ISO 27001

Annex A.10 – Cryptography

Get compliant with ISO 27001 – Annex A.10 and simplify compliance for your organisation.

Cryptography refers to the techniques for securing information and communication that use mathematical concepts and rule-based calculations, known as algorithms, to convert messages into a form that is difficult for anyone other than the intended recipient to interpret. In a few words, it is a safe way for a sender and receiver to communicate without an outsider reading or tampering with the content.
Cryptography is important for an organisation, as it is used to secure transactions and communications, protect personal information, verify identity, prevent document manipulation, and build trust between users.
This annex ensures that cryptography is used correctly and efficiently to protect the privacy, authenticity, and integrity of information.

A.10.1.1 – Policy on the use of cryptographic controls

A policy on the use of cryptographic controls for protection of information should be developed and implemented.

When creating the policy, the following should be considered:

  • The management approach to the use of cryptographic controls across the organisation.
  • Based on a risk assessment, the necessary level of protection should be identified, considering the type, strength, and quality of the encryption algorithm required.
  • The use of encryption to secure sensitive information transported by phone, removable media or other devices, or over communication lines.
  • The approach to key management, including methods to deal with the protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised or damaged keys.
  • Roles and responsibilities.
  • Standards to be followed in the organisation for successful implementation.
  • The impact of using encrypted information on controls that rely on content inspection (for example, malware scanning), which cannot examine data they cannot decrypt.

When applying the organisation's cryptographic policy, we should also consider the regulations and national restrictions that may apply to the use of cryptographic techniques in different parts of the world, and the issues relating to the trans-border flow of encrypted information.

A policy on the use of cryptographic controls is necessary to maximise the benefits and minimise the risks of using cryptographic techniques, and to avoid inappropriate or incorrect use.

A.10.1.2 – Key management

Cryptographic keys should be protected against modification, loss and destruction. Private keys need to be protected against unauthorised access.

A key management system should be based on an agreed set of principles, procedures and secure methods covering the following:

  • Generating keys for different cryptographic systems and applications.
  • Generating and obtaining public key certificates.
  • Distributing keys to the intended users, including how keys should be activated when received.
  • Storing keys.
  • Changing or updating keys, with rules on when keys should be changed and how this will be done.
  • How keys should be withdrawn or deactivated.
  • Recovering keys that are lost or corrupted as part of business continuity management.
  • Archiving keys.
  • Destroying keys.
  • Logging and auditing of key management related activities.

To reduce the likelihood of improper use of keys, activation and deactivation dates should be defined for each key so that it can only be used for a limited period of time; a key past its deactivation date should be rejected for new cryptographic operations and handled under the withdrawal, archiving or destruction procedures above.