ISO 27001 Information Security Management Standard - Clause A.10

Posted by Craig Thornton

Part 29 - A10 Cryptography 

This objective of the clauses in A.10 in the annex of ISO 27001 is to ensure the proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of your information.

This one tales a while to work out and may require specialist advice from your IT Department or from a consultant.

Here at Mango we use encryption and decryption extensively in our Mango product. We are constantly making sure it isn’t compromised.

So let’s look at this small clause in some detail.

Businesswoman holding tablet pc entering password. Security concept 

A.10 Cryptographic Controls  

This clause is separated into two sub-clauses.

Firstly, you need to develop and implement a policy on the use of cryptographic controls.

Here at Mango we have a policy that we will use cryptographic controls if they have been proven to be resilient to attack and strong enough to protect our assets.

Secondly, you need to develop and implement a policy on the use, protection and lifetime of cryptographic through their whole lifecycle.

Here at Mango we have a policy on how we will use keys for managing encryption and decryption.

So there you have it.

This is a simple clause but does require specialist knowledge to develop and implement policies around encryption and key management.

 

Takeaways

  1. Seek specialist advice for this clause.
  2. Develop a simple policy for both cryptographic controls and for the lifecycle of cryptography for your business
  3. Implement the policy.


View previous blogs in this series "ISO 27001 Information Security Management Standard":

Part 1 - Reasons why you need to meet this standard

Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls

Part 3 - Principle 2 - Awareness of the Need for Information Security

Part 4 - Principle 3 - Assignment of Responsibility for Information Security

Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

Part 6 - Principle 5 - Enhancing Societal Values

Part 7 - Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

Part 8 - Principle 7 - Security incorporated as an essential element of information networks and systems

Part 9 - Principle 8 - Active prevention and detection of information security incidents

Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management

Part 11 - Principle 10 - Continual reassessment of information security and making of modifications as appropriate

Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3

Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4

Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1

Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2

Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3

Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1

Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2

Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4

Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5

Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3

Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3

Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2

Part 24 - ISO 27001 Information Security Management Standard: Clause A5

Part 25 - ISO 27001 Information Security Management Standard: Clause A6

Part 26 - ISO 27001 Information Security Management Standard: Clause A7

Part 27 - ISO 27001 Information Security Management Standard: Clause A8

Part 28 - ISO 27001 Information Security Management Standard: Clause A9

 

Tags: Cybersecurity, ISO 27001, information security, ISO 27001 Certification