ISO 27001 - Annex A.10 - cryptography

Information now travels in many ways over many different media, so the likelihood of an entity or an individual gaining access to it increases. If your data, both the data you store and the data you share, is not encrypted, it can be accessed with ease by people outside your organisation.

To comply with government regulations and exceed the expectations of consumers who hand over sensitive data, organisations must be able to adapt and adopt the best practices of information security. 

In this article, let us learn about the cryptography-specific Annex, its objectives, its controls, and how this Annex can benefit your organisation's IT department.

What is Cryptography in information security?

In its textbook definition, cryptography is a term that refers to secure information and communication techniques that use mathematical concepts and a set of rule-based calculations known as algorithms to convert messages into difficult-to-decipher formats.

Essentially, this means that it is used as a safe way for a sender and recipient to communicate without an outside party intercepting and reading the contents.

The following four goals are covered by modern cryptography:

  • Confidentiality 
    Anyone who was not supposed to receive the data is most likely unable to interpret it. 
  • Integrity 
    The information cannot be tampered with either in storage or in transit between the sender and the intended recipient without being noticed. 
  • Non-repudiation 
    The information originator cannot later deny or dispute their intentions in the development or transmission of the data. 
  • Authentication
    The sender and recipient may verify each other's identities as well as the information's origin and destination.

In Information Security, cryptography is closely linked to encryption, which is the process of converting plaintext into ciphertext and then back again when it is received. Encrypting and decrypting email and other plain-text messages is the most typical use of cryptography when moving data.

How do cryptography and encryption work together?

In information technology, encryption generally relies on a series of numbers and letters stored in a file, often referred to as a "key".

In symmetric-key or "secret key" cryptography, the same key is used for both encryption and decryption. The encoded message and the secret key are then delivered to the receiver for decoding.

However, if the data is intercepted, a third party has all they need to decode and read it. To solve this problem, cryptologists created asymmetric or "public key" cryptography. Public key encryption provides each user with two keys: a private key, and a public key that is available to anyone to use.

After receiving the recipient's public key, senders encrypt the message and send it along to the recipient. Once the message arrives, only the recipient's private key can decode it, therefore theft is pointless without the matching private key on the receiving end.

What is Annex A.10?

Annex A.10 sets out how cryptography should be handled in your organisation on your journey to information security compliance. The data your organisation handles includes sensitive organisational data, your employees' data and your customers' data.

Whether your customers are individuals or businesses, you store and transmit their private data within your organisation including but not limited to personal data such as location, financial information, medical records, revenue/income, etc.

The two controls under Annex A.10 that help your organisation implement cryptography are:

  • Policy on the use of Cryptographic Controls
  • Key Management

Next, let us take a look at the objective of Annex A.10 to start implementing ISO 27001 on your journey to achieve overall information security compliance for your organisation.

What is the objective of Annex A.10?

Annex A.10 is a part of the Annex A controls of the ISO 27001 certification. Once you start your compliance journey you must select which controls apply to your organisation. 

The main objective of Annex A.10 is to ensure that cryptography is used correctly and effectively to safeguard the privacy, authenticity, and integrity of information. It also helps your organisation build strong overall information security practices covering a wide area of encryption, as encryption is an important part of the ISMS (information security management system).

What are the Annex A.10 cryptography controls?

In ISO 27001, cryptographic controls are defined as security practices tailored toward the proper and effective use of cryptography to protect information according to the perceived risks, whether that information is stored at rest or transmitted during communication.

  • A.10.1.1 Policy on the use of Cryptographic Controls

    Conducting a risk assessment for your organisation can speed up its encryption programme by helping you understand and identify the risks and opportunities to focus on.

    A risk assessment also helps you identify corrupt or missing keys, so that you can address those risks and increase information security during ISO 27001 implementation.

  • A.10.1.2 Key Management

    Cryptographic keys are the essential component of encryption. Without them, encryption's entire purpose is lost. The use of cryptographic techniques should be in line with the organisation's best practices and information security policy.

    Proper key management covers the whole lifecycle of cryptographic keys and provides safe mechanisms for:

    • Creating keys
    • Processing keys
    • Archiving keys
    • Retrieving keys
    • Transferring keys
    • Deleting keys
    • Destroying keys

    Physical and environmental security should also be considered for the equipment used to generate, process, and archive keys.

    A key management framework should be built around a collection of agreed-upon concepts, protocols, and procedures for generating and managing keys for various cryptographic algorithms and applications. These cover:

    • Generating keys and creating public key certificates
    • Distributing keys to designated entities, with the keys activated upon receipt
    • Keeping track of keys, as well as who has access to them
    • Adjusting or upgrading keys, and dealing with keys that are missing
    • Revoking keys, and how revoked keys are removed or disabled
    • Recovering keys that have gone missing or have been corrupted
    • Backing up or archiving keys
    • Destroying keys
    • Logging and auditing key management activities
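The lifecycle above can be enforced in software rather than left to procedure alone. The following is an added illustration, not code from the article or from the ISO 27001 standard: a small key register that only permits the listed transitions (create, activate, rotate, revoke, archive, recover, destroy), makes destroyed material unrecoverable, and records every attempted key management action, allowed or denied, in an audit log. The state names, the `KeyRegister` class and the 32-byte random material are assumptions chosen for the example.

```python
"""Key lifecycle register modelled on the Annex A.10.1.2 activities.
Added example for illustration; not the standard's or the article's code."""
from datetime import datetime, timezone
import secrets

# Allowed lifecycle transitions per state (assumed state names).
# Anything not listed here is rejected and still logged.
TRANSITIONS = {
    "created":   {"activate", "destroy"},
    "active":    {"rotate", "revoke", "archive"},
    "revoked":   {"archive", "destroy"},
    "archived":  {"recover", "destroy"},
    "destroyed": set(),                 # terminal: nothing comes back
}
RESULT = {"activate": "active", "rotate": "active", "revoke": "revoked",
          "archive": "archived", "recover": "active", "destroy": "destroyed"}


class KeyRegister:
    def __init__(self):
        self.keys = {}    # key_id -> {"state", "material", "owner"}
        self.audit = []   # (timestamp, actor, key_id, action, allowed)

    def _log(self, key_id, action, actor, allowed):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, actor, key_id, action, allowed))

    def create(self, key_id, owner, actor):
        """Generate fresh key material and register who owns it."""
        if key_id in self.keys:
            raise ValueError("duplicate key id")
        self.keys[key_id] = {"state": "created",
                             "material": secrets.token_bytes(32),
                             "owner": owner}
        self._log(key_id, "create", actor, True)

    def apply(self, key_id, action, actor):
        """Apply a lifecycle action; every attempt is audited."""
        k = self.keys[key_id]
        allowed = action in TRANSITIONS[k["state"]]
        self._log(key_id, action, actor, allowed)
        if not allowed:
            raise PermissionError(f"{action} not allowed from {k['state']}")
        if action == "rotate":
            k["material"] = secrets.token_bytes(32)   # new material, same id
        if action == "destroy":
            k["material"] = None                      # cannot be recovered
        k["state"] = RESULT[action]
        return k["state"]
```
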

Why is Cryptography important for your organisation's information security management?

Cryptography is used to secure transactions and communications, protect personal information, verify identity, prevent document manipulation, and build trust between servers as the basis of advanced security systems. 

Cryptography is one of the most important methods used by organisations to safeguard the systems that store their most valuable data.

Conclusion

Annex A.10 Cryptography is important for ISO 27001 implementation in your organisation since the certification helps you demonstrate excellent security procedures and gives you a competitive advantage.

DataGuard helps organisations implement ISO 27001 controls and become certified. Interested in taking Info-Sec to the next level? Book an appointment and get in touch with our experts today.
