ISO 27001 Controls: What is Annex A:10?

crop man with paper roller reading data

Today we’re going to discuss Annex 10 of the ISO 27001:2013 Controls. Annex 10 is all about Cryptography controls and it’s implementation, to ensure that an organisation is using the best practices of cyber security. In order to meet increasingly stringent government regulations and exceed the expectations of customers that are handing over their sensitive data, it’s essential that organisations make information security a top priority.

iso 27001 certification by best practice

What is Cryptography?

Cryptography is a technique used to share confidential information. It’s the only intention is to identify the user and share the information needed. ISO 27001 Annex: A 10 Cryptography in this blog defines Cryptographic controls, Policy on the Utilization of Cryptographic Controls and Key Management.

A.10.1.1 Policy on the Utilization of Cryptographic Controls

A policy on the use of cryptographic controls to secure information should be developed and implemented.

Each organization looking to achieve ISO 27001, must implement Cryptographic policy. Below are the needs to consider while designing this policy:

  1. Training to the relevant users on how to protect the general information and use of Cryptographic controls.
  2. A risk assessment procedure- It must includes necessary calculations in relation to quality, strength and type of encryption algorithm.
  3. Usage of encryption to secure information transported by mobile or portable media devices.
  4. Build Strategies for the security of encryption keys.
  5. Roles and responsibilities
     Implementing policy
    – key management including quality generation;
  6. Abide with the encryption laws.

Many organizations ignored the fact, what type of encryption laws will be applicable to them. As per Global Partners Digital, they have created a perfect place to find the encrypted laws around the globe.

 A policy on the use of cryptographic controls is important to optimize the benefits and reduce the risks associated with the use of cryptographic techniques and to prevent inappropriate or incorrect use. Expert consultations shoud be considered while meeting the controls of this policy.

Get Your Free ISO Gap Analysis Checklist

black and silver laptop computer on brown wooden table

A.10.1.2 Key Management

A policy on the use, security, and lifetime of cryptographic keys should be created and enforced over their entire life cycle.

The policy should provide criteria for handling cryptographic keys over their entire life cycle, including generating, processing, archiving, retrieving, transmitting, removing, and destroying keys.

Cryptographic algorithms, primary lengths, and implementation methods should be chosen in line with best practice. Appropriate key management includes safe processes for generating, processing, archiving, retrieving, transmitting, removing and destroying cryptographic keys.

All cryptographic keys should be safe against change and loss. The equipment used for generating, processing, and archiving keys should be physically secured. A key management framework should be based on an agreed set of principles, protocols, and appropriate methods for:

  1. Generate keys for various cryptographic schemes and applications;
  2. Issuing and receiving a public key certificate;
  3. Distribute key to intended entities with the activation of the keys on receiving;
  4. Storing keys, including how approved users can access them;
  5. Adjust or upgrade keys;
  6. Addressing missing keys;
  7. Revoking keys, and how keys can be deleted or disabled;
  8. Recovery of keys that are missing or corrupted;
  9. Backup or archiving keys;
  10. Destroying keys;
  11. Logging and auditing of key management activities.

The organization must run the authentication process that may be carried out using public key certificates, which are usually provided by a Certification Authority, which should be a recognized organization with adequate controls and procedures in place to provide the necessary degree of confidence. The service level agreements or contracts with external suppliers of cryptographic services, e.g. with the Certification Authority, will cover issues of accountability as per the same internal procedures.


Subscribe to our Newsletter


This field is for validation purposes and should be left unchanged.

Share This Post With Your Network

More To Discover