How to use cryptography according to ISO 27001 control A.8.24

Updated: December 28, 2022, according to the ISO 27001:2022 revision.

Today, information travels constantly from one part of the world to another through email, online transactions, USB flash drives, and external hard drives. Outside the facilities of the organization, the information passes through many places, such as ISP servers, routers, switches, external suppliers, carriers and more, before arriving at its final destination. Have you ever thought that this information could be accessible to people outside your organization? Take care—if you want to be protected from unauthorized access, you need to encrypt the information!

To clarify who should do what, and how, a cryptographic controls policy can help you a lot. So, in order to keep the “steering wheel in your hands,” a cryptographic policy considers several points. Let me show you what to take care of while setting up the policy.

In ISO 27001, cryptographic control A.8.24 covers the definition of rules for:
  • use of cryptographic solutions
  • use and protection of cryptographic keys for as long as they are used

Basic concepts of cryptography

To better understand how to use cryptography, it is important to know some concepts:

  • cryptography: it is the science of writing in secret code so that only the sender and intended recipient of a message can understand its content.
  • encryption: it is the specific mechanism to convert usable information (known as plain text) into a format that is useless if not decrypted.
  • decryption: it is the specific mechanism to convert ciphertext to plain text.
  • cryptographic key: it is a string of characters used with encryption and/or decryption mechanisms to convert information from plain text to ciphertext or vice versa.

What are cryptographic devices?

Encryption mechanisms can be software-based (i.e., a program that depends on a computer to be executed) or hardware-based. In this last case, it is implemented in dedicated hardware, and is known as a cryptographic device.

What are the types of cryptographic methods?

A method refers to how keys and mechanisms interact. In this matter, there are two types: methods that use the same cryptographic key for encryption and decryption (known as symmetric cryptography), and methods that use different, but related, keys for encryption and decryption (known as asymmetric cryptography).

How is encryption done?

The encryption process is quite simple:

  • The encryption mechanism is a set of functions to be performed over the information (e.g., change a character for another, move a character to another position, etc.).
  • The cryptographic key defines which functions need to be performed, in which order, and the number of times.

So, when you input the information in plain text and use the cryptographic key, the encryption mechanism performs the information transformations, creating the ciphertext.

In the decryption process, the information transformations are performed in the reverse sequence, generating the original plain text.

What makes a good cryptographic solution, and is the cryptographic key important?

The robustness of a cryptographic solution resides:

  • in the proper construction of the encryption/decryption mechanisms: a flawed design/implementation of a mechanism can allow information to be inferred from the ciphertext.
  • in the protection of the confidentiality of the cryptographic keys: anyone who has access to the cryptographic keys being used by the mechanism can perform the functions, compromising information.

So, that’s the importance of taking extreme care when developing/choosing the encryption and decryption mechanisms, and using and storing cryptographic keys.

When to use cryptographic solutions?

Cryptographic solutions should be used whenever it is necessary to protect confidential information against unauthorized access.

Therefore, some examples where we could use cryptographic solutions include:

  • You have a device with confidential information (external hard drive, flash drive, laptop, etc.) and it goes outside the organization.
  • You want to send an email with confidential information.
  • You have a file server with a folder to which all employees have access, but one (or more) of the files contain confidential information.
  • You have a public website that users can access by entering username/password (in this case, the password is sensitive information which, if not travelling on a secure channel, could be disclosed).
  • You have a website from which you offer e-commerce and have a payment gateway.
  • Your employees connect to the corporate network from home to access corporate resources.

What is the current encryption standard?

In terms of encryption algorithms, AES (Advanced Encryption Standard) is currently the most secure encryption available. Its weakness is the fact that users share the same encryption key, which brings a relevant risk when several users need to exchange sensitive information.

To avoid the risks related to key sharing, the RSA algorithm (a method named after its creators Rivest, Shamir, and Adleman) is the current alternative choice. Its Public Key Infrastructure approach increases security when several users need to exchange sensitive information, at the cost of processing speed.
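As an added example (not code from the article or from Advisera), the following Go program shows the mechanics the two sections above describe: AES turns plain text into ciphertext under a key and reverses the transformation under the same key, and, because sharing that key is the weakness the article names, the key itself is wrapped for the recipient with RSA so that only the holder of the private key can recover it. The recipient's key pair and the plaintext are constructed for the example; the key-length parameter is the AES-128/AES-256 choice a cryptographic policy has to make. AES is used here in GCM mode, which additionally rejects a wrong key or a modified ciphertext instead of returning garbage, a property the article does not discuss.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newSymmetricKey draws a random AES key: 16 bytes selects AES-128, 32 bytes AES-256.
func newSymmetricKey(keyBytes int) ([]byte, error) {
	key := make([]byte, keyBytes)
	_, err := rand.Read(key)
	return key, err
}

// encryptAESGCM turns plaintext into nonce || ciphertext || authentication tag.
func encryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAESGCM reverses the transformation; a wrong key or a modified ciphertext fails the tag check.
func decryptAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// wrapKeyRSA encrypts the AES key under the recipient's public key (RSA-OAEP), so it never travels in the clear.
func wrapKeyRSA(pub *rsa.PublicKey, aesKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
}

// unwrapKeyRSA recovers the AES key; only the holder of the private key can do this.
func unwrapKeyRSA(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// hybridRoundTrip is the full exchange: bulk data under AES, the AES key under RSA. Returns what the recipient recovers.
func hybridRoundTrip(plaintext []byte, keyBytes int) ([]byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // hypothetical recipient's key pair
	if err != nil {
		return nil, err
	}
	aesKey, err := newSymmetricKey(keyBytes)
	if err != nil {
		return nil, err
	}
	sealed, err := encryptAESGCM(aesKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := wrapKeyRSA(&priv.PublicKey, aesKey)
	if err != nil {
		return nil, err
	}
	// Recipient side: unwrap the key, then decrypt the data.
	recovered, err := unwrapKeyRSA(priv, wrapped)
	if err != nil {
		return nil, err
	}
	return decryptAESGCM(recovered, sealed)
}

func main() {
	out, err := hybridRoundTrip([]byte("Q3 acquisition plan - CONFIDENTIAL"), 32) // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", out)
}
```

The AES key is what the two parties share, and RSA only moves it safely; the asset a policy's key-protection rules must guard is therefore the recipient's private key, because anyone holding it can unwrap every key sent to that recipient.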

What is cryptography in ISO 27001, and what do cryptographic controls refer to?

In ISO 27001, use of cryptography refers to a set of security practices with the objective of ensuring proper and effective use of cryptography to protect information, according to perceived risks, either when it is at rest or during communication. They cover the definition of rules for:

  • use of cryptographic solutions, i.e., which algorithms and key sizes need to be used, in which situations, etc.; e.g., within AES, there are also different options related to key size (AES128, AES256, etc.).
  • use and protection of cryptographic keys for as long as they are used, i.e., when keys need to be created, by whom, where they need to be stored, etc.

Many people ask if ISO 27001 requires encryption at rest. Encryption at rest is not mandatory when the control is applicable. It only needs to be considered.

Cryptographic controls and risk assessment

We must not forget that the implementation of security controls, including the encryption policy, has to be based on the results of the risk analysis. Therefore, the information protection level required should be identified by taking into account the time, complexity and quality of the required encryption algorithm.

There are many options for the implementation of cryptographic controls considered in an encryption policy:

  • Software tools to encrypt the entire contents or parts (files, folders, etc.) of hard disks (it can be used to protect confidential information in information systems). These software tools can also be used to protect confidential information stored on removable devices that can go out of the organization (hard drives, USB flash drives, etc.).
  • Software tools to encrypt the information in emails (the original protocol of the email is not secure).
  • Encryption for critical web transactions (e-commerce, access to critical information about the business in the website, etc.).
  • Encryption for external connections to the corporate network (teleworking, remote access, etc.).

By the way, in some countries there are regulations and restrictions regarding the use of cryptographic controls, which must be considered when developing an encryption policy. If you want to know the regulations that exist around the world, you can consult this article: Laws and regulations on information security and business continuity by country.

Un-encrypted information can ruin your business

I often meet companies in which employees, or even managers or senior executives, have confidential business information on USB flash drives. A question needs to be asked: “Have you ever thought what can occur if these pen drives are lost or stolen and competing companies obtain this information?” The answer is that your company can start to lose money, or even close its doors if the disclosed information was very critical. To avoid this, the solution is simple: protect the information by establishing cryptographic controls when the information goes out of the boundaries of the organization.

To learn how to become compliant with every clause and control from Annex A, and to get all the required policies and procedures for controls and clauses, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.

Author
Antonio Jose Segovia
Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.
Contributor
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.