The basics
Control A.8.24 Use of cryptography requires companies to define and implement rules for the use of encryption to ensure such technologies are used properly and according to applicable laws and regulations.
Documentation
ISO 27001 control A.8.24 Use of cryptography can be documented by writing a Policy on the Use of Encryption.
This policy is not a mandatory document but is recommended for all companies.
Implementation
In order to comply with control A.8.24 Use of cryptography, you might implement the following:
- Technology — the technology to enable the use of cryptography could include software (e.g., digital certificates, tools for disk encryption, and tools for protecting communication channels, such as SSL and VPN) and hardware (e.g., cryptographic appliances for dedicated storage or backup of encryption keys, and cryptographic tokens for user authentication). Small companies will probably be able to use cryptography by installing encryption solutions on computers, mobile devices, servers, and applications, while bigger companies may use centralized software to manage encryption keys.
- Organization/processes — you should set up a process for defining rules for the use of encryption, ensuring that adopted technologies are compliant with applicable laws and regulations. You can document those processes through a Policy on the Use of Encryption.
- People — make employees aware of why protecting stored and communicated data is needed, and train them on how to use encryption tools.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.24 Use of cryptography: whether rules for the effective use of cryptography, and for the management of cryptographic keys, are defined and implemented.