ISO27001. A.10.1.1. Policies for the use of cryptographic controls

Cryptography and encryption are key today, especially for every service we expose on the Internet (web portals, interconnection with third parties, communication with other providers or customers, and so on), so that the information exchanged keeps its confidentiality and integrity even if it is intercepted. Here I want to describe how I work with my clients when I collaborate as an ISO27001 internal auditor, and what we expect the certification auditor to review. We are talking about policies for the use of cryptographic controls.

A policy for the use of cryptographic controls is mandatory wherever information systems are used.

How do we implement it in our companies?

As anticipated in the introduction of this post, the effective use of cryptographic techniques must be accompanied by cryptographic keys of adequate length and by sound encryption and decryption algorithms. It is recommended to use industry-recognized encryption and decryption standards, which help ensure confidentiality, integrity, privacy and non-repudiation in communication between parties. The use of SSL/TLS and HTTPS is critical.

Here’s a reduced example of how to manage this control:

Summary

  • The cryptography policy is critical to defining the scope of this control in our ISMS.
  • The policy applies to all internal and external personnel.

Implementation

Certificate Requirements:

  • The maximum validity period for signing certificates is 1 year.
  • The maximum validity period for SSL/TLS certificates is 2 years.
  • All certificate keys must be at least 2048 bits long.
  • All certificates are recorded and managed through asset management.

Requirements for SSL connections:

  • Use of SSL is not allowed.
  • TLS 1.2 or 1.3 must be used instead.
  • All web services must be configured with the strongest encryption settings available.
  • All public websites are periodically scanned with security analysis tools and must achieve an A rating.

Email requirements:

  • STARTTLS must be enabled.
  • All domains are scanned using tools such as mxtoolbox.com, and any critical problems found must be resolved.
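The certificate and TLS requirements above can be expressed as policy-as-code checks that an internal audit runs against the asset-management inventory. The following is an added example and not part of the original post; the inventory entries are constructed and the function names are assumptions. It checks validity period and key length against the limits stated in the policy, and builds a server-side TLS context that cannot negotiate SSL or anything below TLS 1.2.

```python
"""Added example: the A.10.1.1 certificate and TLS requirements as checks.

Not part of the original post. The inventory below is constructed; the
policy limits are the ones stated in the requirements above.
"""
import ssl
from datetime import date

# Policy limits taken from the requirements above
MAX_VALIDITY_DAYS = {"signing": 365, "tls": 2 * 365}
MIN_KEY_BITS = 2048
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def check_certificate(kind, not_before, not_after, key_bits):
    """Return the list of policy findings for one certificate (empty = compliant)."""
    if kind not in MAX_VALIDITY_DAYS:
        return [f"unknown certificate kind {kind!r}"]
    findings = []
    validity_days = (not_after - not_before).days
    limit = MAX_VALIDITY_DAYS[kind]
    if validity_days > limit:
        findings.append(
            f"{kind} certificate valid for {validity_days} days, policy maximum is {limit}"
        )
    if key_bits < MIN_KEY_BITS:
        findings.append(f"key length {key_bits} bits is below policy minimum {MIN_KEY_BITS}")
    return findings


def audit_inventory(inventory):
    """Run check_certificate over an inventory; return {asset: [findings]} for non-compliant assets."""
    report = {}
    for asset in inventory:
        findings = check_certificate(
            asset["kind"], asset["not_before"], asset["not_after"], asset["key_bits"]
        )
        if findings:
            report[asset["name"]] = findings
    return report


def build_server_tls_context():
    """Server context honouring 'SSL not allowed, TLS 1.2 or 1.3 instead'."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    # Refuses SSLv3, TLS 1.0 and TLS 1.1; TLS 1.3 stays available if the library supports it
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_is_compliant(ctx):
    """True if the context cannot negotiate anything below TLS 1.2."""
    return ctx.minimum_version >= MIN_TLS_VERSION


# Constructed inventory for the example (not real assets)
SAMPLE_INVENTORY = [
    {"name": "code-signing-2024", "kind": "signing", "key_bits": 3072,
     "not_before": date(2024, 1, 1), "not_after": date(2024, 12, 31)},
    {"name": "www-portal", "kind": "tls", "key_bits": 2048,
     "not_before": date(2024, 1, 1), "not_after": date(2027, 1, 1)},
    {"name": "legacy-partner-link", "kind": "tls", "key_bits": 1024,
     "not_before": date(2024, 6, 1), "not_after": date(2025, 6, 1)},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    print("TLS context compliant:", tls_context_is_compliant(build_server_tls_context()))
```

The report only lists non-compliant assets, which is what an auditor wants as evidence that the policy is actually enforced rather than merely written; running it on a schedule and keeping the output alongside the policy gives the certification auditor something concrete to review.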

What will the ISO27001 certification authority focus on?

Depending on the scope and other factors, in general the auditor will look at the following aspects:

  • The auditor will analyze whether security requirements have been assessed and cryptographic measures applied where necessary.
  • The policy must be aligned with control A.10.1.2 on key management.
  • The auditor will review the cryptography usage policy your organization has written.
  • They will check that the policy and controls are related and logical, and that they have been communicated to employees and third parties concerned.
  • Keys should be strong enough to balance performance against protection of the information exchanged between systems, in line with industry cryptography standards.
  • Among other aspects…

Luis Vilanova Blanco. Auditor CISA by ISACA and trained in ISO27001 by SGS.

luis@luisvilanova.es

606954593
