How to use cryptography according to ISO 27001 control A.8.24

Updated: December 28, 2022, according to the ISO 27001:2022 revision.

Today, information travels constantly from one part of the world to another through email, online transactions, USB flash drives, and external hard drives. Outside the facilities of an organization, information can be found in many places, such as ISP servers, routers, switches, external suppliers, carriers, and more, before arriving at its final destination. Have you ever thought that this information could be accessible to people outside your organization? Take care — if you want to be protected from unauthorized access, you need to encrypt your information!

To clarify who should do what, and how, a policy on the use of cryptographic controls can help you a lot. So, in order to “take control of the wheel,” a cryptographic policy considers several points. Let me show you what to take care of while setting up the policy.

In ISO 27001, cryptographic control A.8.24 covers the definition of rules for:
  • Use of cryptographic solutions
  • Use and protection of cryptographic keys for as long as they are used

Basic concepts of cryptography

To better understand how to use cryptography, it is important to know some concepts:

  • Cryptography: the science of protecting information with secret codes so that only the sender and intended recipient of a message can understand its content (and, more broadly, can verify that it has not been altered).
  • Encryption: the specific mechanism to convert readable information (known as plaintext) into a format (ciphertext) that is useless unless it is decrypted.
  • Decryption: the specific mechanism to convert ciphertext back to plaintext.
  • Cryptographic key: a string of bits, usually presented as a long string of characters, used with the encryption and/or decryption mechanism to convert information from plaintext to ciphertext, or vice versa.

What are cryptographic devices?

Encryption mechanisms can be software-based (i.e., a program that depends on a general-purpose computer to be executed) or hardware-based. In the latter case, it is implemented in dedicated hardware (e.g., a hardware security module (HSM), a smart card, or a self-encrypting drive), and is known as a cryptographic device.

What is a cryptographic key?

A cryptographic key is information, often in the form of a long string of numbers and letters, that can be put through an algorithm to change data into something unrecognizable (encryption). This key can later be used to decipher that data and return it to its original state (decryption).

What are the types of cryptographic methods?

A method refers to how keys and mechanisms interact. In this matter, there are two types:

  1. Encryption and decryption use the same secret key, which sender and recipient must both hold (a method known as symmetric cryptography).
  2. Encryption and decryption use different, but mathematically related, keys: a public key that anyone can use to encrypt, and a private key held only by the recipient to decrypt (known as asymmetric cryptography).

What are cryptography controls?

The term cryptographic controls in ISO 27001 refers to any security measures that use cryptography to protect information: most commonly encryption and subsequent decryption to preserve confidentiality, but also hashes and digital signatures to protect integrity and authenticity.

How is encryption done?

At a high level, the encryption process works like this:

  • The encryption mechanism (the algorithm) is a fixed, publicly known set of transformations performed over the information (e.g., substituting one byte for another, moving bytes to other positions, mixing them with key material), repeated over a number of rounds.
  • The cryptographic key is the secret parameter that controls those transformations: the same algorithm applied with a different key produces completely different ciphertext, and without the key the output cannot be reversed.

So, when you input the information in plaintext together with the cryptographic key, the encryption mechanism performs the transformations, creating the ciphertext. Because the algorithm itself is public (and should be, so it can be reviewed), the secrecy of the information rests entirely on the secrecy of the key.

In the decryption process, the transformations are performed in the reverse sequence, using the same key (symmetric cryptography) or the matching private key (asymmetric cryptography), generating the original plaintext.

What makes a good cryptographic solution, and is the cryptographic key important?

The robustness of a cryptographic solution resides in:

  • The proper construction of the encryption/decryption mechanisms: a flawed design or implementation (a weak algorithm, an unsuitable mode of operation, a reused nonce, a faulty random number generator) can allow information to be inferred from the ciphertext even when the key is secret.
  • The protection of the confidentiality of the cryptographic keys: since the algorithm is public, anyone who obtains the key can decrypt everything protected with it, compromising the information.

That is why extreme care is needed both when developing or choosing the encryption and decryption mechanisms (prefer standardized, publicly reviewed algorithms and vetted implementations) and when generating, using, and storing cryptographic keys.

When to use cryptographic solutions

Cryptographic solutions should be used whenever the risk assessment shows that information needs protection against unauthorized access, whether it is stored or in transit.

Therefore, some examples where we could use cryptographic solutions include:

  • You have a device with confidential information (external hard drive, flash drive, laptop, etc.), and it goes outside the organization.
  • You want to send an email with confidential information.
  • You have a file server with a folder to which all employees have access, but one (or more) of the files contains confidential information.
  • You have a public website that users can access by entering their username/password (in this case, the password is sensitive information which, if not traveling over a secure channel such as HTTPS/TLS, could be disclosed).
  • You have a website from which you offer e-commerce and have a payment gateway.
  • Your employees connect to the corporate network from home to access corporate resources.


What is the current encryption standard?

In terms of encryption algorithms, AES (Advanced Encryption Standard) is the current standard for symmetric encryption and, with an adequate key size and a sound mode of operation, has no known practical attacks. Its limitation is that it is symmetric: every party that needs to read the data must hold the same secret key, which becomes a key-distribution problem when several users need to exchange sensitive information.

To avoid the risks of sharing a secret key, asymmetric algorithms such as RSA (named after its creators Rivest, Shamir and Adleman) are the usual complement. Each user has a public key that anyone can use to encrypt and a private key that only they hold to decrypt; this is the basis of a public key infrastructure (PKI). The cost is speed: RSA is orders of magnitude slower than AES and can only encrypt short messages, so in practice it is used to encrypt (wrap) a random AES key while AES protects the data itself. This combination is known as hybrid encryption.
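The following is an added example, not code from this article or from Advisera. It ties together the section on how encryption is done (a fixed public algorithm whose output is controlled by the key, and whose decryption fails if the key is wrong or the ciphertext is altered) and the AES/RSA discussion above: a random AES-GCM key encrypts the data and RSA-OAEP encrypts that key for the recipient, which is how the two are combined in practice. It uses only the Go standard library; the type and function names (Envelope, newGCM, Seal, Open), the sample message, and the policy check limiting key sizes to AES-128 and AES-256 are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is the output of hybrid encryption: the data is protected with AES-GCM
// under a random one-time data-encryption key (DEK), and the DEK itself is
// encrypted ("wrapped") with the recipient's RSA public key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the DEK; only the private key opens it
	Nonce      []byte // GCM nonce; must never repeat under the same key
	Ciphertext []byte // AES-GCM output: encrypted data plus a 16-byte authentication tag
}

// newGCM builds an AES-GCM cipher. The key length selects the AES variant
// (16 bytes = AES-128, 32 bytes = AES-256): the "key size" choice a policy must make.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects anything but 16/24/32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aesGCMEncrypt: same public algorithm for everyone; the key alone decides the output.
func aesGCMEncrypt(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil // Seal appends the auth tag
}

// aesGCMDecrypt returns an error, never garbage, if the key is wrong or a single
// bit of the nonce or ciphertext was altered in transit.
func aesGCMDecrypt(key, nonce, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// Seal encrypts plaintext for the holder of pub with a fresh DEK per message.
// aesKeyLen is the key size allowed by the (hypothetical) encryption policy.
func Seal(pub *rsa.PublicKey, plaintext []byte, aesKeyLen int) (*Envelope, error) {
	if aesKeyLen != 16 && aesKeyLen != 32 {
		return nil, errors.New("policy allows only AES-128 (16-byte) or AES-256 (32-byte) keys")
	}
	dek := make([]byte, aesKeyLen)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	nonce, ct, err := aesGCMEncrypt(dek, plaintext)
	if err != nil {
		return nil, err
	}
	// RSA-OAEP can only encrypt a few hundred bytes and is slow, so it carries
	// the DEK rather than the data. Anyone with pub can seal; only priv can open.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal; a wrong private key or a modified envelope yields an error.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aesGCMDecrypt(dek, env.Nonce, env.Ciphertext)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)       // recipient's key pair
	msg := []byte("Q3 acquisition plan - CONFIDENTIAL") // constructed sample data
	env, _ := Seal(&priv.PublicKey, msg, 32)
	pt, err := Open(priv, env)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	env.Ciphertext[0] ^= 0x01 // flip one bit "in transit"
	_, err = Open(priv, env)
	fmt.Println("after tampering:", err) // cipher: message authentication failed
}
```

Two points worth noticing when reading it: the DEK never leaves the process unencrypted, so the only secret that has to be protected long-term is the recipient's RSA private key (which is what the key-management part of the policy is about); and GCM's authentication tag means a flipped bit or a wrong key is reported as an error rather than silently producing corrupted plaintext, which is the behaviour to demand from any encryption tool the policy approves.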

What is ISO 27001 encryption, and what do cryptographic controls refer to?

In ISO 27001, use of cryptography refers to a set of security practices to be used with the objective of ensuring proper and effective use of cryptography to protect information, according to perceived risks, either when it is at rest or during communication. They cover the definition of rules for:

  • Use of cryptographic solutions, i.e., which algorithms, key sizes and modes of operation need to be used, in which situations, etc.; e.g., within AES there are different options related to key size (AES-128, AES-192, AES-256).
  • Use and protection of cryptographic keys for as long as they are used, i.e., when keys need to be created, by whom, where they need to be stored, etc.

Many people ask if ISO 27001 requires encryption at rest. It does not: encryption at rest is not mandatory, even when the control is applicable. It needs to be considered, and applied (or not) based on the results of the risk assessment.

Encryption policy according to ISO 27001

An Encryption policy that is compliant with ISO 27001 could include the following elements:

  • Who is responsible for defining which algorithms to use.
  • Who defines key sizes, and under which criteria.
  • What are the methods of protection of cryptographic keys.
  • Who defines where the cryptographic keys are stored.
  • What is the allowed use of cryptographic keys.
  • How and when keys are rotated, revoked, and destroyed.
  • How all the records related to cryptographic controls are stored.

Cryptographic controls and risk assessment

We must not forget that the implementation of security controls, including the encryption policy, has to be based on the results of the risk assessment. Therefore, the required protection level should be identified by considering how long the information must remain protected, the capability of the threats identified, and the strength (algorithm, key size, and mode of operation) of the encryption needed to meet that requirement.

There are many options for the implementation of cryptographic controls considered in an encryption policy:

  • Software tools to encrypt the entire contents or parts (files, folders, etc.) of hard disks, which can be used to protect confidential information in information systems. These software tools can also be used to protect confidential information stored on removable devices that can go outside of the organization (hard drives, USB flash drives, etc.).
  • Software tools to encrypt the information in emails (when the original protocol of the email is not secure).
  • Encryption for critical web transactions (e-commerce, access to critical information about the business on the website, etc.).
  • Encryption for external connections to the corporate network (teleworking, remote access, etc.).

By the way, in some countries there are regulations and restrictions regarding the use of encryption controls, which must be considered when developing an encryption policy. If you want to know the regulations that exist around the world, you can consult this article: Laws and regulations on information security and business continuity by country.

Un-encrypted information can ruin your business

I often meet companies in which employees, or even managers or senior executives, carry confidential business information on USB flash drives. A question needs to be asked: “Have you ever thought what can occur if these pen drives are lost or stolen and competing companies obtain this information?” The answer is that your company can start to lose money, or even have to close its doors if the disclosed information is critical enough. To avoid this, the solution is simple: protect the information by establishing cryptographic controls whenever it leaves the boundaries of the organization.

To learn how to become compliant with every clause and control from Annex A, and to get all the required policies and procedures for controls and clauses, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.

Author
Antonio Jose Segovia
Antonio Jose Segovia is an IT engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.
Contributor
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.