Key management is often described as the hardest part of cryptography, and poor key management is a leading cause of cryptographic failures. Your key management procedures must address the complete lifecycle of cryptographic keys from generation through eventual destruction.
Key generation must use cryptographically secure random number generators and produce keys of appropriate length. Keys should be generated in secure environments and protected immediately upon creation. Key distribution must use secure channels — transmitting encryption keys alongside the data they protect defeats the purpose of encryption.
Key storage requires strong access controls and protection against loss or compromise. Hardware security modules provide the highest level of key protection for organizations requiring strong assurance. For most organizations, properly secured key management systems with strict access controls provide adequate protection. Never store encryption keys in plain text alongside encrypted data.
Key rotation — periodically replacing keys with new ones — limits the exposure if a key is compromised and reduces the volume of data encrypted with any single key. Define rotation schedules appropriate to the sensitivity of the information protected and the risk environment. Automated key rotation reduces operational burden and ensures consistency.
Key revocation and destruction procedures ensure that compromised or expired keys are promptly removed from use and securely destroyed. When keys are compromised, the information encrypted with those keys must be re-encrypted with new keys as quickly as possible.
Encryption Implementation
Implement encryption for data at rest across all storage media within your ISMS scope. Full disk encryption protects data on laptops, workstations, and servers against physical theft or loss. File or folder-level encryption provides additional granularity for protecting specific sensitive files. Database encryption protects structured data in database management systems. Backup encryption ensures that copies of sensitive data are protected as thoroughly as the originals.
Implement encryption for data in transit across all network communications that carry sensitive information. TLS 1.2 or 1.3 should be used for all web-based communications. VPN tunnels with strong encryption should protect remote access connections. Email encryption should be available for sensitive communications, with automatic encryption policies for messages meeting defined criteria. File transfer protocols should use encrypted channels such as SFTP rather than unencrypted alternatives like FTP.
Audit Evidence and Monitoring
During certification audits, auditors will verify that your cryptography policy exists and is appropriate, that encryption is actually implemented where required by your policy, that key management procedures are followed, that deprecated algorithms are not in use, and that certificates and keys are properly maintained. Prepare evidence including encryption configuration screenshots, key management procedure documentation, certificate inventories, and any automated compliance reports from your encryption management tools.
Monitor your cryptographic implementations for certificate expiration, key rotation compliance, use of deprecated protocols, and encryption coverage gaps. Automated monitoring tools can alert you to issues before they become security problems or audit findings.
Easy Compliances provides training on cryptographic controls implementation for ISO 27001, including practical guidance on algorithm selection, key management procedures, and encryption deployment strategies. Our compliance toolkit includes cryptography policy templates and key management procedure documentation that align with ISO 27001 requirements and current best practices.