In this ultimate how-to implementation guide to ISO 27001 Annex A 8.24 Use of Cryptography, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Use of Cryptography Implementation Checklist
- 1. Define Approved Cryptographic Algorithms
- 2. Implement Centralised Key Management
- 3. Enforce Data at Rest Encryption
- 4. Secure Data in Transit
- 5. Establish Key Rotation Procedures
- 6. Secure Key Generation
- 7. Implement Digital Signatures for Integrity
- 8. Manage Encryption Regulations
- 9. Segregate Keys from Data
- 10. Plan for Key Compromise
- ISO 27001 Annex A 8.24 SaaS / GRC Platform Implementation Failure Checklist
Implementing ISO 27001 Annex A 8.24 requires the establishment of rigorous rules for the use of cryptography to ensure the confidentiality, integrity, and authenticity of information. This control mandates the deployment of centralised key management, secure algorithms, and automated encryption for data at rest and in transit. The primary business benefit is protecting sensitive assets from unauthorised access and interception.
ISO 27001 Use of Cryptography Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.24. This control mandates the formulation and enforcement of rules for the effective use of cryptography to protect the confidentiality, integrity, and authenticity of information.
1. Define Approved Cryptographic Algorithms
Control Requirement: Organisation-wide rules must define which cryptographic algorithms are permissible and which are banned.
Required Implementation Step: Create a technical standard document explicitly listing the allowed algorithms and cipher suites (e.g., AES-256, RSA-2048+, Ed25519) and explicitly banning deprecated ones (e.g., DES, MD5, SHA-1). Update your web server (Nginx/Apache) and load balancer configurations so that they reject connections that attempt to negotiate banned protocol versions or ciphers.
Minimum Requirement: A configuration file exists that blocks TLS 1.0 and 1.1 connections.
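As an added illustration of how to evidence this minimum requirement (example code written for this guide, not part of the original article or any product), the following Python script parses two constructed Nginx server blocks, one weak and one hardened, and reports any banned protocol versions or cipher suites against the standard described above. The cipher tokens and protocol names it checks are assumptions chosen to match the banned list in the text.

```python
import re

# Constructed sample Nginx server blocks for this example (not from the article).
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}
"""

# Protocol versions the standard bans (assumed list matching the text above).
BANNED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher-suite names that indicate a banned algorithm.
BANNED_CIPHER_TOKENS = ("DES", "RC4", "MD5", "NULL", "EXPORT")
# OpenSSL aliases that hide which suites are really enabled.
OPAQUE_ALIASES = {"HIGH", "MEDIUM", "LOW", "DEFAULT", "ALL", "COMPLEMENTOFDEFAULT"}

def directive(conf, name):
    """Return the argument list of an Nginx directive, or [] if it is absent."""
    m = re.search(r"^\s*%s\s+([^;]+);" % re.escape(name), conf, re.MULTILINE)
    return m.group(1).split() if m else []

def check_tls_config(conf):
    """Return a list of findings; an empty list means the config meets the standard."""
    findings = []
    protocols = directive(conf, "ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols not set; older Nginx defaults allow TLSv1/TLSv1.1")
    for p in protocols:
        if p in BANNED_PROTOCOLS:
            findings.append("banned protocol enabled: %s" % p)
    for suite in ":".join(directive(conf, "ssl_ciphers")).split(":"):
        if not suite or suite.startswith("!"):
            continue  # "!MD5"-style exclusions are fine
        if suite.upper() in OPAQUE_ALIASES:
            findings.append("cipher list uses alias %s; enumerate suites explicitly" % suite)
        elif any(tok in suite.upper() for tok in BANNED_CIPHER_TOKENS):
            findings.append("banned cipher suite listed: %s" % suite)
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_tls_config(conf) or "OK")
```

Running the script against a real configuration file (`check_tls_config(open(path).read())`) gives an auditor a repeatable check rather than a manual read of the file.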
2. Implement Centralised Key Management
Control Requirement: Cryptographic keys must be managed securely throughout their lifecycle, from generation to destruction.
Required Implementation Step: Deploy a dedicated Key Management Service (KMS) or Secrets Manager (e.g., HashiCorp Vault, AWS KMS, Azure Key Vault). Move all hardcoded encryption keys out of source code and configuration files and into this secure vault, injecting them only at runtime.
Minimum Requirement: No encryption keys are stored in the application source code repository.
3. Enforce Data at Rest Encryption
Control Requirement: Sensitive data stored on physical media or in databases must be encrypted so that unauthorised physical access to the media does not expose the data.
Required Implementation Step: Enable Full Disk Encryption (FDE) (e.g., BitLocker, FileVault, dm-crypt) on all company laptops and servers. Configure database engines (SQL/NoSQL) to use Transparent Data Encryption (TDE) for all tables containing PII or financial data.
Minimum Requirement: Stolen laptops or hard drives are unreadable without the decryption key.