Encryption is a cryptographic process for scrambling data into an unreadable format to ensure information confidentiality and integrity under ISO 27001. The formalisation of a robust cryptographic policy is the primary implementation requirement, delivering the business benefit of sustained data protection and citable regulatory compliance.
What is Encryption?
ISO 27001 Encryption is a way of scrambling information so that it can’t be read by just anyone. Think of it like a secret code. You use a key to lock the information, and only someone with the right key can unlock it to see the original message.
Examples
- Private Messaging: Sending a private message to a friend online. The app uses encryption to make sure only your friend can read it.
- Financial Transactions: Protecting your credit card details when you shop on a website. The website uses encryption to keep your information safe.
Context
In the world of ISO 27001, which is about keeping information safe, encryption is a key tool. It helps companies protect their important information, like customer details or business secrets, from being seen by people who shouldn’t see it. It’s a way of making sure that even if someone gets the information, they can’t understand it.
How to implement Encryption
1. Formalise the Cryptographic Policy
Provision a formal Cryptographic Policy that defines the organisation’s rules for the protection of information: This document acts as the technical baseline for algorithm selection, key management, and implementation standards. Key requirements include:
- Defining the required encryption levels based on data classification labels.
- Identifying roles and responsibilities for cryptographic key management.
- Documenting the legal and regulatory requirements for encryption in your specific jurisdiction.
2. Audit the Information Asset Register
Audit the centralised Asset Register to identify 100% of the data sets requiring cryptographic protection: You cannot protect data that has not been identified and categorised. Technical actions include:
- Mapping data locations across on-premise servers, mobile devices, and cloud SaaS platforms.
- Identifying “Personally Identifiable Information” (PII) and “Intellectual Property” (IP).
- Documenting the data owner for every high-value information asset.
3. Provision TLS Encryption for Data in Transit
Provision Transport Layer Security (TLS) for 100% of data moving across public and internal networks: This technical control prevents man-in-the-middle attacks and ensures communication privacy. Technical requirements include:
- Enforcing TLS 1.2 or higher for all web-facing applications and APIs.
- Revoke support for legacy protocols such as SSL and early versions of TLS.
- Utilising secure VPN tunnels for all remote administrative access to the network.
4. Provision Technical Controls for Data at Rest
Provision full-disk encryption and database-level encryption to protect stored information: This ensures that if physical hardware is lost or cloud buckets are misconfigured, the data remains unreadable. Implementation steps involve:
- Deploying AES-256 bit encryption for all corporate laptops and mobile devices.
- Enabling transparent data encryption (TDE) for all production databases.
- Configuring server-side encryption for all cloud-based storage repositories.
5. Formalise a Robust Key Management System (KMS)
Formalise a centralised Key Management System to handle the lifecycle of cryptographic keys: Secure key management is the most critical technical failure point during ISO 27001 audits. Requirements include:
- Utilising Hardware Security Modules (HSM) or cloud-native KMS providers.
- Implementing automated key rotation schedules to reduce the impact of potential key compromise.
- Documenting secure procedures for key generation, storage, and archival.
6. Enforce Multi-Factor Authentication (MFA) for Key Access
Enforce the Principle of Least Privilege (PoLP) by restricting access to cryptographic keys via IAM roles: This technical safeguard ensures that only authorised administrators can access the “Keys to the Kingdom.” Necessary actions include:
- Mandating Multi-Factor Authentication (MFA) for 100% of KMS administrative logins.
- Assigning Identity and Access Management (IAM) roles that require manager approval for key retrieval.
- Utilising “Just-In-Time” (JIT) access protocols for high-sensitivity cryptographic operations.
7. Revoke Weak or Legacy Cryptographic Algorithms
Audit and revoke any legacy cryptographic algorithms that are no longer considered secure by industry standards: Using outdated encryption such as MD5 or SHA-1 will result in a major non-conformity. Technical requirements include:
- Scanning the technical estate for deprecated ciphers and hashing algorithms.
- Updating system configurations to only allow NIST-approved cryptographic modules.
- Documenting the technical justification for any exceptions within the Risk Register.
8. Provision Data Loss Prevention (DLP) Integrations
Provision Data Loss Prevention rules to identify and block the transmission of unencrypted sensitive data: This provides an automated layer of protection against human error or malicious exfiltration. Implementation involves:
- Configuring DLP sensors to recognise unencrypted credit card numbers or PII.
- Enforcing automatic encryption for email attachments containing sensitive technical documents.
- Auditing DLP logs weekly to identify gaps in the encryption implementation.
9. Audit Implementation via Technical Vulnerability Scanning
Audit the encryption framework through regular vulnerability scans and penetration testing: This provides objective evidence that the controls are operating effectively in a real-world environment. Verification methods include:
- Conducting automated scans to verify the validity and expiry dates of SSL/TLS certificates.
- Performing authenticated scans on servers to confirm active full-disk encryption.
- Including cryptographic failure scenarios within your annual penetration test ROE document.
10. Formalise Cryptographic Incident Response Playbooks
Formalise specific incident response playbooks for cryptographic failures: This ensures the organisation can react quickly to lost keys or compromised encrypted volumes. Necessary steps are:
- Documenting the “Key Compromise” recovery procedure.
- Assigning technical responders for cryptographic alerts within the SOC.
- Conducting annual tabletop exercises to test the speed of the key restoration process.
Encryption FAQ
What is encryption in the context of ISO 27001?
Encryption is the technical process of encoding information so only authorised parties can access it. Under ISO 27001:2022 Control 8.24, encryption is used to protect 100% of sensitive data at rest and in transit, ensuring confidentiality and integrity across the organisation’s technical estate.
Is encryption mandatory for ISO 27001 certification?
Encryption is effectively mandatory for ISO 27001 if your risk assessment identifies data sensitivity. While the standard allows for alternative controls, failing to encrypt high-risk data like PII often results in technical non-conformity, with approximately 95% of Lead Auditors expecting active cryptographic safeguards.
Which encryption standards does ISO 27001 require?
ISO 27001 does not mandate specific algorithms but requires industry-standard cryptography based on risk. To satisfy technical audit criteria, organisations should implement the following protocols:
- Data at Rest: AES-256 bit encryption for all laptops, servers, and cloud storage volumes.
- Data in Transit: TLS 1.2 or TLS 1.3 for 100% of network communications and APIs.
- Hashing: SHA-256 or higher for secure password storage and data integrity verification.
How does ISO 27001 handle cryptographic key management?
Cryptographic keys must be managed through a formalised lifecycle covering generation, storage, usage, and destruction. Key management failure is a top technical risk; auditors verify that 100% of keys are protected using Hardware Security Modules (HSM) or cloud-native Key Management Systems (KMS).
Relevant ISO 27001 Controls
| Related ISO 27001 Control / Concept | Relationship Description |
|---|---|
| ISO 27001 Annex A 8.24: Use of Cryptography | Direct Control: While not explicitly listed in the page’s “Relevant Controls” snippet, this is the primary control for encryption (cryptography) in the 2022 standard, governing the use of scrambling techniques to protect data. |
| ISO 27001 Annex A 5.14: Information Transfer | Communication Security: Encryption is a vital tool for ensuring that information moving between systems or people remains confidential and protected from interception during transit. |
| ISO 27001 Annex A 5.33: Protection of Records | Storage Security: Encryption is used to protect stored records and sensitive documents from unauthorized access or tampering, ensuring their long-term integrity and confidentiality. |
| ISO 27001 Annex A 8.25: Secure Development Life Cycle | Design Integration: Requires that encryption and other security measures are planned and built into software and systems from the very beginning of a project. |
| ISO 27001 Annex A 8.28: Secure Coding | Implementation: Ensures that developers correctly implement cryptographic libraries and encryption protocols to prevent vulnerabilities like “plaintext” data exposure in applications. |
| ISO 27001 Annex A 8.7: Protection Against Malware | Defensive Tool: Encryption helps mitigate the impact of certain malware types; for example, data that is already encrypted may remain protected even if exfiltrated by an attacker. |
| ISO 27001 Annex A 8.34: Protection During Audit | Operational Safety: Ensures that encryption is maintained and sensitive data is protected while auditors or testers are performing checks on live systems. |
| Glossary: Confidentiality | Primary Goal: Encryption is the most effective technical method for preserving confidentiality, ensuring data is only understandable to those with the authorized “secret key.” |
| ISO 27001 Glossary of Terms (Main Index) | Parent Directory: The central index where Encryption is categorized as a vital technological and data protection term. |
About the author
