ISO 27001:2022 Annex A Control 8.24

Use of Cryptography

Book a demo

closeup,group,young,coworkers,together,discussing,creative,project,during,work

When transmitting information between networks and devices, cyber attackers may attempt to steal sensitive data, alter content, imitate senders/recipients to gain unauthorised access, or intercept the exchange.

Cyber criminals may employ man-in-the-middle (MITM) attacks, intercepting data transmissions and masquerading as the server to get the sender to reveal login credentials. With these credentials, they can gain access to systems and jeopardise sensitive data.

Cryptography, such as encryption, can effectively safeguard the confidentiality, integrity, and availability of information when in transit.

Cryptographic techniques can keep information assets secure when not in use. They ensure that the data is protected from any unauthorised access or modification.

ISO 27001:2022 Annex A 8.24 outlines how organisations can create and apply regulations and processes regarding the utilisation of cryptography.

Purpose of ISO 27001:2022 Annex A 8.24

ISO 27001:2022 Annex A 8.24 allows organisations to secure the confidentiality, integrity, authenticity and availability of information assets through correct application of cryptography and satisfying the following criteria:

  • Business requirements are a must.
  • Ensure information security through the implementation of strict requirements.
  • Statutory, contractual, and organisational mandates necessitate the usage of cryptography.

Ownership on Annex A 8.24

Complying with Annex A 8.24 necessitates the implementation of a policy on cryptography, the establishment of an efficient key management process, and the determination of the type of cryptographic technique applicable to the data classification of a given information asset.

The Chief Information Security Officer must be held accountable for setting up proper regulations and protocols regarding cryptographic keys.

General Guidance on ISO 27001:2022 Annex A 8.24 Compliance

ISO 27001:2022 Annex A Control 8.24 stipulates seven requirements organisations must observe when employing cryptographic methods:

  1. Organisations should have a policy in place regarding the use of cryptography, to maximise its benefits and reduce risks. This policy should also outline general principles of protecting information.
  2. Organisations must take into account how delicate their information resources are, as well as the information classification level appointed to them, when selecting the type, strength, and quality of the encryption algorithm.
  3. Organisations ought to utilise cryptographic approaches when transferring info to portable devices, media equipment, or when it is stored thereon.
  4. Organisations need to tackle any matters connected to key management, like forming and shielding cryptographic keys and having a scheme of data recovery in the event that the keys are missing or vulnerable.
  5. Organisations should define the roles and responsibilities for the following:
    • The rules for using cryptographic techniques must be established and enforced.
    • Handling of keys, including their generation.

  6. The organisation adopts and approves standards encompassing the cryptographic algorithms, cipher strength, and usage practices of cryptography.
  7. Organisations should consider the potential impact of encryption on the efficacy of the content inspection controls, such as malware detection.

ISO 27001:2022 Annex A 8.24 emphasises that organisations should consider legal requirements and restrictions that may impact the use of cryptography, including the international transfer of encrypted information.

Organisations should take into consideration liability and continuity of services when they enter into service agreements with external providers of cryptographic services.

Guidance on Key Management

Organisations must set up and follow secure processes for the generation, storage, fetching, and disposal of cryptographic keys.

Organisations ought to install a solid key management system that features regulations, procedures, and criteria for:

  • Generating cryptographic keys for a variety of systems and applications is necessary.
  • The issuing and obtaining of public-key certificates.
  • Distribute keys to intended receivers, including the procedure of key activation.
  • Keys are to be stored securely. Those authorised to access them may do so with the necessary credentials.
  • Changing of keys.
  • Handling of compromised keys should be taken seriously.
  • If keys are compromised or an authorised personnel leaves an organisation, they should be revoked.
  • Recovery of lost keys.
  • Key backup and archival should be performed regularly.
  • Destroying keys.
  • Maintain a record of all activities linked to each key.
  • Establishing the activation and deactivation dates for keys.
  • Accessing keys in response to legal requests.

Finally, it is essential that organisations are aware of the three main risks that this supplementary guidance outlines:

  1. Secure and private keys ought to be safeguarded against unauthorised usage.
  2. Protecting equipment used for creating or storing encryption keys should be done with physical security measures.
  3. Organisations should ensure the validity of their public keys.

What Are the Benefits of Cryptography?

ISO 27001:2022 Annex A 8.24 states that cryptography can be used to help organisations attain four information security objectives. These objectives include verifying the authenticity of public keys through public key management processes:

  1. Cryptography ensures the confidentiality of data, both in transit and when stored, is preserved.
  2. Digital signatures and authentication codes guarantee information communicated is genuine and reliable.
  3. Cryptographic methods give assurance that all events or actions taken, including receipt of information, will not be disavowed.
  4. Authentication through cryptographic methods allows organisations to validate the identity of users seeking access to systems and applications.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.24 replaces ISO 27001:2013 Annex A 10.1.1 and 10.1.2 in the revised 2022 standard.

The content of the two is nearly the same, though there are some structural modifications.

Whereas the 2013 version had two separate controls, 10.1.1 and 10.1.2, for the use of cryptography, the 2022 version consolidated these into one Annex A Control, 8.24.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How ISMS.online Help

ISMS.Online is the foremost ISO 27001 management system software, aiding companies in adhering to ISO 27001:2022 and ensuring their security policies and procedures comply with the standard.

This cloud-based platform offers a comprehensive set of tools to aid organisations in implementing an Information Security Management System (ISMS) in line with ISO 27001.

Reach out and book a demonstration today.

I’ve done ISO 27001 the hard way so I really value how much time it saved us in achieving ISO 27001 certification.

Carl Vaughan
Infosec Lead, MetCloud

Book your demo

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.