ISO 27001 Annex A.10 – Cryptography

Simplifying Information Security Certification

What is the objective of ISO 27001 Annex A.10?

Annex A.10.1 ‘Cryptographic controls’ requires the proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

It forms part of the information security management system (ISMS) and is an integral step towards achieving ISO 27001 certification. It contains the two controls listed below.

A.10.1.1 Policy on the use of cryptographic controls

Control A.10.1.1 (Annex A.10.1.1) stipulates that a policy on the use of cryptographic controls for the protection of information should be developed and implemented. Adoptech’s Encryption and Key Management Policy is designed to manage this control, outlining the company’s use of encryption for data at rest and data in transit.

A risk-based approach should be taken to identify where encryption is needed and which type should be used. This includes taking into account regulatory and national restrictions on cryptography that may apply in different parts of the world (these are also the subject of control A.18.1.5, Regulation of cryptographic controls). Industry-recognised algorithms and well-reviewed implementations should be used rather than in-house designs, and network communications should be protected with current TLS versions (TLS 1.2 or later) behind HTTPS; legacy SSL and TLS 1.0/1.1 should be disabled, since they are no longer considered secure.

The encryption used should:

  • Secure information and data while stored, processed and handled (data at rest, including backups and removable media)
  • Protect user credentials (passwords stored only as salted hashes from a dedicated password-hashing function, never reversibly encrypted)
  • Enable secure communications and connections (data in transit)
  • Enable verification, authentication, identification and validation (digital signatures and message authentication codes for integrity and authenticity)
  • Secure ad-hoc internet/networked connections between company systems and devices (for example VPNs for remote access)

A.10.1.2 Key Management

Control A.10.1.2 (Annex A.10.1.2) requires a policy on the use, protection and lifetime of cryptographic keys to be developed and implemented, covering the whole key lifecycle. Adoptech’s Encryption and Key Management Policy achieves this.

The company’s approach towards the management of cryptographic keys through their lifecycle, including generating, storing, archiving, retrieving, distributing, retiring and destroying keys, must be outlined within the Encryption and Key Management Policy. In practice this means keys are generated from a cryptographically secure random source, stored separately from the data they protect (ideally in an HSM or a managed key service), identified by a key ID so that data can be matched to the key that protected it, rotated on a defined schedule or on suspected compromise, kept in a retired state only as long as data protected under them must remain readable, and destroyed together with every copy, including backups, once that period ends.
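To make the lifecycle concrete, here is an added example (not Adoptech's code and not from the standard) of a minimal in-memory key store that walks keys through generate, active, retired and destroyed, with the key ID carried alongside every protected record so it can be retrieved later. It uses HMAC-SHA256 integrity tags from the standard library as the stand-in for "protecting" data, so that it runs with no third-party dependencies; a real store would back the same state machine with an HSM or KMS and would protect data with authenticated encryption. The class and exception names are this example's own.

```python
import hashlib
import hmac
import secrets
from enum import Enum
from typing import Dict, Optional, Tuple


class KeyState(Enum):
    ACTIVE = "active"        # the single key used for new protect operations
    RETIRED = "retired"      # kept only to verify/decrypt data it protected
    DESTROYED = "destroyed"  # material wiped; data under it is unrecoverable


class KeyUnavailable(Exception):
    """Raised when a key ID is unknown or its material has been destroyed."""


class ManagedKey:
    def __init__(self, kid: str, material: bytes) -> None:
        self.kid = kid
        self.material: Optional[bytes] = material
        self.state = KeyState.ACTIVE


class KeyStore:
    """Toy key store: generate -> active -> retired -> destroyed."""

    def __init__(self) -> None:
        self._keys: Dict[str, ManagedKey] = {}
        self._active: Optional[str] = None

    # Generating: fresh 256-bit material from the OS CSPRNG, bound to a
    # key ID that travels with every tag it produces. Generating while a
    # key is already active is a rotation: the predecessor is retired.
    def generate(self) -> str:
        kid = "key-%03d" % (len(self._keys) + 1)
        self._keys[kid] = ManagedKey(kid, secrets.token_bytes(32))
        if self._active is not None:
            self._keys[self._active].state = KeyState.RETIRED
        self._active = kid
        return kid

    rotate = generate

    def state(self, kid: str) -> KeyState:
        return self._keys[kid].state

    # Destroying is explicit and only allowed once the key is no longer
    # active; a real store must also purge HSM slots and backup copies.
    def destroy(self, kid: str) -> None:
        key = self._keys[kid]
        if key.state is KeyState.ACTIVE:
            raise ValueError("rotate first; the active key cannot be destroyed")
        key.material = None
        key.state = KeyState.DESTROYED

    # Using: integrity/authenticity tag under the active key only.
    def protect(self, data: bytes) -> Tuple[str, bytes]:
        if self._active is None:
            raise KeyUnavailable("no active key; call generate() first")
        key = self._keys[self._active]
        assert key.material is not None  # active keys are never destroyed
        return key.kid, hmac.new(key.material, data, hashlib.sha256).digest()

    # Retrieving: look the key up by the ID stored with the data. Retired
    # keys still verify old data; destroyed keys cannot.
    def verify(self, kid: str, data: bytes, tag: bytes) -> bool:
        key = self._keys.get(kid)
        if key is None or key.material is None:
            raise KeyUnavailable("key %s unknown or destroyed" % kid)
        expected = hmac.new(key.material, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    ks = KeyStore()
    k1 = ks.generate()
    kid, tag = ks.protect(b"customer record 1")   # constructed sample data
    k2 = ks.rotate()
    print(k1, ks.state(k1).value, "still verifies:", ks.verify(kid, b"customer record 1", tag))
    ks.destroy(k1)
    print(k1, ks.state(k1).value)
```

The point of the retired state is that rotation must not make existing data unreadable: new records are protected under the new key while old ones remain verifiable until they have been re-protected or have passed their retention period, after which destroying the old key is what actually makes the data unrecoverable.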

