Cryptographic Controls Policy
Document Version: 1.0
Last Updated: July 19, 2025
Classification: Internal
1. Purpose
The purpose of this policy is to ensure the proper and effective use of cryptography to protect the confidentiality, integrity, and availability of information in accordance with ISO/IEC 27001 requirements.
2. Scope
This policy applies to all personnel, systems, applications, and services that store, process, or transmit information using cryptographic controls within the organization’s IT and cloud environments, including third-party services.
3. Policy Statement
3.1 Use of Cryptographic Controls
- Cryptographic methods shall be used to protect sensitive data in transit and at rest.
- Encryption shall be applied in accordance with the classification of the information (e.g., confidential, internal, public).
- Only approved cryptographic algorithms and protocols (e.g., AES-256, RSA-2048, TLS 1.2/1.3) shall be used.
3.2 Key Management
- Cryptographic keys must be generated, stored, distributed, retired, and destroyed securely and in accordance with a defined key management process.
- Key management procedures must include:
  - Role-based access to keys
  - Regular key rotation and expiry
  - Secure key escrow and recovery
  - Logging of key access and changes
3.3 Digital Signatures and Certificates
- Digital signatures must be used to verify the authenticity and integrity of sensitive data and software artifacts.
- Only certificates issued by approved Certificate Authorities (CAs) may be used.
- Expired or revoked certificates must be removed promptly.
3.4 Cryptographic Implementation and Compliance
- All cryptographic implementations must be reviewed and approved by security personnel or cryptography experts.
- Cryptographic controls must comply with relevant legal, regulatory, and contractual obligations (e.g., GDPR, PDPA, HIPAA).
- Legacy or weak cryptographic mechanisms (e.g., MD5, SHA-1, TLS 1.0) must be phased out.
4. Roles and Responsibilities
- Information Security Team: Maintain the approved list of cryptographic algorithms, review implementations, and manage key management systems.
- IT Operations: Ensure systems apply appropriate encryption standards and monitor for compliance.
- Developers: Follow secure coding practices and utilize approved cryptographic libraries and services.
- All Staff: Protect credentials and encryption keys from unauthorized access.
5. Monitoring and Review
- Compliance with this policy shall be monitored through periodic audits, system checks, and access logs.
- The policy shall be reviewed annually or upon significant changes in technology or compliance requirements.
6. Exceptions
Any exception to this policy must be formally approved by the Information Security Manager with documented justification and risk acceptance.
7. Related Documents
- Information Classification Policy
- Key Management Procedures
- Secure Development Policy
- Access Control Policy
8. References
- ISO/IEC 27001:2022 Annex A.10.1 – Cryptographic Controls
- ISO/IEC 27002:2022 – Guidelines on implementation of cryptographic controls
- NIST SP 800-57 – Key Management Guidelines
- OWASP Cryptographic Storage Cheat Sheet