How to implement ISO 27001 Annex A 8.24 – A certification body's guide

ISO 27001 Annex A 8.24: a certification body's official guide to implementing the control

Welcome to your guide on implementing one of the most technical controls in the standard. At ISO27001.com, we know that the word cryptography can sound intimidating. It brings to mind complex maths and hackers in dark rooms. For your information security management system, though, it is much simpler: it is about having a plan for protecting data so that unauthorised people cannot read it, or alter it without being detected.

Annex A 8.24 is titled “Use of cryptography”. It requires you to define and implement rules for the effective use of cryptography, including key management, so that encryption actually protects the confidentiality, authenticity, and integrity of your information. As a certification body, we want to see that you are not just buying tools but using them with a clear strategy. This guide walks you through what you need to do.

Understanding the Basics of Annex A 8.24

This control requires you to define and implement rules for the effective use of cryptography, including the management of cryptographic keys. You likely use encryption every day without thinking about it: when you visit a secure website or send a message on a secure messaging app, you are using it. For ISO 27001, you must formalise this use.

You need to decide what data needs protection. Not all data needs the same level of protection: public marketing materials do not need the same safeguards as customer credit card numbers. Assess the risks and apply controls where they matter most. This approach focuses your money and computing power where they are actually needed.

Developing Your Cryptographic Policy

The first step is documentation. We expect to see a topic-specific policy on the use of cryptographic controls. This document does not need to be a textbook on algorithms; it is a set of rules for your organisation.

Your policy should state the general principles you follow and define the required level of protection for each classification of information. For example, you might state that all laptops must have full-disk encryption, and that sensitive data sent over public networks must be encrypted.

At ISO27001.com, we advise you to reference current, published standards. Do not invent your own encryption methods. Stick to industry standards such as AES for data at rest and a current version of TLS (1.2 or later) for data in transit, and state the approved key lengths and modes in the policy. Your policy should explicitly forbid proprietary or secret algorithms. Standard algorithms are publicly reviewed, tested and trusted; home-grown ones are not.

The Importance of Key Management

Encryption is only as good as the keys used to lock and unlock the data. If you leave the key under the doormat, the strongest lock in the world is useless. This is why Annex A 8.24 places a heavy focus on key management.

You must have a process for the entire lifecycle of a cryptographic key: generating it, storing it, distributing it, rotating it, and eventually destroying it. We often see organisations encrypt data but store the decryption key in the same folder as the data. This is a major failure, because anyone who obtains the data also obtains the key. Keep keys separate from the encrypted data, ideally in a dedicated key store such as a hardware security module or a cloud key-management service, and store only a key identifier alongside the ciphertext.

Consider who has access to these keys. Restrict access to the absolute minimum number of people, and record who they are. If a key is lost or compromised, you need a plan to revoke it, issue a new one and re-encrypt the affected data. You also need to consider what happens when a key holder leaves the company: their access must be removed, and any keys they held personally should be rotated.
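The lifecycle described above, as an added example that is not part of this guide or of any certification body's material (Go, using only the standard library's AES-GCM): keys live in a KeyStore kept apart from the Record objects stored with the data, each record carries only the identifier of the key that protects it, and Rotate shows the revoke-and-reissue step by generating a new key, re-encrypting the records, and destroying the old key. KeyStore, Record, the "dek-0001" key-ID scheme and the in-memory map are all invented for the illustration; in a real deployment the map would be a hardware security module or key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Added example, not from the guide: a minimal key lifecycle (generate, store,
// use, rotate, destroy) built on AES-256-GCM. KeyStore and Record are invented
// names; the in-memory map stands in for a separate key vault (an HSM or KMS in
// practice). KeyStore holds keys by ID, apart from the records they protect.
type keyID string
type KeyStore struct {
	keys    map[keyID][]byte
	current keyID
	counter int
}

// Record is what sits next to the data: nonce, ciphertext and only the key's ID.
type Record struct{ KeyID keyID; Nonce, Ciphertext []byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[keyID][]byte{}} }

// Generate creates a fresh random 256-bit key and makes it the current key.
func (ks *KeyStore) Generate() (keyID, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return "", err
	}
	ks.counter++
	id := keyID(fmt.Sprintf("dek-%04d", ks.counter))
	ks.keys[id], ks.current = k, id
	return id, nil
}

func (ks *KeyStore) HasKey(id keyID) bool { _, ok := ks.keys[id]; return ok }

// Destroy removes the key; a real vault would also wipe the material. Anything
// encrypted only under this key becomes unrecoverable, which is the point.
func (ks *KeyStore) Destroy(id keyID) { delete(ks.keys, id) }

func (ks *KeyStore) aead(id keyID) (cipher.AEAD, error) {
	key, ok := ks.keys[id]
	if !ok {
		return nil, fmt.Errorf("key %q is not available (destroyed or unknown)", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the current key. The key ID is bound as
// associated data, so a record cannot later be re-pointed at another key.
func (ks *KeyStore) Encrypt(plaintext []byte) (Record, error) {
	aead, err := ks.aead(ks.current)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{KeyID: ks.current, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(ks.current))}, nil
}

// Decrypt fails if the key was destroyed or the record was tampered with.
func (ks *KeyStore) Decrypt(r Record) ([]byte, error) {
	aead, err := ks.aead(r.KeyID)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.KeyID))
}

// Rotate is the response to a lost or compromised key: issue a new key,
// re-encrypt every record under it, then destroy the old one.
func (ks *KeyStore) Rotate(records []Record) ([]Record, error) {
	old := ks.current
	if _, err := ks.Generate(); err != nil {
		return nil, err
	}
	out := make([]Record, 0, len(records))
	for _, r := range records {
		pt, err := ks.Decrypt(r)
		if err != nil {
			return nil, err
		}
		nr, err := ks.Encrypt(pt)
		if err != nil {
			return nil, err
		}
		out = append(out, nr)
	}
	ks.Destroy(old)
	return out, nil
}
```

Two behaviours are worth noticing. After Rotate, a record still tagged with the destroyed key's ID can no longer be decrypted, which is what destruction means in practice. And a record whose ciphertext has been altered by even one byte is rejected outright, because GCM authenticates as well as encrypts; that is the integrity and authenticity the control asks for, not only confidentiality.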

Legal and Regulatory Requirements

Cryptography is powerful, and because of this, it is regulated. Some countries have strict laws on the import, export and use of cryptographic technology. If you operate globally, you must be aware of the laws in each jurisdiction you work in.

Your policy should acknowledge these legal requirements. For example, some authorities may require access to encrypted information under a court order, and you need to know in advance how you would handle such a request. Ignoring these regulations can lead to significant legal trouble, which is exactly the kind of risk your ISMS is meant to prevent.


What the Auditor Expects to See

When an auditor from a body like ours visits, they will look for specific evidence. We will ask to see your policy and check that it is reviewed regularly. We will look at your devices to confirm that encryption is actually turned on, not merely required on paper.

We will also ask about your key management. We might ask a system administrator how they generate keys, and how they dispose of old ones. If you use a cloud provider, we will check that you understand how the provider manages keys on your behalf and which parts of that responsibility remain yours. You are still responsible for the security of your data even when it is in the cloud.

Do not panic if you are not a maths genius. We do not expect you to write code; we expect you to manage risk. If you can show that you have identified your sensitive data and applied standard encryption tools to protect it, you are on the right path.

Summary

Implementing Annex A 8.24 is about discipline: applying consistent rules to protect your most valuable assets. Start with a clear policy. Manage your keys with care. Adhere to legal requirements. If you do these things, you will satisfy the auditor and, more importantly, keep your data safe.