ISO 27001:2022 Annex A 8.24: Mastering the Use of Cryptography
In the digital age, encryption is often seen as the silver bullet for information security. However, simply “switching on” encryption is rarely enough to satisfy a rigorous auditor. This is where ISO 27001:2022 Annex A 8.24 comes into play.
This control, titled Use of Cryptography, moves beyond the basic act of scrambling data. It requires organisations to establish a comprehensive framework for how cryptography is defined, managed, and implemented. It ensures that you aren’t just using tools blindly, but are managing the keys to the kingdom—quite literally—in a secure and compliant manner.
What is Annex A 8.24?
Annex A 8.24 is a preventive control designed to ensure the proper and effective use of cryptography to protect the confidentiality, authenticity, and integrity of information. In simple terms, it asks you to define the rules of the game.
It is not enough to say “we use HTTPS.” You need to define why you use it, what level of encryption is acceptable (e.g., AES-256), and most importantly, how you manage the cryptographic keys that lock and unlock that data. For a broader view of how this fits into the standard, you can refer to the controls listed on ISO27001.com.
The Foundation: Your Cryptography Policy
Implementation starts with documentation. You generally need a specific policy that outlines your organisation’s stance on encryption. This policy acts as the instruction manual for your IT and security teams.
Your policy should cover:
- Principles of Protection: What data actually needs encrypting? This should align with your Information Classification Policy. You rarely need to encrypt publicly available marketing brochures, but you absolutely must encrypt customer PII (Personally Identifiable Information).
- Approved Standards: Explicitly state which algorithms and protocols are permitted. For example, you might ban the use of outdated standards like DES or MD5 in favour of modern, robust alternatives.
- Legal and Regulatory Compliance: Cryptography is heavily regulated in some parts of the world. Your policy must acknowledge local laws regarding the import/export of encryption software and law enforcement access rights.
The Core Challenge: Key Management
If you ask any security expert where cryptography fails, they won’t say “the math was wrong.” They will say “someone lost the key.” This is why Annex A 8.24 places such a heavy emphasis on Key Management.
Managing cryptographic keys is arguably more important than the encryption engine itself. If you lose the key, the data is gone forever (availability issue). If a hacker steals the key, the data is compromised (confidentiality issue).
The Key Lifecycle
You must demonstrate that you manage keys throughout their entire life:
- Generation: Are keys generated using a secure method?
- Distribution: How do keys get to the users or systems that need them without being intercepted?
- Storage: Are keys stored securely, separate from the encrypted data (e.g., in a Hardware Security Module or a secure cloud key vault)?
- Rotation: Do you change keys regularly to minimise the impact of a potential compromise?
- Destruction: When a key is no longer needed, is it destroyed in a way that it can never be recovered?
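As an added example (not code from the article, the standard, or any KMS product), the constructed Ruby class below walks one record through the lifecycle above: keys are generated from the OS CSPRNG, held apart from the ciphertext in a versioned keyring, records are re-encrypted under the newest version on rotation, and a destroyed version can no longer open anything sealed under it. The Keyring class and its blob layout are hypothetical.

```ruby
require "openssl"
require "securerandom"

# Keyring: a constructed in-memory stand-in for an HSM or cloud KMS, holding
# versioned AES-256 keys apart from the ciphertext they protect (hypothetical).
class Keyring
  attr_reader :current

  def initialize
    @keys = {}
    @current = 0
  end

  # Generation: a fresh 256-bit key from the OS CSPRNG becomes the current version.
  def rotate
    @current += 1
    @keys[@current] = SecureRandom.random_bytes(32)
    @current
  end

  # Destruction: drop the version (a real HSM/KMS also zeroises it);
  # anything still sealed under it is unrecoverable.
  def destroy(version)
    @keys.delete(version)
  end

  # Seal under the current key. Blob layout: version(1) || iv(12) || tag(16) || ciphertext.
  def seal(plaintext)
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = @keys.fetch(@current)
    iv = c.random_iv
    ct = c.update(plaintext) + c.final
    [@current].pack("C") + iv + c.auth_tag + ct
  end

  # Open with the version the blob names; raises KeyError if that version was
  # destroyed, and OpenSSL::Cipher::CipherError if the GCM tag does not verify.
  def open(blob)
    version, iv, tag, ct = blob.unpack("C a12 a16 a*")
    key = @keys.fetch(version) { raise KeyError, "key version #{version} unavailable or destroyed" }
    c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    c.key = key
    c.iv = iv
    c.auth_tag = tag
    c.update(ct) + c.final
  end

  # Rotation: re-encrypt under the current key so the old version can be destroyed.
  def rewrap(blob)
    seal(open(blob))
  end
end
```

Storing the key version in the blob is what lets rotation be gradual: old records remain readable until every one has been re-wrapped and only then is the old version destroyed.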
Roles and Responsibilities
Who actually owns the encryption process? In a modern cloud environment, this can be tricky. You might rely on a cloud provider (like AWS or Azure) to handle the heavy lifting, but ISO 27001 makes it clear: you are still accountable.
You need to clarify who is responsible for generating keys, who is authorised to request access to them, and who manages the relationship with third-party cryptographic service providers. This is part of the “Shared Responsibility Model.” While your vendor provides the vault, you hold the combination.
Practical Implementation Steps
To implement this control effectively and pass your audit, follow these practical steps:
1. Classify Your Data First
Don’t try to encrypt everything; it kills performance and usability. Look at your Asset Inventory. Identify High-Risk and Confidential data. Focus your cryptographic efforts there.
2. Use Industry Standard Tools
Avoid “rolling your own” crypto. Custom-written encryption algorithms are almost always flawed. Stick to industry-standard libraries and tools that have been battle-tested. If you are using cloud services, utilise their built-in Key Management Services (KMS).
3. Secure Your Endpoints
Ensure all laptops and mobile devices are encrypted (e.g., BitLocker, FileVault). This is a quick win that satisfies a significant portion of this control regarding physical theft of devices.
4. Plan for Disaster
What happens if you lose a key? Do you have a backup? Is the backup key stored securely (e.g., in a physical safe or an offline “cold” storage)? You need a recovery process that ensures business continuity without compromising security.
Conclusion
ISO 27001 Annex A 8.24 is about maturity. It shifts an organisation from simply buying security tools to actively governing them. By defining a clear policy and rigorously managing your cryptographic keys, you not only meet the standard but also build a resilient defence against data breaches. Remember, encryption is only as strong as the key protection behind it.