When information is transmitted between networks and devices, attackers may use various techniques to steal sensitive information in transit, tamper with its content, impersonate the sender or recipient to gain unauthorised access to information, or intercept the transfer of information altogether.
For example, cyber criminals may use the man-in-the-middle (MITM) attack technique to intercept the transmission of data and impersonate the server, persuading the sender to disclose his/her login credentials to the false server. They can then use these credentials to gain access to systems and compromise sensitive information.
The use of cryptography, such as encryption, can effectively protect the confidentiality, integrity, and availability of information assets while they are in transit.
Furthermore, cryptographic techniques can also maintain the security of information assets when they are at rest.
Control 8.24 addresses how organisations can establish and implement rules and procedures for the use of cryptography.
Control 8.24 enables organisations to maintain the confidentiality, integrity, authenticity, and availability of information assets by properly implementing cryptographic techniques and by taking into account the following criteria:
Control 8.24 is a preventive type of control that requires organisations to establish rules and procedures for the effective use of cryptographic techniques, and thus to eliminate or minimise the risk of compromise of information assets when they are in transit or at rest.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality #Integrity #Availability | #Protect | #Secure Configuration | #Protection |
Compliance with 8.24 requires the establishment and implementation of a specific policy on cryptography, creating an effective key management process, and determining the type of cryptographic technique appropriate to the level of information classification assigned to a particular information asset.
Therefore, the chief information security officer should be responsible for setting out appropriate rules and procedures for the use of cryptographic keys.
Control 8.24 lists seven requirements that organisations should adhere to when using cryptographic techniques:
Furthermore, Control 8.24 highlights that organisations should take into account laws and requirements that may restrict the use of cryptography, including the cross-border transfer of encrypted information.
Finally, organisations are also advised to address liability and continuity of services when they enter into service agreements with third parties for the provision of cryptographic services.
Organisations should define and apply secure procedures for the creation, storage, retrieval, and destruction of cryptographic keys.
In particular, organisations should put in place a robust key management system that includes rules, processes, and standards for the following:
Last but not least, this supplementary guidance cautions organisations against three particular risks:
After highlighting that organisations can ensure the authenticity of public keys by methods such as public key management processes, Control 8.24 explains how cryptography can help organisations achieve four information security objectives:
27002:2022/8.24 replaces 27002:2013/(10.1.1 and 10.1.2)
While the content of both versions is almost identical, there are a few structural changes.
Whereas the 2013 version addressed the use of cryptography under two separate controls, namely 10.1.1 and 10.1.2, the 2022 version combines these two under one control, 8.24.
ISMS.Online is the leading ISO 27002 management system software that supports compliance with ISO 27002, and helps companies to align their security policies and procedures with the standard.
The cloud-based platform provides a complete set of tools to assist organisations in setting up an information security management system (ISMS) according to ISO 27002.
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |