Today we’re going to discuss Annex A.10 of the ISO 27001:2013 controls. Annex A.10 covers cryptography: the controls an organisation needs so that encryption, digital signatures and related techniques are used properly and in line with good practice. With regulation of sensitive data becoming more stringent and customers expecting it to be handled carefully, information security has to be a top priority, and cryptography is one of the main tools for delivering it.
Cryptography is used to keep information confidential, to detect whether it has been altered, and to establish who created it or who is requesting access to it. Annex A.10 has one objective, A.10.1 Cryptographic controls, met by two controls: A.10.1.1, a policy on the use of cryptographic controls, and A.10.1.2, key management.
A policy on the use of cryptographic controls to protect information should be developed and implemented (control A.10.1.1). Every organisation seeking ISO 27001 certification must therefore have a cryptographic policy in place, and it should at least say which information is to be protected, with what level of cryptographic protection, and who is responsible. Two considerations that are often overlooked when designing it are:
First, the encryption laws that apply to the organisation. Several jurisdictions restrict the import, export or use of cryptographic products, and some require that encrypted information can be made available to the authorities, so the policy has to take account of every country in which encrypted data is created, stored or transmitted. Global Partners Digital provides a resource for looking up encryption laws worldwide.
Second, what the policy is for. It exists to get the most benefit from cryptographic techniques while reducing the risks that come with them and preventing inappropriate or incorrect use: the wrong algorithm, an inadequate key length, or a sound algorithm applied in a way that does not actually protect the data. Specialist advice should be sought when selecting the controls that will satisfy the policy.
A policy on the use, protection and lifetime of cryptographic keys should be created and enforced across the whole key lifecycle (control A.10.1.2). It should set out how keys are generated, used, stored, archived, retrieved, distributed, withdrawn and destroyed, and who is allowed to do each of those things.
Cryptographic algorithms, key lengths and implementation methods should be chosen in line with current good practice, which in practice means following published recommendations rather than designing anything in-house, and reviewing the choices periodically as algorithms and key sizes weaken over time. Good key management then comes down to safe, documented procedures for generating, using, archiving, retrieving, distributing, withdrawing and destroying keys.
All cryptographic keys should be protected against modification and loss, and secret and private keys additionally against unauthorised use and disclosure. The equipment used to generate, store and archive keys should be physically protected. A key management framework should be built on an agreed set of principles, protocols and methods covering each of those lifecycle activities, from generating a key through to destroying it.
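To make that lifecycle concrete, here is an added example, written for this article rather than taken from ISO 27001, Citation Certification or any particular product, of a small in-memory key ring in Go. Data-encryption keys are generated from the system CSPRNG, stored only wrapped under a key-encryption key with AES-256-GCM, versioned so the ring can be rotated while archived versions stay retrievable for older ciphertext, and wiped on destruction. The key-encryption key held in memory stands in for an HSM or KMS, and the sample record is constructed input; both are assumptions of the example. Protection against change comes from the GCM tag: an altered wrapped key fails to unwrap instead of silently producing the wrong key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyRing keeps data-encryption keys (DEKs) only wrapped under a key-encryption key (KEK).
type KeyRing struct {
	kek     []byte            // assumption: in production the KEK lives in an HSM or KMS
	current uint32            // version used for new encryptions
	keys    map[uint32][]byte // version -> nonce || AES-256-GCM(KEK, DEK, aad=version)
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)  // keys here are always 32 bytes, so this cannot fail
	aead, _ := cipher.NewGCM(block) // nor can this for an AES block
	return aead
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

// NewKeyRing generates a random KEK and the first DEK version.
func NewKeyRing() *KeyRing {
	kr := &KeyRing{kek: mustRandom(32), keys: map[uint32][]byte{}}
	kr.Rotate()
	return kr
}

// Rotate generates a new DEK, wraps it with its version as associated data (so a blob
// cannot be moved to another slot) and makes it current; older versions stay archived.
func (kr *KeyRing) Rotate() {
	dek := mustRandom(32)
	defer clear(dek) // the plaintext DEK never outlives this function
	v, nonce := kr.current+1, mustRandom(12)
	aad := binary.BigEndian.AppendUint32(nil, v)
	kr.keys[v] = append(nonce, gcm(kr.kek).Seal(nil, nonce, dek, aad)...)
	kr.current = v
}

// aeadFor unwraps one DEK version. It fails if the version was destroyed or the
// stored blob was altered: the GCM tag is what enforces "protected against change".
func (kr *KeyRing) aeadFor(v uint32) (cipher.AEAD, error) {
	wk, ok := kr.keys[v]
	if !ok {
		return nil, fmt.Errorf("key version %d unavailable (destroyed or never issued)", v)
	}
	dek, err := gcm(kr.kek).Open(nil, wk[:12], wk[12:], binary.BigEndian.AppendUint32(nil, v))
	if err != nil {
		return nil, errors.New("wrapped key failed its integrity check")
	}
	defer clear(dek) // raw key bytes are wiped; the cipher keeps its own key schedule
	return gcm(dek), nil
}

// Encrypt seals data under the current DEK as version || nonce || ciphertext.
func (kr *KeyRing) Encrypt(plaintext []byte) ([]byte, error) {
	aead, err := kr.aeadFor(kr.current)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(12)
	return aead.Seal(append(binary.BigEndian.AppendUint32(nil, kr.current), nonce...), nonce, plaintext, nil), nil
}

// Decrypt reads the version prefix, unwraps that DEK and opens the payload.
func (kr *KeyRing) Decrypt(ct []byte) ([]byte, error) {
	if len(ct) < 16 {
		return nil, errors.New("ciphertext too short")
	}
	aead, err := kr.aeadFor(binary.BigEndian.Uint32(ct[:4]))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, ct[4:16], ct[16:], nil)
}

// Destroy wipes and removes an archived version; data still encrypted under it becomes unrecoverable.
func (kr *KeyRing) Destroy(v uint32) error {
	if v == kr.current {
		return errors.New("refusing to destroy the current key; rotate first")
	}
	clear(kr.keys[v])
	delete(kr.keys, v)
	return nil
}

func main() {
	kr := NewKeyRing()
	ct, _ := kr.Encrypt([]byte("constructed sample record")) // constructed input
	kr.Rotate()                                             // v1 is archived, v2 is current
	pt, err := kr.Decrypt(ct)                               // archived v1 still decrypts
	fmt.Printf("%q %v %v\n", pt, err, kr.Destroy(1))        // then retire v1 for good
}
```

The version prefix on each ciphertext is what makes rotation cheap: new writes use the current key, old data stays readable, and re-encryption can happen on a schedule before the old version is destroyed. Destroy refuses to remove the current version so that a key is never lost while data still depends on it, which is the "loss" half of the control. The clear builtin needs Go 1.21 or later.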
The parties involved also need to be authenticated, which can be done with public key certificates issued by a Certification Authority: an organisation with adequate controls and procedures to provide the required degree of trust in the certificates it signs. Service level agreements or contracts with external suppliers of cryptographic services, such as a Certification Authority, should cover liability, reliability of the service and response times for requests, with the same accountability the organisation expects of its own internal procedures.
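As an added illustration, not code from the page or from any CA product, of what a Certification Authority does and what a relying party has to check, the Go example below builds a throwaway root CA in memory, issues a server certificate from it, and then verifies that certificate against the trusted root, against a wrong host name, and against an empty trust store. The CA name and the host name api.example.internal are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed in-memory root CA plus one server certificate it issued.
type PKI struct {
	CA, Leaf *x509.Certificate
}

// issue signs template with signer under parent. Passing the template as its own
// parent yields a self-signed certificate, which is how the root CA is created.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI creates a root CA and issues a server certificate for host. The CA
// private key exists only inside this function and is never exported, which is
// the "adequate controls and procedures" requirement in miniature.
func BuildPKI(host string) (*PKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"}, // hypothetical
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLenZero:        true, // may issue end-entity certificates only, no sub-CAs
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // verifiers match the SAN, not the CN
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.AddDate(0, 3, 0), // short-lived: renew on a schedule
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &PKI{CA: ca, Leaf: leaf}, nil
}

// Verify does what a relying party must: chain to a trusted root, check the name
// of the peer being authenticated, and require the right extended key usage.
func Verify(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	pki, err := BuildPKI("api.example.internal") // hypothetical host name
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(pki.CA)
	fmt.Println("trusted CA, right name:", Verify(pki.Leaf, trusted, "api.example.internal"))
	fmt.Println("trusted CA, wrong name:", Verify(pki.Leaf, trusted, "evil.example.internal"))
	fmt.Println("unknown CA:", Verify(pki.Leaf, x509.NewCertPool(), "api.example.internal"))
}
```

The failing cases matter as much as the passing one: a certificate is only as trustworthy as the root it chains to, and a chain check without a name check lets any certificate from that CA impersonate any host. Expiry, revocation and the storage of the CA's signing key are the procedural controls the paragraph above refers to, and they sit outside this snippet.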
For more guidance and support on understanding Annex A.10 and achieving ISO 27001 certification, contact Citation Certification today. We provide comprehensive support and training to help your organisation meet the requirements and achieve compliance with ISO 27001.