This article provides an overview of cryptography as part of ISO 27002 compliance.

The objective of cryptographic controls is to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and integrity of information.

Policy on the use of cryptographic controls

Control – a policy on the use of cryptographic controls for protection of information should be developed and implemented.

Guidelines – when developing a cryptographic policy the following should be considered:

  1. Management approach towards the use of cryptographic controls across the organisation, including the general principles under which business information should be protected;
  2. Based on a risk assessment, the required level of protection should be identified taking into account the type, strength and quality of the encryption algorithm required;
  3. The use of encryption for protection of information transported by mobile or removable media devices or across communication lines;
  4. The approach to key management, including methods to deal with the protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised or damaged keys;
  5. Roles and responsibilities, i.e. who is responsible for (1) the implementation of the policy and (2) key management, including key generation;
  6. The standards to be adopted for effective implementation throughout the organisation (which solution is used for which business processes);
  7. The impact of using encrypted information on controls that rely upon content inspection (e.g. malware detection).

When implementing the organisation’s cryptographic policy, consideration should be given to the regulatory and legal requirements that might apply to the use of cryptographic techniques in different locations, and to the issues of trans-border flow of encrypted information. Cryptographic controls can be used to achieve different information security objectives – for example:

  1. Confidentiality: using encryption of information to protect sensitive or critical information, either stored or transmitted;
  2. Integrity/authenticity: using digital signatures or message authentication codes to verify the authenticity or integrity of stored or transmitted sensitive or critical information;
  3. Non-repudiation: using cryptographic techniques to provide evidence of the occurrence or non-occurrence of an event or action;
  4. Authentication: using cryptographic techniques to authenticate users and other system entities requesting access to or transacting with system users, entities and resources.

Key management

Control – a policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle.

Guidelines – the policy should include requirements for managing cryptographic keys through their whole lifecycle, including generating, storing, archiving, retrieving, distributing, retiring and destroying keys.

Cryptographic algorithms, key lengths and usage practices should be selected according to best practice. Key management requires secure processes for generating, storing, archiving, retrieving, distributing, retiring and destroying cryptographic keys.

All cryptographic keys should be protected against modification and loss. In addition, secret and private keys need protection against unauthorized use as well as disclosure. Equipment used to generate, store and archive keys should be physically protected.

A key management system should be based on an agreed set of standards, procedures and secure methods for:

  1. Generating keys for different cryptographic systems and different applications;
  2. Issuing and obtaining public key certificates;
  3. Distributing keys to intended entities, including how keys should be activated when received;
  4. Storing keys, including how authorized users obtain access to keys;
  5. Changing or updating keys, including rules on when keys should be changed and how this will be done;
  6. Dealing with compromised keys;
  7. Revoking keys, including how keys should be withdrawn or deactivated, e.g. when keys have been compromised or when a user leaves an organisation (in which case keys should also be archived);
  8. Recovering keys that are lost or corrupted;
  9. Backing up or archiving keys;
  10. Destroying keys;
  11. Logging and auditing of key management-related activities.

In order to reduce the likelihood of improper use, activation and deactivation dates for keys should be defined so that the keys can only be used for the period of time defined in the associated key management policy.
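As an added illustration (not part of the ISO text or this article), the following Python sketch models a key registry that enforces the lifecycle rules above: key material is generated from a CSPRNG, each key carries an activation and deactivation date outside which it cannot be used, compromised or revoked keys are refused, revoked keys are archived rather than lost, and every key management action is recorded for audit. The KeyRegistry, ManagedKey and KeyState names are my own and assume nothing about any particular product.

```python
# Added example, not from the article: a key registry enforcing the lifecycle rules above.
import secrets
from dataclasses import dataclass
from datetime import datetime
from enum import Enum

class KeyState(Enum):
    ACTIVE = "active"
    COMPROMISED = "compromised"
    REVOKED = "revoked"
    DESTROYED = "destroyed"

@dataclass
class ManagedKey:
    key_id: str
    material: bytes               # replaced by None once the key is destroyed
    activate_at: datetime         # validity window, per the key management policy
    deactivate_at: datetime
    state: KeyState = KeyState.ACTIVE

class KeyRegistry:
    def __init__(self):
        self.keys, self.archive, self.audit_log = {}, {}, []

    def generate(self, key_id, activate_at, deactivate_at, actor, nbits=256):
        if deactivate_at <= activate_at:
            raise ValueError("deactivation date must follow activation date")
        material = secrets.token_bytes(nbits // 8)            # CSPRNG key material
        self.keys[key_id] = ManagedKey(key_id, material, activate_at, deactivate_at)
        self.audit_log.append((key_id, "generate", actor))   # who did what to which key

    def get_for_use(self, key_id, actor, now):
        k = self.keys[key_id]
        if k.state is not KeyState.ACTIVE:                    # compromised, revoked or destroyed
            self.audit_log.append((key_id, "use-denied:" + k.state.value, actor))
            raise PermissionError(f"{key_id} is {k.state.value}")
        if not (k.activate_at <= now < k.deactivate_at):      # outside defined validity period
            self.audit_log.append((key_id, "use-denied:outside-window", actor))
            raise PermissionError(f"{key_id} not valid at {now.isoformat()}")
        self.audit_log.append((key_id, "use", actor))
        return k.material

    def set_state(self, key_id, new_state, actor):
        k = self.keys[key_id]
        if new_state is KeyState.REVOKED:                     # withdrawn keys are archived, not lost
            self.archive[key_id] = k.material
        elif new_state is KeyState.DESTROYED:
            k.material = None
        k.state = new_state
        self.audit_log.append((key_id, "state:" + new_state.value, actor))
```

Every denied use is itself an audit event, so the log answers both "who used which key" and "who tried to use a key outside its policy".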

The contents of service level agreements or contracts with external suppliers of cryptographic services – e.g. a certification authority – should cover issues of liability, reliability of services and response times for the provision of services.

For more information please contact Morland-Austin at info@morland-austin.com.