ISO 27001 - Annex A.10 – Cryptography

Dec 27, 2023by Maya G

The possibility of an entity or individual accessing this information increases because information travels in several ways through various mediums. If your data—the data you share, save, and access—is not encrypted, it is simple for anybody outside your organization to access it.

Organizations must be flexible to adapt and adopt the best information security procedures to meet legal requirements and the expectations of customers who provide sensitive data.

ISO 27001

What is Cryptography in information security?

  • Cryptography is a technique used to protect information from unauthorized access. It is a mathematical science that uses mathematical algorithms to encode and decode data. Cryptography is used in various applications, including email, file sharing, and secure communications.
  • Cryptography is an important part of information security. It is used to protect information from unauthorized access and ensure communications privacy. Cryptography is used in various applications, including email, file sharing, and secure communications.
  • Cryptography is a critical element of ISO 27001, an information security standard that provides guidance on protecting information. Cryptography is used in various applications, including email, file sharing, and secure communications.

Modern cryptography achieves the four objectives listed below:

  • Confidentiality: The data could be more comprehensible to anyone who wasn't supposed to receive it.
  • Integrity: The data cannot be altered while being stored or transported between the sender and the intended receiver without being detected.
  • Non-repudiation: It is impossible for the person who created the information to retract later or contest their motivations for creating or disseminating the data.
  • Authentication: The identities of the sender and recipient and the information's source and destination may all be verified.

In the field of information security, encryption—the transformation of plaintext into ciphertext and back again when it is received—is closely related to cryptography. The most frequent application of cryptography in data transmission is encrypting and decrypting email and other plain-text messages.

How does cryptography and encryption work together?

Cryptography and encryption are two essential security components that work together to protect data. Cryptography is the practice of secure communication in the presence of third parties. It uses mathematical algorithms to encode and decode data. Encryption is a process of transforming readable data into an unreadable format. It is used to protect information from unauthorized access.

 ISO 27001 is an international standard that specifies the requirements for an information security management system (ISMS). It includes cryptography as a control measure to protect data.

Cryptography and encryption are often used together to ensure the confidentiality, integrity, and availability of data. When used correctly, they can protect data from unauthorized access and modification.

What is Annex A.10?

Annex A.10 of the ISO 27001 standard contains the requirements for an organization's information security management system (ISMS) policies. ISO 27001 Annex A.10 is divided into four sections:

  • Policy Framework
  • Policy content
  • Policy review and update
  • Management commitment to the ISMS policy

Viewing ISO 27001 Annex A.10, an organization's ISMS policies play a vital role in the success of its information security management system.

Annex A.10 requires organizations to implement controls to protect their information assets from unauthorized access, disclosure, or destruction. The standard also requires organizations to have a process to identify, assess, and manage risks to their information assets.

Annex A.10 of the ISO/IEC 27001 standard is titled "Information security as a service". The standard defines this as "a comprehensive set of services that manage and protect an organization's information and data assets in a cost-effective and efficient manner".

The standard goes on to list a number of benefits of using such a service, including that it can:

  • Help to reduce the cost of implementation and management of an information security program
  • Help to improve the efficiency and effectiveness of the program
  • Help to provide a higher level of assurance that the program is being managed optimally.

The two controls under Annex A.10 that help your organization implement cryptography in your organization are:

  • Policy on the use of Cryptographic Controls
  • Key Management

What is the objective of Annex A.10?

Annex A.10 of the ISO 27001 standard defines the requirements for selecting and implementing security controls. The objective of this annex is to provide a framework for the identification, selection, and implementation of security controls that can be used to achieve the security objectives defined in Annex A.9.

Annex A.10 security controls are divided into three categories:

  • Physical and environmental security controls
  • Personnel security controls
  • Communications and operations security controls

Each category of security control has a different purpose and is implemented differently. To select the most appropriate security controls for your organization, you need to understand the objectives of each category and the risks that your organization faces.

ISO 27001

What are Annex A.10 cryptography controls?

Annex A.10 cryptography controls are a set of security controls designed to protect information stored or transmitted electronically. These controls are defined in the ISO/IEC 27001 standard and are intended to be used in conjunction with other security controls to create a comprehensive security program.

Annex A.10 cryptography controls are based on the principle of least privilege and require that only authorized individuals have access to cryptographic keys and that these keys are properly protected. In addition, the controls mandate the use of strong cryptography in order to protect information from unauthorized disclosure and to ensure the integrity of data.

Annex A.10 cryptography controls are an important part of any security program and should be implemented to protect information from unauthorized access and disclosure.

A.10.1.1 Policy on the use of Cryptographic Controls

Cryptographic controls are an important element of an Information Security Management System (ISMS), as specified in ISO/IEC 27001. An organization should have a policy identifying the requirements for using cryptographic controls within the ISMS.

The policy should address the following:

  • The use of cryptographic controls to protect information
  • The types of cryptographic controls that are to be used
  • The management of cryptographic keys
  • The use of cryptographic controls in communication systems
  • The use of cryptographic controls in electronic commerce
  • The use of cryptographic controls in other applications

In response to the requirements of ISO/IEC 27001, the organization shall develop and maintain a policy on using cryptographic controls. This policy shall address, as a minimum:

  1. The types of cryptographic controls to be used.
  2. The level of assurance required for each type of cryptographic control.
  3. The acceptable levels of risk for the organization.
  4. The circumstances in which cryptographic controls are to be used; and
  5. The consequences of loss or theft of cryptographic keys.

This policy shall be reviewed and approved by the organization’s management. 

A.10.1.2: Key Management

One of the most important aspects of information security is key management. This process includes the generation, storage, and distribution of keys used to encrypt and decrypt data. In order to ensure that keys are properly managed, ISO 27001 requires organizations to put in place certain controls.

The first control is the establishment of a key management policy. This policy should define the methods used to generate, store, and distribute keys. It should also establish who is responsible for each stage of the key management process.

The second control is the use of strong cryptography. Cryptography is the science of secure communications and is used to protect information from being accessed by unauthorized individuals.

The third control is the implementation of access control measures. This includes the use of physical security measures to protect keys from being stolen and logical security measures to protect keys from being copied or guessed.

The objective of key management is to ensure that only authorized individuals have access to cryptographic keys and that all keys are properly used and maintained.

The ISO/IEC 27001 standard requires that cryptographic keys are:

  • Properly generated
  • Securely distributed
  • Carefully used
  • Regularly changed
  • Properly disposed of when no longer needed

Why is Cryptography important for your organization’s information security management?

Key management is a vital part of any cryptographic system, and it is important to have a clear and well-defined key management policy.

The Annex A.10 – Cryptography standard is an important part of the ISO 27001 standards. It provides guidance on the use of cryptography to protect information.

Organizations use cryptography to protect the information in many different ways. For example, they may use it to protect data stored on devices, transmitted over networks, or in email messages.

Cryptography can also be used to verify the identity of individuals and devices. This is important for ensuring that only authorized individuals and devices can access information.

The Annex A.10 – Cryptography standard provides guidance on using cryptography to protect information. It is important for organizations to consider this guidance when implementing their information security management systems.

Conclusion:

Annex A.10 Cryptography is crucial for the implementation of ISO 27001 in your business since it enables you to showcase outstanding security practises and gives you a competitive edge.

ISO 27001