When to use this
Use this policy to define approved cryptographic uses, algorithms, protocols, key management responsibilities, legal checks, and exceptions.
Related controls
- A.8.24 Use of Cryptography
- A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
- Risk Assessment
Policy areas
| Area | Rule/requirement | Owner | Evidence |
|---|---|---|---|
| Approved algorithms/protocols | TBD | TBD | TBD |
| Prohibited algorithms/protocols | TBD | TBD | TBD |
| Key generation | TBD | TBD | TBD |
| Key storage | TBD | TBD | TBD |
| Key rotation/expiry | TBD | TBD | TBD |
| Certificate management | TBD | TBD | TBD |
| Key escrow/recovery | TBD | TBD | TBD |
| Legal/regulatory restrictions | TBD | TBD | TBD |
Minimum rules
- Cryptographic use must trace to risk or legal/business requirement.
- Approved industry-standard algorithms must be used.
- Secret/private keys must be protected from disclosure.
- Public keys and certificates must be protected from unauthorized replacement.
- Key lifecycle controls must be defined before production use.
- Exceptions must be risk-assessed and approved.
- Template
- Iso27001
- Technological controls
- Cryptography
Note Metadata
Aliases: Cryptography Policy
Source: 90 Templates/Cryptographic Controls Policy.md
Related Notes
- Risk Assessment
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- A.8.24 Audit Evidence Pack
- ISO 27001 A.8.24 - Use of Cryptography
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-037 - Use of Cryptography
- ISO 27002 Annex A Control Interpretation Map
- A.8.24 Audit Checklist
- Cryptographic Key Management Register
- Cryptographic Use Case and Algorithm Register
- Templates MOC