High Table Logo Website

ISO27001:2022

ISO27001 Clauses
ISO 27001 Clause 4.1 Understanding The Organisation And Its Context

ISO 27001 Clause 4.2 Understanding The Needs And Expectations of Interested Parties

ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System

ISO 27001 Clause 4.4 Information Security Management System

ISO 27001 Clause 5.1 Leadership and Commitment

ISO 27001 Clause 5.3 Organisational Roles, Responsibilities and Authorities

ISO 27001 Clause 6.1.1 Planning General

ISO 27001 Clause 6.1.2 Information Security Risk Assessment

ISO 27001 Clause 6.1.3 Information Security Risk Treatment

ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them

ISO 27001 Clause 6.3 Planning Of Changes

ISO 27001 Clause 7.1 Resources

ISO 27001:2022 Clause 7.2 Competence

ISO 27001 Clause 7.3 Awareness

ISO 27001 Clause 7.4 Communication

ISO 27001 Clause 7.5.1 Documented Information

ISO 27001 Clause 7.5.2 Creating and Updating Documented Information

ISO 27001 Clause 7.5.3 Control of Documented Information

ISO 27001 Clause 8.1 Operational Planning and Control

ISO 27001 Clause 8.2 Information Security Risk Assessment

ISO 27001 Clause 8.3 Information Security Risk Treatment

ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation

ISO 27001 Clause 9.2 Internal Audit

ISO 27001 Clause 9.3 Management Review

ISO 27001 Clause 10.1 Continual Improvement

ISO 27001 Clause 10.2 Nonconformity and Corrective Action

ISO27001 Organisation Controls

ISO27001 Annex A 5.1 Policies for information security

ISO27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO27001 Annex A 5.3 Segregation of duties

ISO27001 Annex A 5.4 Management responsibilities

ISO27001 Annex A 5.5 Contact with authorities

ISO27001 Annex A 5.6 Contact with special interest groups

ISO27001 Annex A 5.7 Threat intelligence

ISO27001 Annex A 5.8 Information security in project management

ISO27001 Annex A 5.9 Inventory of information and other associated assets

ISO27001 Annex A 5.10 Acceptable use of information and other associated assets

ISO27001 Annex A 5.11 Return of assets

ISO27001 Annex A 5.12 Classification of information

ISO27001 Annex A 5.13 Labelling of information

ISO27001 Annex A Cotrol 5.14 Information transfer

ISO27001 Annex A 5.15 Access control

ISO27001 Annex A 5.16 Identity management

ISO27001 Annex A 5.17 Authentication information

ISO27001 Annex A 5.18 Access rights

ISO27001 Annex A 5.19 Information security in supplier relationships

ISO27001 Annex A 5.20 Addressing information security within supplier agreements

ISO27001 Annex A 5.21 Managing information security in the ICT supply chain

ISO27001 Annex A 5.22 Monitoring, review and change management of supplier services

ISO27001 Annex A 5.23 Information security for use of cloud services

ISO27001 Annex A 5.24 Information security incident management planning and preparation

ISO27001 Annex A 5.25 Assessment and decision on information security events

ISO27001 Annex A 5.26 Response to information security incidents

ISO27001 Annex A 5.27 Learning from information security incidents

ISO27001 Annex A 5.28 Collection of evidence

ISO27001 Annex A 5.29 Information security during disruption

ISO 27001 Annex A Cotrol 5.30 ICT readiness for business continuity

ISO27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO27001 Annex A 5.32 Intellectual property rights

ISO27001 Annex A 5.33 Protection of records

ISO27001 Annex A 5.34 Privacy and protection of PII

ISO27001 Annex A 5.35 Independent review of information security

ISO27001 Annex A 5.36 Compliance with policies and standards for information security

ISO27001 Annex A 5.37 Documented operating procedures

ISO27001 People Controls

ISO27001 Annex A 6.1 Screening

ISO27001 Annex A 6.2 Terms and conditions of employment

ISO27001 Annex A 6.3 Information security awareness, education and training

ISO27001 Annex A 6.4 Disciplinary process

ISO27001 Annex A 6.5 Responsibilities after termination or change of employment

ISO27001 Annex A 6.6 Confidentiality or non-disclosure agreements

ISO27001 Annex A 6.7 Remote working

ISO27001 Annex A 6.8 Information security event reporting

ISO27001 Physical Controls

ISO27001 Annex A 7.1 Physical security perimeter

ISO27001 Annex A 7.2 Physical entry controls

ISO27001 Annex A 7.3 Securing offices, rooms and facilities

ISO27001 Annex A 7.4 Physical security monitoring

ISO27001 Annex A 7.5 Protecting against physical and environmental threats

ISO27001 Annex A 7.6 Working in secure areas

ISO27001 Annex A 7.7 Clear desk and clear screen

ISO27001 Annex A 7.8 Equipment siting and protection

ISO27001 Annex A 7.9 Security of assets off-premises

ISO27001 Annex A 7.10 Storage media

ISO27001 Annex A 7.11 Supporting Utilities

ISO27001 Annex A 7.12 Cabling Security

ISO27001 Annex A 7.13 Equipment Maintenance

ISO27001 Annex A 7.14 Secure Disposal or Re-Use of Equipment

ISO27001 Technical Controls

ISO27001 Annex A 8.1 User Endpoint Devices

ISO27001 Annex A 8.2 Privileged Access Rights

ISO27001 Annex A 8.3 Information Access Restriction

ISO27001 Annex A 8.4 Access To Source Code

ISO27001 Annex A 8.5 Secure Authentication

ISO27001 Annex A 8.6 Capacity Management

ISO27001 Annex A 8.7 Protection Against Malware

ISO27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO27001 Annex A 8.9 Configuration Management 

ISO27001 Annex A 8.10 Information Deletion

ISO27001 Annex A 8.11 Data Masking

ISO27001 Annex A 8.12 Data Leakage Prevention

ISO27001 Annex A 8.13 Information Backup

ISO27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO27001 Annex A 8.15 Logging

ISO27001 Annex A 8.16 Monitoring Activities

ISO27001 Annex A 8.17 Clock Synchronisation

ISO27001 Annex A 8.18 Use of Privileged Utility Programs

ISO27001 Annex A 8.19 Installation of Software on Operational Systems

ISO27001 Annex A 8.20 Network Security

ISO27001 Annex A 8.21 Security of Network Services

ISO27001 Annex A 8.22 Segregation of Networks

ISO27001 Annex A 8.23 Web Filtering

ISO27001 Annex A 8.24 Use of Cryptography

ISO27001 Annex A 8.25 Secure Development Life Cycle

ISO27001 Annex A 8.26 Application Security Requirements

ISO27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO27001 Annex A 8.28 Secure Coding

ISO27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO27001 Annex A 8.30 Outsourced Development

ISO27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO27001 Annex A 8.32 Change Management

ISO27001 Annex A 8.33 Test Information

ISO27001 Annex A 8.34 Protection of information systems during audit testing

ISO 27001 Jumpstart Kit
ISO 27001 Certification Kit
ISO 27001 Consultant Toolkit

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 8.24 Use of Cryptography

ISO 27001 Annex A 8.24 Use of Cryptography

Last updated Aug 21, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Use of Cryptography

Table of contents

ISO 27001 Cryptography

ISO 27001 Annex A 8.24 Use of Cryptography is an ISO 27001 control that requires us to define and manage the rules associated with cryptography, which in laymen’s terms is encryption.

Purpose

ISO 27001 Annex A 8.24 is a preventive control to ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography.

Definition

The ISO 27001 standard defines ISO 27001 Annex A 8.24 as:

Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.

ISO27001:2022 Annex A 8.24 Use of Cryptography
ISO 27001 Toolkit
Get the ISO 27001 Certification Kit >

Implementation Guide

The implementation of cryptography can be as simple or as difficult as you want to make it. Let us take a look at some of the considerations and guidance.

The Law

The main overriding factor of any implementation of this controls is the law. The laws around encryption and cryptography vary around the world and even within countries so it is paramount that what ever you are going to do, you get checked and signed of by a legal professional and keep evidence of the advice that you received.

Information Classification and Handling Policy

Information classification is a requirement of the standard and good practice. You will implement a topic specific information classification and handling policy, either with the template or writing it yourself, and the considerations for encryption will be captured within in. For simplicity, it is usual, that confidential data, or data of the highest classification, will be encrypted during transmission and at rest.

More information on the requirements of the standard is covered in ISO 27001 Annex A 5.12 Classification Of Information and there is a handy ISO 27001 Information Classification and Handling Policy Beginner’s Guide

ISO 27001 Information Classification and Handling Policy Template
ISO 27001 Information Classification Summary Template

Topic Specific Cryptography Policy

To meet the requirements of this particular ISO 27001 clause you are going to need a topic specific policy for cryptography and for key management.

The topic-specific policy on cryptography defined by the organisation will include the general
principles for the protection of information. A topic-specific policy on the use of cryptography is
necessary to reduce the risks of using cryptographic techniques and to avoid inappropriate or incorrect use.

ISO 27001 Cryptographic Control and Encryption Policy Template
ISO 27001 Cryptographic Key Management Policy Template

Standards

When using encryption it is likely that you will use default and off the shelf technology but you should consider and record that standards that you are following and include in that information on cipher strength, algorithms used.

Technical Implementation

You will implement the technology required to realise what you have set out in your topic specific policies. The best approach is the use of industry standard technologies and usually that means the built in product features of technology that you already have.

As part of the technical implementation you will implement endpoint encryption and this is, where feasible, for all endpoints including mobile devices.

Key Management

This is an important step as the keys are the things that can cause you a lot of problems if they are compromised or even if you forget what they are. The implementation of a robust key management process is therefore, pardon the pun, key.

There are many steps to consider in the management of keys so let us list out the common ones that you will need to address.

  • Generating keys
  • Issuing keys
  • Obtaining Public Keys
  • Distributing keys
  • Storing keys
  • Changing keys
  • Updating keys
  • Dealing with key compromise
  • Dealing with key loss
  • Revoking keys
  • Recovering keys
  • Backing up keys
  • Destroying keys
  • Logging key management activity
  • Monitoring key management activity
  • Responding to legal requests for keys

Practical Real World

This really is going to depend but for most small business this requirement really comes down to encrypting devices and this is usually with standard or built in technology. The management of keys is often built in and easy to implement. The advice would be that unless you need something overly sophisticated keep it simple. Have HTTPs on your website, encrypt traffic, rely on the network technology of the likes of Azure and AWS and the apps that use that all these days are connections over encrypted links. Be able to show how the keys are managed in line with the above key management process requirements which again is usually easy to do and built into the technology that you are using.

The questions most asked at audit is, what if you loose the key, who knows what the key is, where is the key stored and is the key stored securely.

Cryptographic Objectives

The objectives of cryptography may seem common sense but lets us examine them.

You are looking to ensure the confidentiality of data as the main objective. We want to reduce the risk of a data breach, of data being intercepted and if it is intercepted we want that data to be useless.

It can be the case that cryptography can ensure non-repudiation, which means that we can provide evidence of events or actions.

Finally it can be used to authentication, to grant access only to the right people or resources or entities.

Further Reading

ISO 27001 Controls Ultimate Guide

Tags: Availability Confidentiality Integrity Preventive Protect Protection Secure Configuration
Stuart Barker, ISO 27001 expert

Stuart Barker
ISO 27001 Expert and Thought Leader

ISO 27001 Toolkit Business Edition
Stuart Barker, ISO 27001 expert

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.