Encryption and Key Management Policy

All your company policies and legal agreements in one platform

What is an Encryption and Key Management Policy?

The Encryption and Key Management Policy aims to ensure cryptography is used effectively to protect the confidentiality, authenticity and/or integrity of information.

When storing or transmitting confidential data, it is considered good practice to encrypt the data.

Why is an Encryption and Key Management Policy important?

Many data protection regulations, including EU & UK GDPR, require you to implement appropriate technical and organisational measures to ensure you process personal data securely. They often reference encryption as an example of an appropriate technical measure.

Encryption is a widely-available measure with relatively low costs of implementation. There is a large variety of solutions available, it is important that the encryption solutions you utilise meet current standards.

The UK’s ICO (Information Commissioner’s Office) recommends that an encryption policy be implemented to govern how and when you implement encryption, and you should also train your staff in the use and importance of encryption.

ISO 27001 Encryption and Key Management Policy

InfoSec policies are part of the requirements of the ISO 27001 Certification standard. The Encryption and Key Management policy is one of those ISO 27001 policies required, you can take a look at the full list here.

Encryption and Key Management Policy Sections

The use of encryption

Encryption and data storage

Data At-Rest encryption

In-Transit encryption

Encryption key management

Policy governance

Encryption and Key Management Policy Related

Also known as: Encryption Policy, Data Encryption Policy, Key Management Policy, Cryptography Policy, Cryptographic controls policy, ISO 27001 Key Management, Cryptography Policy ISO 27001

Related terms: Cryptographic controls, Keys, Encryption, Decryption, AES, TLS, SSL, HTTPS

Framework references: ISO 27001