In the current era of cloud computing, those organisations that seek to limit any kind of extra financial burden, particularly without compromising information security, are considering ISO 27001 certification. ISO 27001 is best explained as a means that gives an opportunity for an entity to develop its overall information security position. When it comes to protecting information assets, then an ISO 27001 Information Security Management System (ISMS) is the most recognised system. It focusses on three main areas which is availability, integrity and confidentiality of information.
Transfer of Information
In the present day, one can see constant travelling of information from one region of the world to another via online transactions, email, USB flash drives, and external hard drives. This means, before information get to its ultimate destination, it travels or is transferred through various places outside the controlled area of an organisation such as routers, ISP servers, external suppliers, switches, carries and many more.
If information is intercepted during transfer from one location to another, this will have a negative impact on an organisation. Especially if the information consists of Personal Identifiable Information (PII) or is company sensitive data.
Importance of Cryptographic Controls in ISO 27001
The solution to avoid an information security breach during transfer of information, is to establish cryptographic controls for protecting the information when it goes outside the boundaries of an organisation. Basically, cryptography is a method of storing and transmitting data in such kind of form that can be read and processed by the intended parties only. Cryptographic controls can be used to accomplish the confidentiality objectives of information security. By using encryption, information that is sensitive or confidential can be stored or transmitted in a secure way.
Annex A.10.1 of ISO 27001 covers cryptographic controls. The main objective of this control is to ensure appropriate and effective cryptography use for securing the integrity and confidentiality of information. It is a significant component of the ISMS (Information Security Management System), particularly if an organisation seeks to attain ISO 27001 certification. However, encryption and cryptographic controls on its own does not resolve all problems, as the wrong choice of cryptographic technologies and methods, or the ineffective management of cryptographic keys and certificates can generate liabilities themselves. Likewise, the processing and transmission of information can be slowed down due to encryption. It is therefore essential to be aware of every risk and balance out the control to a satisfactory level to accomplish required performance goals at the same time.
Cryptographic Controls Policy
An ideal way for classifying business requirements is a policy on the use of encryption, covering elements such as when encryption should be used as well as the standards that require implementation. Similarly, legal requirements around encryption should also be considered.
Usually, the weakest point for encryption is the management of keys which, if not adequately protected, can be compromised during an attack. For that reason, it is vital to have a strong and safe process around it. Furthermore, dealing with compromised keys is central too and where suitable should be joined with Annex A.16 Security Incident Management as well.
It must not be disregarded that the implementation of security controls, including cryptographic controls, has to be derived from the results of the risk evaluation. Consequently, the required level of information protection should be recognised by considering the complexity, time and quality of the needed encryption algorithm. Last but not the least, there are regulations and restrictions in different countries about the use of cryptographic controls and they must be taken into account while developing the use of a cryptographic controls policy.
If you are looking to implement and ISO 27001 ISMS, then contact us for a free consultation on how we can support.