In today’s digital environment where data breaches and cyber threats are increasingly common, safeguarding sensitive information has emerged as a top priority. Cryptographic controls play a vital role in protecting digital assets and maintaining data integrity in information security systems.

What is Cryptography?

Cryptography is the process of securing communication and data by converting them into an unreadable form, making it incomprehensible to unauthorized individuals. It is a fundamental component in protecting sensitive information from unauthorized access and ensuring its integrity.

The history of cryptography dates back thousands of years, with ancient civilizations using various encryption methods to transmit secret messages. They were later on developed into sophisticated algorithms.

Some types of cryptography are:

• Encryption – The process of transforming plaintext, which is plain and readable data, into what is called ciphertext or an encrypted form. It involves the use of an encryption algorithm and a cryptographic key to convert the data into an unclear format.
• Decryption – It is the opposite process of encryption. Here the encrypted ciphertext is converted back into plaintext using a decryption algorithm and the appropriate cryptographic key.
• Symmetric key cryptography – Often known as secret key cryptography, employs a single key for both encryption and decryption. The same secret key is shared by communicating parties, ensuring secure and confidential communication.
• Asymmetric key cryptography – It requires the use of two mathematically linked keys: a public key that can be shared for encryption and a secret private key for decoding. This sort of cryptography is also known as public key cryptography.
• Hash functions – These are cryptographic methods used to convert data into a fixed-length string of characters known as a hash value or digest, which will change even if the input data changes little.

Cryptographic Controls in Information Security

The Role of Cryptographic Controls

Cryptographic controls serve as a crucial line of defense against various threats, including unauthorized access, data breaches, tampering, and eavesdropping. By implementing cryptographic controls, organizations can establish a secure foundation for their information security systems.

The implementation of cryptographic controls brings several benefits, such as:

• Confidentiality – Cryptographic controls ensure that only authorized individuals can access confidential information, protecting it from unauthorized disclosure.
• Data integrity – By using cryptographic controls, organizations can verify the integrity of data and detect any unauthorized modifications or tampering.
• Authenticity – Cryptographic controls provide a means to verify the authenticity of data and the identities of communicating parties, preventing impersonation and ensuring trust.
• Non-repudiation – Cryptographic controls enable the creation of digital signatures, which provide evidence of the origin and integrity of electronic data, ensuring that parties cannot deny their involvement in a transaction.

Cryptographic controls find application in various scenarios and use cases within information security systems including data protection, secure communication and transport, non-repudiation of transactions, etc.

What are Cryptographic Controls in ISO/IEC 27001

ISO/IEC 27001 is an internationally recognized standard which provides a systematic approach to managing information security risks. It outlines a set of requirements and best practices that organizations can follow to establish, implement, maintain, and continually improve their ISMS.

Cryptography plays a significant role within the ISO/IEC 27001 framework and organizations seeking ISO/IEC 27001 implementation must comply with the appropriate cryptographic controls to protect their information assets.

Cryptography is explicitly mentioned within annex A Control 8.24 of ISO/IEC 27001:2022 standard as a means to protect information. It highlights the importance of selecting and implementing appropriate cryptographic controls to mitigate risks and ensure the confidentiality, integrity, and availability of information assets.

Cryptographic Controls Requirements

While the cryptographic controls are explicitly mentioned in ISO/IEC 27001, ISO/IEC 27002 explains them in a more detailed manner, providing guidelines and best practices for implementing them. It specifies several requirements related to cryptographic controls that organizations must fulfill to meet the standard. These requirements encompass areas such as:

• Identifying risks and appropriate cryptographic controls – ISO/IEC 27002 emphasizes the need for organizations to conduct risk assessments to identify the potential risks associated with their information assets. These risk assessments allow organizations to determine the appropriate cryptographic controls to implement.
• Cryptographic key management – Effective key management is critical to ensuring the security of cryptographic systems. ISO/IEC 27002 requires organizations to establish robust key management procedures, based on standards, procedures, and secure methods. It includes key generation, key storage, key distribution, key usage, key backup, key recovery, and key disposal.
• Cryptographic algorithms and protocols – ISO/IEC 27002 encourages the identification and use of cryptographic algorithms and protocols that are deemed secure and widely accepted. Organizations should assess the strength and suitability of cryptographic algorithms based on industry best practices.
• Compliance and legal considerations – ISO/IEC 27002 emphasizes the importance of regularly ensuring compliance with any legal, regulatory, or contractual requirements related to cryptography.

Developing a Cryptographic Control Policy

To ensure the effective implementation of cryptographic controls, organizations should develop a control policy that outlines the guidelines and procedures for utilizing cryptography within their information security framework.

A cryptographic control policy serves as a comprehensive document that guides organizations in implementing and managing these controls consistently. It provides clear instructions to ensure the proper use of cryptography and maintain a secure environment.

Some of the key components of a cryptographic control policy are:

• Policy statement and objectives
• Roles and responsibilities
• Cryptographic controls implementation guidelines
• Key management procedures
• Incident response and reporting

Cryptographic controls are indispensable tools in information security, playing a crucial role in safeguarding sensitive data and ensuring the integrity and confidentiality of information. Understanding the basic concepts of cryptography, their significance in ISO/IEC 27001, and the appropriate use of cryptographic controls is essential for organizations aiming to establish robust information security frameworks.

About the Author

Vlerë Hyseni is the Digital Content Officer at PECB. She is in charge of doing research, creating, and developing digital content for a variety of industries. If you have any questions, please do not hesitate to contact her at: content@pecb.com.