Available at a fixed monthly cost

Get your quote today

What we offer at a glance

  • Get an external data protection officer
  • Audit of your data privacy status quo
  • GDPR support for small businesses and large corporations
  • Personal contact person & individual support
  • Easier communication with authorities
  • 100+ experts from the fields of law, economics & IT

Don't trust us, trust them:

Jedox  Logo Contact Demodesk Logo Contact Elevate Logo Contact Canon  Logo Contact CBTL Logo Contact Alasco  Logo Contact RightNow Logo Contact Veganz Logo Contact Escada Logo Contact First Group Logo Contact

Learn more about our prices & services

or call us now: (020) 36956 452

ISO 27001 - Annex A.10 - Cryptography

Information travels in multiple ways through different mediums in today's day and age—therefore the likelihood of an entity or an individual gaining access to this information increases. This means that if your data: the data that you store, the data that you share, is not encrypted, it can be accessed by people outside your organisation with ease.

In order to comply with government regulations and exceed the expectations of consumers who hand over sensitive data, organisations must be able to adopt the best practices of information security. 

In this article, let us learn about the cryptography specific Annex, its objectives, controls, and how this Annex can benefit your organisation in its information security journey.

What is Cryptography in information security?

In its textbook definition, cryptography is a term that refers to secure information and communication techniques that use mathematical concepts and a set of rule-based calculations known as algorithms to convert messages into difficult-to-decipher formats.

Essentially, this means that it is used as a safe way for a sender and recipient to communicate without an outside party to hack in and read its contents.

The following four goals are covered by modern cryptography:

  • Confidentiality 
    Anyone who was not supposed to receive the data is most likely unable to interpret it. 
  • Integrity 
    The information cannot be tampered with either in storage or in transit between the sender and the intended recipient without being noticed. 
  • Non-repudiation 
    The information originator cannot later deny their intentions in the development or transmission of the data. 
  • Authentication
    The sender and recipient may verify each other's identities as well as the information's origin and destination.

It is closely linked to encryption, which is the process of converting plaintext into ciphertext and then back again when it is received. Encrypting and decrypting email and other plain-text messages is the most typical usage of cryptography when moving data. 

How does cryptography and encryption work together?

The symmetric or "secret key" method is used for encryption and decryption. The encoded message and secret key are then delivered to the receiver for decoding.

However, if the data is intercepted, a third party has all they need to decode and read it. To solve this problem, cryptologists created the asymmetric or "public key" method where each user has two keys: one public and one private.

After receiving the recipient's public key, senders encrypt the message and send it along to the recipient. Once the message arrives, only the recipient's private key can decode it, therefore theft is pointless without the matching private key on the receiving end.

What is Annex A.10?

Annex A.10 is how cryptography should be handled in your organisation on your journey to information security compliance. When handling data in your organisation, it includes sensitive organisational data, your employees data and your customers data. 

Whether your customers are individuals or organisations, you still store and transmit their data within your organisation. This includes your customers personal data such as their location, financial information, medical records, revenue/income, etc.

The two controls under Annex A.10 that help your organisation implement cryptography in your organisation are:

  • Policy on the use of Cryptographic Controls
  • Key Management

Next, let us take a look at the objective of Annex A.10 to start implementing ISO 27001 on your journey to achieve overall information security compliance for your organisation.

What is the objective of Annex A.10?

Annex A.10 is a part of the Annex A controls of the ISO 27001 certification. Once you start your compliance journey you must select which controls apply to your organisation. 

Annex A.10s main objective is to assure that cryptography is used correctly and efficiently to safeguard information's privacy, authenticity, and integrity. It also helps your organisation build overall strong information security practices covering a wide area of encryption as it is an important part of the ISMS (information security management system).

Let us go over the controls of Annex A.10 in depth as they are included in ISO 27001 in the next section.

What are the Annex A.10 cryptography controls?

  • A.10.1.1 Policy on the use of Cryptographic Controls

    Cryptography can be used when storing data as well as transmitting data as it uses public keys to ensure encryption. Conducting a risk assessment for your organisation could help speed up its encryption process by helping you understand and identify risks and opportunities to focus on.

    A risk assessment comes in handy when identifying corrupt or missing keys which allow you to navigate those risks and increase information security during ISO 27001 implementation.

  • A.10.1.2: Key Management

    The essential components of encryption are cryptographic keys. Without them, encryption's entire purpose is lost. The use of cryptographic techniques should be in line with the organisation's best practices and information security policy. 


    Cryptographic keys are all part of proper key management and provide safe mechanisms for:

    • Creating keys
    • Processing keys
    • Archiving keys
    • Retrieving keys
    • Transferring keys
    • Deleting keys
    • Destroying keys

    Physical environmental security should also be considered for the equipment used to generate, process, and archive keys.

    A key management framework should be built around a collection of agreed-upon concepts, protocols, and procedures for generating keys for various cryptographic algorithms and applications. They are:
  • Creating a public key certificate
  • Distribute keys to designated entities, with the keys activated upon reception. 
  • Keeping track of keys, as well as who has access to them
  • Keys that need to be adjusted or upgraded; keys that are missing
  • Keys that have been revoked, as well as how they may be removed or disabled
  • Keys that have gone missing or have been corrupted can be recovered
  • Keys for backup or archiving
  • Destruction of keys
  • Key managerial activities are logged and audited

Why is Cryptography important for your organisation's information security management?

Cryptography is used to secure transactions and communications, protect personal information, verify identity, prevent document manipulation, and build trust between servers as the basis of advanced security systems. 

Cryptography is one of the most important methods used by organisations to safeguard the systems that store their most valuable data.


Annex A.10 Cryptography is important for ISO 27001 implementation in your organisation since the certification helps you demonstrate excellent security procedures and gives you a competitive advantage.

DataGuard helps organisations implement ISO 27001 controls and become certified. Interested in taking Info-Sec to the next level? Book an appointment and get in touch with our experts today.

Book an appointment


About the author