
The ISO 27001 & ISO 22301 Blog

Antonio Jose Segovia

How to use cryptography according to ISO 27001 control A.10

Today, information travels constantly from one part of the world to another through email, online transactions, USB flash drives, and external hard drives. Outside the facilities of the organization, the information passes through many places, such as ISP servers, routers, switches, external suppliers, carriers and more, before arriving at its final destination. Have you ever thought that this information could be accessible to people outside your organization? Take care – if you want to be protected from unauthorized access, you need to encrypt the information!

To clarify who should do what, and how, a policy for the use of cryptographic controls can help you a lot. So, in order to keep the “steering wheel in your hands”, a cryptographic policy should address several points. Let me show you what to take care of while setting up the policy.

When to use cryptographic controls


Cryptographic controls should be used whenever it is necessary to protect confidential information against unauthorized access. Cryptography is the science of writing in secret code, while encryption is the specific mechanism that converts information into a different code that is understandable only to those who know the encryption/decryption mechanism.

Therefore, some examples where we could use cryptographic controls include:

  • You have a device with confidential information (external hard drive, flash drive, laptop, etc.) and it goes outside the organization.
  • You want to send an email with confidential information.
  • You have a file server with a folder to which all employees have access, but one (or more) of the files contain confidential information.
  • You have a public website that users can access by entering username/password (in this case, the password is sensitive information which, if not travelling on a secure channel, could be disclosed).
  • You have a website from which you offer e-commerce and have a payment gateway.
  • Your employees connect to the corporate network from home to access corporate resources.

Keys and certificates

There are many encryption algorithms; AES is one of the most well-known and strongest (from the point of view of cryptanalysis). Therefore, the cryptography expert needs to define not only the policy of which controls to apply, but also the encryption algorithm (within AES there are also different options, such as AES128 and AES256). The encryption algorithm does not have to be the same for all situations, although using the same one whenever possible is recommended.

On the other hand, to encrypt the information, a key is generally needed. When the key for encrypting and decrypting is the same, we have a model of symmetric cryptography; when the keys are different, we have a model of asymmetric cryptography. In both cases, a mechanism for securely storing the keys needs to be established (for example, in a place to which only authorized persons have access).

Cryptographic controls and risk assessment

We must not forget that the implementation of security controls, including cryptographic controls, has to be based on the results of the risk analysis. Therefore, the required level of protection for the information should be identified, taking into account the time, complexity and quality of the encryption algorithm needed to achieve it.

There are many options for the implementation of cryptographic controls:

  • Software tools to encrypt the entire contents or parts (files, folders, etc.) of hard disks (these can be used to protect confidential information in information systems). These software tools can also be used to protect confidential information stored on removable devices that can leave the organization (hard drives, USB flash drives, etc.).
  • Software tools to encrypt the information in emails (the original email protocol is not secure).
  • Encryption for critical web transactions (e-commerce, access to critical information about the business in the website, etc.).
  • Encryption for external connections to the corporate network (teleworking, remote access, etc.).

By the way, in some countries there are regulations and restrictions regarding the use of cryptographic controls, which must be considered when developing a policy on the use of cryptographic controls. If you want to know the regulations that exist around the world, you can consult the article Laws and regulations on information security and business continuity.

Unencrypted information can ruin your business

I often meet companies in which employees, or even managers or senior executives, have confidential business information on USB flash drives. A question needs to be asked: “Have you ever thought what can occur if these pen drives are lost or stolen and competing companies obtain this information?” The answer is that your company can start to lose money, or even close its doors if the disclosed information was very critical. To avoid this, the solution is simple: protect the information by establishing cryptographic controls for when the information goes outside the boundaries of the organization.

If you would like to learn more about ISO 27001 and its requirements, use our free ISO 27001 Foundations Online Course.
