ISO 27001:2022 Annex A Control 8.24

Abstract of Control 8.24: Use of cryptography

Cryptography is one of the core tools you rely on to secure sensitive data. Control 8.24 in ISO 27001 focuses on how you should define and implement rules for using cryptography effectively. It also ensures you manage cryptographic keys securely. By doing this, you can maintain the confidentiality, integrity, and authenticity of the information you handle, whether it is stored, transmitted, or processed. This means creating and following clear, consistent policies that meet business, regulatory, and legal requirements.

Control 8.24 attribute table (headers only): Control Type; Information Security Properties; Cybersecurity Concepts; Operational Capabilities; Security Domains.

Objective of Control 8.24

This control aims to protect your sensitive information using cryptographic techniques. It covers everything from creating robust cryptographic policies to ensuring proper key management. By following these guidelines, you can reduce risks like unauthorized access or data breaches while complying with regulations.

The Purpose Behind Cryptography

Why should you care about cryptography? Because it ensures your information remains protected in various forms. Cryptography safeguards confidentiality by encrypting data, ensures integrity with digital signatures, and confirms authenticity through secure protocols. Beyond security, cryptography helps you meet legal and contractual obligations, making it a non-negotiable element in your information security strategy.

Principles for Cryptographic Usage

Getting cryptography right means addressing several principles:

  1. Establishing a Policy: You need a clear policy that outlines how cryptography is applied in your organization. This should include:
    • Approved algorithms and cipher strengths.
    • Guidelines on where and when to use encryption.
    • Approved tools and methods.
  2. Classification of Information: Different data requires different levels of protection. Classify your information based on its sensitivity and define the cryptographic measures accordingly.
  3. Application in Devices and Networks: Cryptography must protect data across all touchpoints. For instance, use encryption on endpoint devices, on storage media, and during data transmission.
  4. Integration with Other Controls: Cryptography can impact other security measures such as content inspection or malware detection. Be sure your solutions don’t conflict.

Cryptographic Key Management

Managing cryptographic keys is as important as encryption itself. Without proper management, even the strongest cryptography fails. What to address:

  • Key Generation: Use secure methods to generate strong keys for different systems and applications.
  • Key Storage: Store keys securely to prevent unauthorized access. This includes encrypting keys at rest and controlling who can retrieve them.
  • Key Distribution: Have a defined process for distributing keys to ensure they reach the right entities without compromise.
  • Key Lifecycle Management: Set rules for when and how keys are changed, retired, and destroyed. This reduces the risk of compromised or outdated keys.
  • Compromised Keys: Define actions to take if keys are lost or compromised. Immediate revocation and replacement are non-negotiable.
  • Auditing and Logging: Track key-related activities to identify and respond to misuse or errors.
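As an added illustration (not part of the ISO text or of this page), the lifecycle rules above, rotation with a retirement window, immediate revocation on compromise, and an append-only audit trail, implemented for a set of versioned HMAC-SHA256 keys using only Python's standard library; the KeyRegistry class and the "k2:<hex>" tag format are assumptions made for this example.

```python
import hashlib, hmac, secrets

ACTIVE, RETIRED, REVOKED = "active", "retired", "revoked"  # key lifecycle states

class KeyRegistry:
    """Versioned HMAC-SHA256 keys with rotation, revocation and an audit log.
    Tags carry the key ID ("k2:<hex>") so verify() picks the right version."""

    def __init__(self):
        self.keys = {}       # key_id -> {"material": bytes, "state": str}
        self.current = None  # the only key ID allowed to produce new tags
        self.audit = []      # append-only (event, key_id) trail

    def _log(self, event, key_id):
        self.audit.append((event, key_id))

    def rotate(self):
        """Generate a fresh 256-bit key from the OS CSPRNG and make it current.
        The old key is retired: still verifies existing tags, signs nothing new."""
        if self.current is not None:
            self.keys[self.current]["state"] = RETIRED
            self._log("retire", self.current)
        key_id = f"k{len(self.keys) + 1}"
        self.keys[key_id] = {"material": secrets.token_bytes(32), "state": ACTIVE}
        self.current = key_id
        self._log("generate", key_id)
        return key_id

    def compromise(self, key_id):
        """Incident action: revoke immediately, then rotate if it was current."""
        self.keys[key_id]["state"] = REVOKED
        self._log("revoke", key_id)
        if self.current == key_id:
            self.current = None  # so rotate() does not "retire" a revoked key
            self.rotate()

    def sign(self, msg):
        tag = hmac.new(self.keys[self.current]["material"], msg, hashlib.sha256).hexdigest()
        self._log("sign", self.current)
        return f"{self.current}:{tag}"

    def verify(self, msg, token):
        key_id, _, tag = token.partition(":")
        key = self.keys.get(key_id)
        if key is None or key["state"] == REVOKED:
            self._log("reject", key_id)  # unknown or revoked key: never trusted
            return False
        expected = hmac.new(key["material"], msg, hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, tag)
        self._log("verify-ok" if ok else "verify-bad", key_id)
        return ok
```

The same pattern applies to encryption keys: a key-ID prefix on every ciphertext lets old data remain readable with a retired key while a revoked key is refused everywhere.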

Legal and Compliance Considerations

Cryptography is subject to regulatory scrutiny, and your organization must navigate these requirements carefully. This includes understanding restrictions on cryptographic techniques in different countries and addressing compliance needs for data protection laws. If your data crosses borders, ensure your cryptographic practices align with international requirements.

Applications of Cryptography

Cryptography isn’t a one-size-fits-all solution. It serves specific purposes depending on your needs:

  • Confidentiality: Encrypt sensitive data to protect it from unauthorized access during storage or transmission.
  • Integrity: Use digital signatures to verify that your information hasn’t been tampered with.
  • Authenticity: Secure communications by ensuring data is exchanged between verified parties.
  • Non-repudiation: Provide evidence of actions or transactions to prevent denial by involved parties.

Other Controls Relevant to 8.24

Related controls that complement Control 8.24:

  • Control 5.31 Regulation of Cryptographic Techniques: Covers restrictions and regulations for cryptography use.
  • Control 5.22 Third-Party Agreements: Defines cryptographic service expectations in vendor contracts.
  • Control 8.25 Secure development life-cycle: Focuses on securing data during development.

Helpful Templates

Using templates can streamline the implementation of Control 8.24. Consider these helpful resources:

  • Cryptographic Policy Template: Outlines the rules and practices for using cryptography in your organization.
  • Key Management Policy Template: Provides guidelines for managing cryptographic keys throughout their lifecycle.
  • Encryption Implementation Checklist: Ensures all encryption processes adhere to the defined policies and standards.
  • Incident Response Plan for Cryptographic Key Compromise: Helps you respond effectively to incidents involving compromised keys.
  • Vendor Agreement Template for Cryptographic Services: Covers essential clauses for working with external providers of cryptographic tools or services.