Cryptographic Controls Procedure
Table of Contents
Cryptographic Controls Procedure
Purpose
Scope
Roles and Responsibilities
Cryptographic Controls
Encryption Standards
Decryption Procedures
Key Management
Cryptographic Techniques
Cryptographic Implementation in Systems
Monitoring and Compliance
Policy Review and Updates
Exceptions
Approval & Acknowledgment
Purpose
This document establishes the cryptographic controls policy of the organization in alignment
with the ISO/IEC 27001:2022 standard. It defines the principles, guidelines, and measures that
safeguard the confidentiality, integrity, and availability of sensitive data through encryption,
decryption, key management, and cryptographic controls. The goal is to protect organizational
assets from unauthorized access and data breaches.
Scope
This policy applies to all employees, contractors, third-party vendors, and any entities handling
the organization's sensitive data. It covers cryptographic practices for data at rest, data in
transit, and data in use across all information systems, including servers, workstations, mobile
devices, cloud environments, and communication channels.
Roles and Responsibilities
● The Chief Information Security Officer (CISO) will oversee the strategic implementation
of cryptographic controls, ensuring compliance with policies and regulatory
requirements. They should also review cryptographic incidents and risk assessments
regularly.
● The IT Security Team will be responsible for deploying, managing, and monitoring
cryptographic mechanisms. They will also conduct periodic security assessments and
audits to validate the effectiveness of cryptographic implementations.
● The Data Owners will be accountable for classifying information, as well as determining
the appropriate cryptographic measures needed based on the sensitivity of data.
● The System Administrators will ensure the correct application and maintenance of
cryptographic solutions. They will also be responsible for key distribution, secure
storage, and system updates to maintain encryption effectiveness.
Cryptographic Controls
Encryption Standards
● All sensitive data at rest must be encrypted using the Advanced Encryption Standard
(AES) with a key length of at least 256 bits, in an authenticated mode such as AES-GCM so
that tampering with the ciphertext is detected and not only read access prevented.
● Data in transit must be secured using Transport Layer Security (TLS) version 1.2 or
higher; SSL and TLS 1.0/1.1 must be disabled on every endpoint, ensuring encryption
during network communications.
● Passwords must be stored only as hashes produced by a salted, deliberately slow
password-hashing function (PBKDF2, bcrypt, or Argon2) so that a stolen credential store
cannot be efficiently brute-forced. A password hash is verified by recomputing it from the
submitted password; it is never decrypted.
● Digital signatures must be implemented using RSA with a minimum key size of 2048 bits
or elliptic-curve signatures (ECDSA or EdDSA) on curves of at least 256 bits to ensure
data integrity and authenticity.
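As an added illustration of the password-hashing rule above (not the organization's own code and not part of this procedure), the following Python uses only the standard library's PBKDF2-HMAC-SHA256. The iteration count, salt length and the stored record layout are assumptions made for the example; the policy itself only names the algorithm family. It shows the three operations a credential store needs: hashing with a fresh salt, constant-time verification with no decryption step, and detecting records that predate the current work factor so they can be migrated at the user's next login.

```python
"""Password storage per the hashing rule above.

Added illustration, not the organization's code. The iteration count, salt
size and record layout are assumed for the example; the policy itself only
names the algorithm family.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2-sha256"   # which KDF produced the record, stored with it
ITERATIONS = 600_000          # assumed work factor; raise over time, never lower
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2-sha256$<iters>$<salt>$<hash>'.

    Each user gets a fresh random salt, so equal passwords yield different
    records and a precomputed table cannot be reused across accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=HASH_BYTES)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own parameters and compare it.

    There is no decryption step: the stored value cannot be turned back into
    the password, only checked against a candidate. compare_digest keeps the
    comparison constant-time so the mismatch position is not leaked by timing.
    """
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(iterations), dklen=len(expected))
    except (ValueError, TypeError):
        return False            # malformed record: treat as non-matching, never crash
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when the record predates the current work factor or algorithm.

    Call this right after a successful login, while the plaintext is in hand,
    and store hash_password(password) to migrate the account forward; this is
    how a policy review that raises ITERATIONS reaches existing users.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("rehash needed:", needs_rehash(stored))
```

The record carries its own algorithm name and iteration count, which is what makes a later increase of the work factor a per-account migration rather than a forced password reset.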
Decryption Procedures
● Decryption keys must only be accessible to authorized personnel who have been
explicitly granted permission.
● Logs of decryption activities must be maintained and regularly reviewed to detect
unauthorized access or anomalies.
● Decryption operations must be performed in secure environments to prevent exposure of
sensitive information.
Key Management
● Cryptographic keys must be generated in, and stored by, FIPS 140-2 or FIPS 140-3
validated hardware security modules (HSMs) to ensure secure key generation and storage.
● Private keys must never be stored in plaintext and must always be protected using
strong encryption and access control mechanisms.
● Key rotation must occur periodically, at least once every year, or immediately in the
event of a suspected compromise.
● Access to cryptographic keys must be strictly controlled through role-based access
control (RBAC), ensuring that only authorized personnel have access.
● Secure backup mechanisms must be implemented to store cryptographic keys in
geographically separated and protected environments.
Cryptographic Techniques
● Public Key Infrastructure (PKI): Used for secure authentication, digital certificates, and
encrypted email communications to ensure trusted interactions.
● Secure Multiparty Computation (SMPC): Employed for high-security data processing
without exposing sensitive data to individual parties.
● Homomorphic Encryption: Used for operations requiring computations on encrypted data
without revealing plaintext information.
● Elliptic Curve Cryptography (ECC): Utilized for secure key exchange and digital
signatures, offering robust security with smaller key sizes.
Cryptographic Implementation in Systems
● Full-disk encryption must be implemented on all organizational endpoints, servers, and
storage devices to prevent unauthorized access in case of physical theft or compromise.
● Database encryption must be applied at the field level for sensitive information such as
personal identification data, financial records, and authentication credentials.
● Secure email communication must be enforced using Secure/Multipurpose Internet Mail
Extensions (S/MIME) or Pretty Good Privacy (PGP) encryption.
● All API communications must employ mutual TLS authentication to ensure secure data
exchanges between services.
Monitoring and Compliance
● Regular security audits and penetration testing must be conducted to verify compliance
with cryptographic policies and identify potential vulnerabilities.
● Incident response teams must be immediately notified in the event of cryptographic key
compromise or suspected security breaches.
● Continuous employee training programs must be implemented to educate personnel on
cryptographic security measures and best practices.
● The organization must ensure compliance with relevant legal and regulatory
requirements, including GDPR, HIPAA, and industry-specific security standards.
Policy Review and Updates
This policy must be reviewed at least annually or whenever significant changes in cryptographic
standards, technologies, or regulatory requirements occur. All updates must be documented,
approved by the CISO, and communicated to relevant stakeholders to ensure continued
compliance and security effectiveness.
Exceptions
Any exceptions to this policy must be formally documented, justified with a risk assessment, and
approved by the CISO. A mitigation plan must be in place for any deviations to ensure that
security risks remain controlled and minimized.
Approval & Acknowledgment
Approved by: [CISO Name]
Date: [DD/MM/YYYY]