By John Watt on Thursday, 11 November 2021
Category: ISO27001 Information Security Management Systems

ISO27001 and the Annex Clauses – Clause A10 Cryptography

When you first think about cryptography and its uses, it's not hard to jump to the realms of James Bond and secret codes that unlock the secrets of organisations and the nation. Why would you need to care about it?

The answer is simple really: in today's cloud computing environment, for example, cryptography appears everywhere. In secure computer systems, even in your password for your phone or computer, it's all driven by cryptography. So what is it?

Cryptography is the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents. ... Here, data is encrypted using a secret key, and then both the encoded message and secret key are sent to the recipient for decryption

Kaspersky.com

From a business point of view, then, it's about making sure that only those who should be able to access and see information actually can, and those who shouldn't can't get access.

A10.1 Cryptography Controls

The ISO27001 Annex A clause A10.1 is the only clause for cryptography in the Information Security Management Systems standard, and it only has 2 sub clauses; you'd expect a little more on the subject in a standard about information security. The fact is, however, the little clause packs a big punch, and it's going to need some expert help, either from your internal IT team or from your local IT specialist, before you put pen to paper to write things down.

As you go through your process, think about each of the different levels of information you have and how much protection each will need; this will also form part of your decision process in implementing the cryptographic controls annex.

It's easy to both underestimate and overcomplicate the requirements for this clause for your ISO27001 Information Security Management System, so our serious advice is: make sure you work with someone who understands it before you head off down a rabbit hole you don't have the keys to get back out of.
