Encryption is one of the most important tools that modern businesses have at their disposal. Confidential information is their lifeblood, and it’s constantly flowing through their systems – between databases, removable devices, emails and suppliers.
If organisations don’t take appropriate steps to protect sensitive information, they increase the risk of it being compromised.
ISO 27001, the international standard that describes best practice for an ISMS (information security management system), covers cryptography in Annex A.10 of the 2013 edition (in the 2022 edition the equivalent control is 8.24, "Use of cryptography").
In this blog, we explain everything you need to know about encryption and ISO 27001’s cryptographic controls.
What is encryption?
Encryption is a mechanism that transforms readable data (plaintext) into unreadable ciphertext. Anyone who wishes to interpret the information needs the decryption key, which reverts the ciphertext to its original form. The security of the scheme therefore depends on that key being kept secret.
A basic example would be replacing each letter with another according to a fixed rule. For instance, if each letter of ‘Hello’ is replaced by the key one position to its left on a standard keyboard, the word becomes ‘Gwkki’. Note that this toy scheme has no secret key at all: anyone who knows the rule can undo it.
In a cyber security context, encryption is far more sophisticated than that. Modern algorithms, used with a sufficiently long random key, produce ciphertext that cannot be recovered without the key in any practical amount of time, however much computing power the attacker has.
Cloudflare’s explainer on encryption shows a sample of ciphertext to illustrate this, and puts it this way: “Although encrypted data appears random, encryption proceeds in a logical, predictable way, allowing a party that receives the encrypted data and possesses the right key to decrypt the data, turning it back into plaintext.”
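To make the two ideas above concrete, here is an added worked example. It is not code from the original post or from Cloudflare, and the function names (`keyboard_shift`, `encrypt`, `decrypt`, `demo`) are illustrative. It puts the keyboard-shift toy, which has no key and so can be undone by anyone who knows the trick, beside a keyed, authenticated scheme built only from Python’s standard library: HMAC-SHA256 in counter mode supplies the keystream and a second HMAC over the nonce and ciphertext acts as the authentication tag (encrypt-then-MAC). The wrap-around for letters at the edge of a keyboard row is an assumption the text does not make. The construction is here to show the mechanics; production systems should use AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
import hashlib
import hmac
import secrets

# --- The toy from the text: shift each letter one key to the left on a QWERTY row.
# Assumption (not stated in the text): a letter at the left edge wraps to the right
# end of its row. There is no key, so anyone can reverse it with direction=+1.
_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def keyboard_shift(text: str, direction: int = -1) -> str:
    out = []
    for ch in text:
        for row in _ROWS:
            i = row.find(ch.lower())
            if i != -1:
                new = row[(i + direction) % len(row)]
                out.append(new.upper() if ch.isupper() else new)
                break
        else:
            out.append(ch)  # non-letters pass through unchanged
    return "".join(out)


# --- Keyed, authenticated encryption from stdlib primitives (illustrative only).
KEY_LEN = 32    # 256-bit master key
NONCE_LEN = 16  # fresh random value per message
TAG_LEN = 32    # full HMAC-SHA256 output


def generate_key() -> bytes:
    return secrets.token_bytes(KEY_LEN)


def _subkeys(key: bytes):
    # Domain-separate one master key into independent encryption and MAC keys.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 over nonce||counter, used as a PRF to produce a keystream.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)  # never reuse a nonce with the same key
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Verify the tag in constant time before decrypting: a wrong key or a modified
    # ciphertext is rejected outright instead of yielding silently corrupted output.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def _rejects(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
    except ValueError:
        return True
    return False


def demo() -> dict:
    key = generate_key()
    msg = b"Hello"  # constructed sample input
    blob = encrypt(key, msg)
    # Flip one bit of the first ciphertext byte to simulate tampering in transit.
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    return {
        "toy": keyboard_shift("Hello"),
        "toy_reversed_without_key": keyboard_shift(keyboard_shift("Hello"), +1),
        "roundtrip": decrypt(key, blob) == msg,
        "overhead_bytes": len(blob) - len(msg),
        "same_plaintext_differs": encrypt(key, msg) != blob,
        "wrong_key_rejected": _rejects(generate_key(), blob),
        "tamper_rejected": _rejects(key, tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows that the ciphertext is only 48 bytes longer than the plaintext (the nonce plus the tag), that encrypting the same message twice gives different output because the nonce changes, and that both a wrong key and a single flipped bit are rejected before any plaintext is released. The toy shift, by contrast, is undone by anyone who knows the rule.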
ISO 27001 and encryption
Organisations can find guidance on encryption in Annex A.10 of ISO 27001. It explains how cryptographic controls can protect sensitive information in transit and at rest.
The Annex requires organisations to define and enforce a policy on the use of cryptographic controls. It does not prescribe particular algorithms or key sizes; instead, the policy must specify the type, strength and quality of algorithm required in each situation, based on the organisation’s risk assessment and any applicable regulations.
Likewise, it requires a policy on key management covering the whole key lifecycle: how and when keys are generated, distributed, stored, rotated, revoked and destroyed, and who is responsible for them.
Is encryption required by the GDPR?
Data encryption is not mandatory under the GDPR (General Data Protection Regulation).
However, that is because the Regulation is deliberately technology-neutral. It recognises that technological best practices are subject to change, and what is appropriate now might not be in several years’ time.
It does not mean that the GDPR doesn’t recommend the use of cryptographic controls. In fact, encryption is named in Article 32, which requires organisations to adopt “appropriate technical and organisational measures” to protect personal data.
Article 32(1)(a) lists, as examples of such measures, “the pseudonymisation and encryption of personal data”.
Organisations can determine whether encryption is appropriate by conducting a DPIA (data protection impact assessment).
These assessments are mandatory where processing could result in a high risk to data subjects, and they help organisations determine relevant safeguards that are appropriate to the risk.
When to use cryptographic controls
Although encryption is invaluable for protecting sensitive data, organisations should be careful about how and when they use it. Badly applied cryptography can introduce vulnerabilities of its own: obsolete or home-grown algorithms, keys stored alongside the data they protect, or encryption without integrity protection all give a false sense of security.
Likewise, as with all information security measures, the use of encryption comes at a cost. The key to successful security management is knowing how to balance the benefits of security measures with the challenges that they present.
Encryption is most often appropriate for data in transit – i.e. when it’s moving from one location to another, such as by email. In these instances, encryption ensures that the information remains safe should an unauthorised actor intercept the message.
Organisations might also choose to encrypt data at rest – i.e. when it’s on their systems. This protects the information should a criminal hacker break into their systems.
However, encryption for data at rest is applied less consistently, for several reasons. First, it introduces a key management burden: if the key is lost, the data is unrecoverable, and if the key is stored next to the data, the protection is illusory. Storage cost is not the issue; ciphertext is essentially the same size as the plaintext, with only a few dozen extra bytes for a nonce and an authentication tag.
Additionally, file- or field-level encryption makes information harder to work with for legitimate purposes. Every time an employee accesses the data it must be decrypted, and whenever they make changes it must be re-encrypted. Full-disk or transparent database encryption hides this from users, but it then protects only against loss or theft of the storage medium, not against an attacker who compromises a running system that already has access to the decrypted data.
Encryption also adds some processing overhead. On modern hardware, symmetric ciphers such as AES run at several gigabytes per second, so for email or file transfer the encryption step is normally far faster than the network itself; the noticeable costs are the handshake and key exchange at the start of a connection, and the operational effort of managing keys.
You therefore need to decide whether the security benefits justify the operational effort involved.
As a rule, encryption should be used whenever there is a significant risk of confidential information being improperly accessed. This includes devices that leave the organisation’s premises, such as removable media, external hard drives or laptops.
Organisations should also serve any website that asks users for a username or password, and any e-commerce platform that handles payment card transactions, exclusively over HTTPS (TLS).
Encryption is also required when employees connect to the corporate network while working remotely, typically through a VPN or another authenticated, encrypted tunnel.
Implementing a cryptography policy
Organisations that use encryption tools must implement a cryptographic policy. This ensures that encryption is used consistently and appropriately.
A cryptographic policy should cover:
- Staff awareness training on the benefits of encryption and how to use the technology;
- A risk assessment process that addresses the quality, strength and type of encryption algorithm;
- How and when encryption will be used for portable media devices;
- Organisational roles and responsibilities for managing cryptographic controls; and
- Any relevant laws governing the use of encryption.
Simplify your ISO 27001 requirements with Compliance Manager
You can find more advice on ISO 27001 and encryption with our Compliance Manager tool.
It contains everything you need to strengthen your information security processes and achieve ISO 27001 compliance.
It provides a curated list of information security clauses from UK law and a collection of GDPR articles, each accompanied by implementation guidance.
You can also add your own requirements or controls that are applicable to your organisation.
Compliance Manager’s interactive database lists the applicable clauses from each law and provides guidance on implementing them, mapped against the appropriate best-practice controls from Annex A of ISO 27001.