iFour Consultancy ISMS Framework: Clause 10 – Cryptography

ISO 27001: Management Clause 10


Page 1

iFour Consultancy

ISMS Framework: Clause 10 – Cryptography

Page 2

Cryptography – ISMS Requirements

ISO 27001:2013 places cryptography under a single control objective, Clause A.10.1: Cryptographic controls.

Page 3

Clause A.10.1: Cryptographic controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.10.1.1 Policy on the use of cryptographic controls

A.10.1.2 Key management

Page 4

Clause A.10.1: Cryptographic controls

Cryptographic controls are used to achieve the following three security objectives:

Confidentiality: using encryption of information to protect sensitive or critical information, either stored or transmitted.

Integrity: using digital signatures or message authentication codes to protect the authenticity and integrity of stored or transmitted sensitive or critical information.

Non-repudiation: using cryptographic techniques to obtain proof of the occurrence or non-occurrence of an event or action.

Page 5

A.10.1.1 Policy on the use of cryptographic controls

Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

There should be a policy on the use of encryption, plus cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and cryptographic key management.

Page 6

A.10.1.2 Key management

Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

Key management is the management of cryptographic keys in a cryptosystem. This includes the generation, exchange, storage, use and replacement of keys.

Cryptographic systems may use different types of keys: symmetric keys or asymmetric keys.

Page 7

A.10.1.2 Key management

Symmetric key: in a symmetric key algorithm the same key is used both to encrypt and to decrypt a message (or to create and to verify a message authentication code). Anyone who holds the key can therefore both protect and forge data, so keys must be generated carefully and distributed and stored securely.

Asymmetric key: asymmetric keys are two distinct keys that are mathematically linked, a private key kept secret by its owner and a public key that can be distributed freely. They are used together: the public key encrypts what only the private key can decrypt, and the private key signs what anyone holding the public key can verify.

Page 8

A.10.1.2 Key management

The key management policy should cover the whole key lifecycle:

Generating keys for different cryptographic systems and different applications;

Generating and obtaining public key certificates;

Distributing keys to intended users, including how keys should be activated when received;

Storing keys, including how authorized users obtain access to keys;

Changing or updating keys, including rules on when keys should be changed and how this will be done;

Recovering keys that are lost or corrupted as part of business continuity management;

Archiving keys, e.g. for information archived or backed up;

Destroying keys.
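The lifecycle steps above, worked through as an added example in Python that is not part of the iFour slides: a small in-memory key register that generates symmetric keys from the OS random source, rotates them (the previous key drops to verify-only so data it already protects still checks), refuses to destroy the key still in use, and uses the active key to produce HMAC-SHA256 tags for the integrity/authenticity objective from slide 4. The class names (KeyRing, KeyRecord), the state labels and the sample messages are this example's own assumptions; a production deployment would keep the key material in an HSM or KMS and log every state transition for audit.

```python
"""Added example (not from the iFour slides): a minimal symmetric key register
that walks keys through generate -> active -> rotated (verify-only) -> destroyed,
and uses the active key for HMAC-SHA256 integrity/authenticity tags.
Standard library only; class and state names are this example's own."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Lifecycle states (assumed names, chosen for this example).
ACTIVE = "active"            # may create new tags and verify existing ones
DEACTIVATED = "deactivated"  # rotated out: verify-only, kept for data it already protects
DESTROYED = "destroyed"      # key material discarded; nothing tagged with it is verifiable


@dataclass
class KeyRecord:
    key_id: str
    secret: Optional[bytes]  # None once destroyed
    state: str


@dataclass
class KeyRing:
    """One ring per purpose (e.g. "invoice-mac"); keys are never shared across purposes."""
    purpose: str
    keys: Dict[str, KeyRecord] = field(default_factory=dict)
    current: Optional[str] = None

    def rotate(self) -> str:
        """Generate a fresh 256-bit key from the OS CSPRNG and make it the active key.
        The first call creates the initial key; later calls move the old key to verify-only."""
        key_id = f"{self.purpose}-v{len(self.keys) + 1}-{secrets.token_hex(4)}"
        self.keys[key_id] = KeyRecord(key_id, secrets.token_bytes(32), ACTIVE)
        if self.current is not None:
            self.keys[self.current].state = DEACTIVATED
        self.current = key_id
        return key_id

    def _tag(self, record: KeyRecord, message: bytes) -> bytes:
        # Bind the key id into the MAC input (length-prefixed) so a tag cannot be
        # re-labelled as belonging to another key.
        kid = record.key_id.encode()
        data = len(kid).to_bytes(2, "big") + kid + message
        return hmac.new(record.secret, data, hashlib.sha256).digest()

    def protect(self, message: bytes) -> Tuple[str, bytes]:
        """Tag a message with the active key; the key id travels with the tag."""
        if self.current is None:
            raise RuntimeError("no active key: call rotate() first")
        record = self.keys[self.current]
        return record.key_id, self._tag(record, message)

    def verify(self, key_id: str, message: bytes, tag: bytes) -> bool:
        """True only if the named key still exists, is not destroyed, and the tag matches."""
        record = self.keys.get(key_id)
        if record is None or record.state == DESTROYED or record.secret is None:
            return False
        # Constant-time comparison: a plain == would leak tag bytes through timing.
        return hmac.compare_digest(self._tag(record, message), tag)

    def destroy(self, key_id: str) -> None:
        """Discard key material. Refuses to destroy the active key: rotate first."""
        record = self.keys[key_id]
        if record.state == ACTIVE:
            raise ValueError("rotate before destroying the active key")
        # Python cannot reliably zero immutable bytes; a real store would wipe the HSM/KMS slot.
        record.secret = None
        record.state = DESTROYED


if __name__ == "__main__":
    ring = KeyRing("invoice-mac")
    k1 = ring.rotate()
    kid, tag = ring.protect(b"PAY 100 to ACME")           # constructed sample message
    assert ring.verify(kid, b"PAY 100 to ACME", tag)
    assert not ring.verify(kid, b"PAY 900 to ACME", tag)  # tampered message
    k2 = ring.rotate()                                    # scheduled key change
    assert ring.verify(k1, b"PAY 100 to ACME", tag)       # old data still checks
    assert ring.protect(b"new")[0] == k2                  # new tags use the new key
    ring.destroy(k1)
    assert not ring.verify(k1, b"PAY 100 to ACME", tag)   # destroyed: unverifiable
    print("lifecycle checks passed")
```

Run it directly to see the transitions exercised end to end. The verify-only state is what lets a rotation happen without re-tagging every record at once; the refusal to destroy the active key and the constant-time tag comparison are the two checks most often missing from home-grown key handling.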

Page 9

Cryptography Standards

There are a number of standards related to cryptography, for example:

Encryption standards

Hash standards

Digital signature standards

Public-key infrastructure (PKI) standards

Wireless standards

U.S. Government Federal Information Processing Standards (FIPS)

Internet Requests for Comments (RFCs)

Page 11

For more details, visit our websites:

http://www.ifour-consultancy.com
http://www.ifourtechnolab.com

Page 12

THANK YOU