ISO27001 Annex A.10 - Cryptography

Annex A.10 - Cryptography

The fifth control objective in the Annex A controls of ISO/IEC 27001 is to use cryptography to protect the confidentiality and integrity of information. Cryptography is the practice of using mathematical algorithms to encode and decode data in order to protect it from unauthorised access and tampering.

To meet this control objective, you can take the following steps:

  1. Identify the information that needs protection: Determine which information in your organisation needs to be protected and the level of protection required. This will help you to determine which cryptographic methods will be most appropriate.
  2. Select appropriate cryptographic methods: Choose cryptographic methods that are appropriate for the level of protection required. Examples include encryption, digital signatures, and hash functions.
  3. Implement the cryptographic methods: Implement the chosen cryptographic methods by following established standards and guidelines. This could include configuring encryption settings, installing software to perform encryption, or developing custom encryption software.
  4. Manage cryptographic keys: Manage and protect the cryptographic keys used to encrypt and decrypt the information. This includes generating, storing, distributing, and revoking keys as needed.
  5. Test the cryptographic methods: Test the cryptographic methods to ensure they are working as intended. This could include penetration testing, vulnerability scanning, or other types of security testing.
  6. Keep the cryptographic method up to date: Cryptographic methods and algorithms can be broken or become weaker over time, it is crucial to monitor for new weaknesses, and update the methods and algorithms accordingly.
  7. Review the cryptographic methods: Review the cryptographic methods regularly to ensure they are still effective and appropriate for the level of protection required.
  8. Document the process: Document the process of implementing and managing cryptography, including the methods used, the keys used and the process of key management.

It's important to keep in mind that cryptography is one of many control in information security, and it should be integrated with other controls and procedures, such as access control and incident management.

More from our security wiki

Continuous learning for your organisation, our knowledge base to help you grow

Cyber Essentials Self Assessment: Password-Based Authentication
This security wiki provides guidelines for implementing password-based authentication practices within your organisation. Follow these recommendations to enhance the security of user accounts and protect against unauthorised access.
Cyber Essentials Self Assessment: Administrative Accounts
This security wiki provides guidelines for the proper management and control of administrative accounts within your organisation. Follow these recommendations to establish secure administrative account practices.
Cyber Essentials Self Assessment: Malware Protection
This security wiki provides guidelines for implementing malware protection measures across your organisation's devices. Follow these recommendations to safeguard your desktop computers, laptops, tablets, and mobile phones from malware threats.
Cyber Essentials Self Assessment: Security Update Management
This security wiki provides guidelines for effective security update management to ensure that your organisation's devices and software remain protected against known vulnerabilities. Follow the recommendations below to establish a robust security update management process.
Cyber Essentials Self Assessment: Device Locking
This security wiki provides guidelines for implementing device locking mechanisms to enhance the security of your organisation's devices. Follow the recommendations below to protect against unauthorised access to software and services.
Cyber Essentials Self Assessment: Secure Configuration
This security wiki provides guidelines for achieving secure configuration of devices and services within your organisation. Follow the recommendations below to minimise potential vulnerabilities and enhance the overall security posture.
Now we're partners, you have unlocked:
Threat reports
1 Vuln scan
Security Wiki
Templates
Cyber Essentials logoCyber Essentials logo
©Periculo
Your Security Partner