    ISO 27001 & ISO 22301 Blog

    How to use cryptography according to ISO 27001 control A.10

    Today, information travels constantly from one part of the world to another through email, online transactions, USB flash drives, and external hard drives. Outside the facilities of the organization, the information passes through many places, such as ISP servers, routers, switches, external suppliers, carriers and more, before arriving at its final destination. Have you ever thought that this information could be accessible to people outside your organization? Take care – if you want to be protected from unauthorized access, you need to encrypt the information!

    To clarify who should do what, and how, a policy for the use of cryptographic controls can help you a lot. So, in order to keep the “steering wheel in your hands”, the cryptographic policy should consider several points. Let me show you what to take care of while setting up the policy.

    When to use cryptographic controls

    Cryptographic controls should be used whenever it is necessary to protect confidential information against unauthorized access. Cryptography is the science of writing in secret code, while encryption is the specific mechanism that converts the information into a different code that is understandable only to those who know the encryption/decryption mechanism.

    Therefore, some examples where we could use cryptographic controls include:

    • You have a device with confidential information (external hard drive, flash drive, laptop, etc.) and it goes outside the organization.
    • You want to send an email with confidential information.
    • You have a file server with a folder to which all employees have access, but one (or more) of the files contain confidential information.
    • You have a public website that users can access by entering username/password (in this case, the password is sensitive information which, if not travelling on a secure channel, could be disclosed).
    • You have a website from which you offer e-commerce and have a payment gateway.
    • Your employees connect to the corporate network from home to access corporate resources.

    Keys and certificates

    There are many encryption algorithms; AES is one of the most well-known and strong (from the point of view of cryptanalysis). Therefore, the expert in cryptography needs to define not only the policy of what controls to apply, but also the encryption algorithm (within AES there are also different options: AES128, AES256, etc.). This encryption algorithm does not have to be the same for all situations, although using the same one whenever possible is recommended.

    On the other hand, to encrypt the information, a key is generally needed. When the key for encrypting and decrypting is the same, we have a model of symmetric cryptography; when they are different, we have a model of asymmetric cryptography. In both cases, the mechanism for securely storing keys needs to be established (for example, in a place where only authorized persons have access).

    Cryptographic controls and risk assessment

    We must not forget that the implementation of security controls, including cryptographic controls, has to be based on the results of the risk analysis. Therefore, the information protection level required should be identified by taking into account the time, complexity and quality of the required encryption algorithm.

    There are many options for the implementation of cryptographic controls:

    • Software tools to encrypt the entire contents or parts (files, folders, etc.) of hard disks (it can be used to protect confidential information in information systems). These software tools can also be used to protect confidential information stored on removable devices that can go out of the organization (hard drives, USB flash drives, etc.).
    • Software tools to encrypt the information in emails (the original email protocol is not secure).
    • Encryption for critical web transactions (e-commerce, access to critical information about the business in the website, etc.).
    • Encryption for external connections to the corporate network (teleworking, remote access, etc.).

    By the way, in some countries there are regulations and restrictions regarding the use of cryptographic controls, which must be considered when developing the policy on the use of cryptographic controls. If you want to know the regulations that exist around the world, you can consult this article: Laws and regulations on information security and business continuity.

    Unencrypted information can ruin your business

    I often meet companies in which employees, or even managers or senior executives, have confidential business information on USB flash drives. A question needs to be asked: “Have you ever thought what can occur if these pen drives are lost or stolen and competing companies obtain this information?” The answer is that your company can start to lose money, or even close its doors if the disclosed information was very critical. To avoid this, the solution is simple: protect the information by establishing cryptographic controls when the information goes outside the boundaries of the organization.

    To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses, sign up for a 30-day free trial of Conformio, the leading ISO 27001 compliance software.

    Antonio Jose Segovia
    Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.