Use of Cryptography - ISO 27001 Annex A Control
ISO 27001 Annex A 8.24
Cryptography protects information when other controls fail - it has to be used right or not at all.
ISO 27001 Annex A 8.24 - Use of Cryptography
Cryptography sits at the foundation of modern information security. Encryption protects data at rest from physical compromise and data in transit from interception. Digital signatures provide integrity and non-repudiation. Hashing supports authentication. The control asks for cryptography to be used effectively - which means choosing appropriate algorithms, managing keys properly, and avoiding the common pitfalls.
Algorithm choice should follow current standards. Algorithms once considered strong (DES, MD5, SHA-1) are now broken or weakened. Current recommendations from sources such as NCSC and NIST move over time as research advances and computing capability grows. The cryptographic policy should reference these sources rather than fixing specific algorithms forever.
Key management is where cryptography most often fails in practice. Keys stored alongside the data they protect, keys hardcoded into applications, keys reused across environments, keys with no rotation schedule. Each undermines the protection that the cryptography is supposed to provide. Hardware security modules, key management services, and disciplined key lifecycle handling address these risks.
The cryptography that fails in audit is rarely the algorithm choice - it is usually the key management. Keys checked into source repositories. Keys reused between development and production. Keys with no rotation. The audit will look at how keys are generated, stored, distributed and retired, and any weakness in that lifecycle is a finding.
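A key-lifecycle check over a constructed key inventory, added here as an example (not from the page or the alphaZ toolkit), flags the failure modes named above: keys in source repositories or application config, keys stored beside the data they protect, production keys shared with other environments, and missing or overdue rotation. Key identifiers, storage labels and dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class KeyRecord:
    key_id: str
    storage: str                  # "hsm", "kms", "app_config", "source_repo", "data_volume"
    environments: frozenset       # environments that share this exact key material
    created: date
    last_rotated: Optional[date]  # None: never rotated since creation
    rotation_days: Optional[int]  # None: no rotation schedule defined
    retired: bool = False

def audit_key(rec: KeyRecord, today: date) -> list:
    """Return lifecycle findings for one key; an empty list means no finding."""
    if rec.retired:
        return []  # a retired key is out of scope once its material is destroyed
    findings = []
    if rec.storage in ("source_repo", "app_config"):
        findings.append("key material hardcoded or checked into a repository")
    if rec.storage == "data_volume":
        findings.append("key stored alongside the data it protects")
    if "production" in rec.environments and len(rec.environments) > 1:
        findings.append("production key reused in another environment")
    if rec.rotation_days is None:
        findings.append("no rotation schedule")
    else:
        age = (today - (rec.last_rotated or rec.created)).days
        if age > rec.rotation_days:
            findings.append(f"rotation overdue by {age - rec.rotation_days} days")
    return findings

def audit_inventory(records, today: date) -> dict:
    """Map key_id -> findings for every key that has at least one finding."""
    return {r.key_id: f for r in records if (f := audit_key(r, today))}

AUDIT_DATE = date(2024, 6, 1)
# Constructed sample inventory with hypothetical identifiers; no real key material.
SAMPLE_INVENTORY = [
    KeyRecord("db-tde-01", "hsm", frozenset({"production"}),
              date(2023, 1, 10), date(2024, 1, 8), 365),
    KeyRecord("api-signing", "source_repo", frozenset({"development", "production"}),
              date(2022, 6, 1), None, None),
    KeyRecord("backup-aes", "data_volume", frozenset({"production"}),
              date(2023, 3, 1), None, 180),
    KeyRecord("legacy-sftp", "app_config", frozenset({"production"}),
              date(2019, 1, 1), None, 365, retired=True),
]
```

Running `audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)` reports only the two keys with findings; the HSM-held key within its rotation window and the retired key produce none.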
Cryptography is also where regulatory requirements from outside the ISMS often surface. Payment card processing has its own cryptographic standards. Some sectors have specific algorithm requirements. The cryptographic policy should reference these where they apply rather than relying on a single ISMS-level rule.
Practical Compliance Guidance
Cryptographic use is described in the IMS1 manual at section 8.5 alongside the Information Security Policy. The cryptographic policy and key management records provide the operational evidence.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| PP-8-100 Information Security Policy Procedure | Contains the Information Security Policy including the cryptographic standards and key management requirements. Use as the source for cryptographic governance. |
Note - all the above files can be downloaded with an alphaZ subscription.
