Content library
ISO 27017
10.1: Cryptographic controls

How to fill the requirement

ISO 27017

10.1: Cryptographic controls

Task name
Priority
Status
Theme
Policy
Other requirements
Encryption key inventory and management system
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Encryption
8
requirements

Task is fulfilling also these other security requirements

10: Cryptography
ISO 27017
10.1: Cryptographic controls
ISO 27017
10.1.2: Key management
ISO 27017
21.2.h: Encryption
NIS2
CC6.1c: Technical security for protected information assets
SOC 2
1. Task description

The Encryption Key Management System (CKMS) handles, manages, stores, and monitors encryption keys. The management system can be implemented as an automated tool or as a more manual implementation.

The organization must have the means to monitor and report on all encryption materials and their status using an encryption key management system. The cryptographic key management system should be used at least to:

  • Track changes to cryptographic states
  • Generate and distribute cryptographic keys
  • Generate public-key certificates
  • For monitoring unidentified encrypted assets
  • For cataloging, archiving, and backing up encryption keys
  • Maintains a database of connections to an organization's certificate and encryption key structures
Providing customers with encryption key management capabilities
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Encryption
4
requirements

Task is fulfilling also these other security requirements

10: Cryptography
ISO 27017
10.1: Cryptographic controls
ISO 27017
10.1.2: Key management
ISO 27017
1. Task description

The service provider has to be able to offer the customer a possibility for independently controlling storage and management of encryption keys that are used for the data they manage.

Details for this division of labor should be mentioned in service level agreements, terms of use or other similar documents.

Monitoring management of encryption and encryption keys
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
4
requirements

Task is fulfilling also these other security requirements

10: Cryptography
ISO 27017
10.1: Cryptographic controls
ISO 27017
10.1.2: Key management
ISO 27017
1. Task description

The organization must have the ability to monitor and report on actions related to encryption and encryption key management.

When abnormal activity is detected it must be handled in accordance with incident management processes.

No items found.