Content library
NSM ICT Security Principles (Norway)
2.7.1: Establish crypto strategy in the organisation

How to fill the requirement

NSM ICT Security Principles (Norway)

2.7.1: Establish crypto strategy in the organisation

Task name
Priority
Status
Theme
Policy
Other requirements
Encryption key inventory and management system
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Encryption
9
requirements

Examples of other requirements this task affects

10: Cryptography
ISO 27017
10.1: Cryptographic controls
ISO 27017
10.1.2: Key management
ISO 27017
21.2.h: Encryption
NIS2
CC6.1c: Technical security for protected information assets
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Encryption key inventory and management system
1. Task description

The Encryption Key Management System (CKMS) handles, manages, stores, and monitors encryption keys. The management system can be implemented as an automated tool or as a more manual implementation.

The organization must have the means to monitor and report on all encryption materials and their status using an encryption key management system. The cryptographic key management system should be used at least to:

  • Track changes to cryptographic states
  • Generate and distribute cryptographic keys
  • Generate public-key certificates
  • For monitoring unidentified encrypted assets
  • For cataloging, archiving, and backing up encryption keys
  • Maintains a database of connections to an organization's certificate and encryption key structures
Compliance of used cryptographic controls in relation to applicable requirements
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Encryption
4
requirements

Examples of other requirements this task affects

18.1.5: Regulation of cryptographic controls
ISO27 Full
18.1.5: Regulation of cryptographic controls
ISO 27017
5.31: Legal, statutory, regulatory and contractual requirements
ISO27k1 Full
2.7.1: Establish crypto strategy in the organisation
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Compliance of used cryptographic controls in relation to applicable requirements
1. Task description

Organisation should verify that the set of cryptographic controls that apply to the use of data systems comply with relevant agreements, legislation and regulations.

Managing compromised encryption keys
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Encryption
2
requirements

Examples of other requirements this task affects

2.7.1: Establish crypto strategy in the organisation
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Managing compromised encryption keys
1. Task description

The organization must have the means to handle compromised encryption keys. Endangered cryptographic keys may be in a state where they are awaiting further investigation to determine the appropriate course of action.

The handling of compromised cryptographic keys shall take into account at least the following:

  • compromised encryption keys should generally be used only for decryption and not for encryption, and in controlled environment
  • compromised keys should be included in the organization's compromised key lists
  • The immediate revocation of compromised encryption keys should be subject to the organisation's emergency revocation processes.

    Encryption key recovery
    Critical
    High
    Normal
    Low
    Fully done
    Mostly done
    Partly done
    Not done
    Technical cyber security
    Encryption
    2
    requirements

    Examples of other requirements this task affects

    2.7.1: Establish crypto strategy in the organisation
    NSM ICT-SP
    See all related requirements and other information from tasks own page.
    Go to >
    Encryption key recovery
    1. Task description

    Recovering an encryption key means rebuilding the encryption key using backups or archives.

    The organization must have the means to assess the risk of disclosure of the encryption key or encrypted data compared to compromising business continuity if the encryption key is lost.

    Activation of encryption keys
    Critical
    High
    Normal
    Low
    Fully done
    Mostly done
    Partly done
    Not done
    Technical cyber security
    Encryption
    3
    requirements

    Examples of other requirements this task affects

    2.7.1: Establish crypto strategy in the organisation
    NSM ICT-SP
    2.7.2: Activate encryption in services which offer such functionality
    NSM ICT-SP
    See all related requirements and other information from tasks own page.
    Go to >
    Activation of encryption keys
    1. Task description

    The organization must have the means to generate encryption keys in pre-activated state when the key has been generated but not yet approved for use.

    When activating encryption keys, please note the following:

    • The encryption key can be changed from pre-activated to activated by adding the start date of the encryption period
    • Inactive encryption keys cannot be used for encryption
    • Inactivated encryption keys can only be used to prove key management or key validation
    • An encryption key in pre-activated mode should be destroyed if it is no longer needed
    Recycling encryption keys
    Critical
    High
    Normal
    Low
    Fully done
    Mostly done
    Partly done
    Not done
    Technical cyber security
    Encryption
    2
    requirements

    Examples of other requirements this task affects

    2.7.1: Establish crypto strategy in the organisation
    NSM ICT-SP
    See all related requirements and other information from tasks own page.
    Go to >
    Recycling encryption keys
    1. Task description

    The organization must ensure that encryption keys are recycled in accordance with the specified encryption cycles. The risks of disclosure and statutory requirements must be taken into account when determining the encryption period.

    When recycling encryption keys, the old key must first be used for decryption and then the new key for recryption.

    Good encryption key management practices
    Critical
    High
    Normal
    Low
    Fully done
    Mostly done
    Partly done
    Not done
    Technical cyber security
    Encryption
    12
    requirements

    Examples of other requirements this task affects

    10.1.2: Key management
    ISO27 Full
    I12: Salausratkaisut
    Katakri
    6.6.3: Tekniset vaatimukset
    Self-monitoring
    TEK-16: Tiedon salaaminen
    Julkri
    21.2.h: Encryption
    NIS2
    See all related requirements and other information from tasks own page.
    Go to >
    Good encryption key management practices
    1. Task description

    Our organization has defined policies for creating, storing, sharing, and deleting encryption keys.

    Encryption key lengths and usage practices will be selected in accordance with best general practices by monitoring developments in the industry.

    No items found.

    Universal cyber compliance language model: Comply with confidence and least effort

    In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

    Security frameworks tend to share the common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
    Cyberday’s universal cyber security language technology creates you a single security plan and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.
    Start your free trial
    1.1 (MIL2): Manage IT and OT Asset Inventory
    C2M2: MIL1
    1.1 (MIL3): Manage IT and OT Asset Inventory
    C2M2: MIL1
    1.1.1: Availability of information security policies
    TISAX
    1.1.1: Identify the organisation’s strategy and priorities
    NSM ICT-SP
    1.1.2: Identify the organisation’s structures and processes for security management
    NSM ICT-SP
    1.1.3: Identify the organisation’s processes for ICT risk management
    NSM ICT-SP
    1.1.4: Identify the organisation’s tolerances for ICT risk
    NSM ICT-SP
    1.1.5: Identify the organisation’s deliverables, information systems and supporting ICT functions
    NSM ICT-SP
    1.1.6: Identify information processing and data flow
    NSM ICT-SP
    1.2 (MIL2): Manage Information Asset Inventory
    C2M2: MIL1
    1.2 (MIL3): Manage Information Asset Inventory
    C2M2: MIL1
    1.2.1: Establish a process to identify devices and software in use at the organisation
    NSM ICT-SP
    1.2.1: Scope of Information Security management
    TISAX
    1.2.2: Establish organisational guidelines for approved devices and software
    NSM ICT-SP
    1.2.2: Information Security Responsibilities
    TISAX
    1.2.3: Identify devices in use at the organisation
    NSM ICT-SP
    1.2.3: Information Security requirements in projects
    TISAX
    1.2.4: Definition of responsibilities with service providers
    TISAX
    1.2.4: Identify the software in use at the organisation
    NSM ICT-SP
    1.2: Manage Information Asset Inventory
    C2M2: MIL1
    1.3 (MIL2): Manage IT and OT Asset Configuration
    C2M2: MIL1
    1.3 (MIL3): Manage IT and OT Asset Configuration
    C2M2: MIL1
    1.3.1: Identification of information assets
    TISAX
    1.3.1: Identify the users of the information systems
    NSM ICT-SP
    1.3.2: Classification of information assets
    TISAX
    1.3.2: Identify and define the different user categories
    NSM ICT-SP
    1.3.3: Identify roles and responsibilities linked especially to ICT security
    NSM ICT-SP
    1.3.3: Use of approved external IT services
    TISAX
    1.3.4: Use of approved software
    TISAX
    1.3: Manage IT and OT Asset Configuration
    C2M2: MIL1
    1.4 (MIL2): Manage Changes to IT and OT Assets
    C2M2: MIL1
    1.4 (MIL3): Manage Changes to IT and OT Assets
    C2M2: MIL1
    1.4.1: Management of Information Security Risks
    TISAX
    1.4: Manage Changes to IT and OT Assets
    C2M2: MIL1
    1.5 (MIL1): Management Activities for the ASSET domain
    C2M2: MIL1
    1.5 (MIL2): Management Activities for the ASSET domain
    C2M2: MIL1
    1.5 (MIL3): Management Activities for the ASSET domain
    C2M2: MIL1
    1.5.1: Assessment of policies and requirements
    TISAX
    1.5.2: External review of ISMS
    TISAX
    1.5: Management Activities for the ASSET domain
    C2M2: MIL1
    1.6.1: Reporting of security events
    TISAX
    1.6.2: Management of reported events
    TISAX
    1.6.3: Crisis preparedness
    TISAX
    10 §: Johdon vastuu
    KyberTL
    10. Processing of personal data relating to criminal convictions and offences
    GDPR
    10.1 (MIL2): Establish Cybersecurity Program Strategy
    C2M2: MIL1
    10.1 (MIL3): Establish Cybersecurity Program Strategy
    C2M2: MIL1
    10.1.1: Policy on the use of cryptographic controls
    ISO27 Full
    10.1.2: Key management
    ISO27 Full
    10.1.2: Key management
    ISO 27017
    10.1: Continuous improvement
    ISO27k1 Full
    10.1: Cryptographic controls
    ISO27 Full
    10.1: Cryptographic controls
    ISO 27017
    10.1: Establish Cybersecurity Program Strategy
    C2M2: MIL1
    10.2 (MIL2): Establish and Maintain Cybersecurity Program
    C2M2: MIL1
    10.2 (MIL3): Establish and Maintain Cybersecurity Program
    C2M2: MIL1
    10.2: Establish and Maintain Cybersecurity Program
    C2M2: MIL1
    10.2: Non-conformity and corrective action
    ISO27k1 Full
    10.3 (MIL1): Management Activities for the PROGRAM domain
    C2M2: MIL1
    10.3 (MIL2): Management Activities for the PROGRAM domain
    C2M2: MIL1
    10.3 (MIL3): Management Activities for the PROGRAM domain
    C2M2: MIL1
    10.3: Management Activities for the PROGRAM domain
    C2M2: MIL1
    10: Cryptography
    ISO27 Full
    10: Cryptography
    ISO 27017
    10: Cybersecurity Program Management (PROGRAM)
    C2M2: MIL1
    10: Prosessi väärinkäytöksiin reagoimiseksi
    Sec overview
    11 §: Poikkeamailmoitukset viranomaiselle
    KyberTL
    11. Processing which does not require identification
    GDPR
    11.1.1: Physical security perimeter
    ISO27 Full
    11.1.2: Physical entry controls
    ISO27 Full
    11.1.3: Securing offices, rooms and facilities
    ISO27 Full
    11.1.4: Protecting against external and environmental threats
    ISO27 Full
    11.1.5: Working in secure areas
    ISO27 Full
    11.1.6: Delivery and loading areas
    ISO27 Full
    11.1: Secure areas
    ISO27 Full
    11.2.1: Equipment siting and protection
    ISO27 Full
    11.2.2: Supporting utilities
    ISO27 Full
    11.2.3: Cabling security
    ISO27 Full
    11.2.4: Equipment maintenance
    ISO27 Full
    11.2.5: Removal of assets
    ISO27 Full
    11.2.6: Security of equipment and assets off-premises
    ISO27 Full
    11.2.7: Secure disposal or re-use of equipment
    ISO27 Full
    11.2.7: Secure disposal or re-use of equipment
    ISO 27017
    11.2.8: Unattended user equipment
    ISO27 Full
    11.2.9: Clear desk and clear screen policy
    ISO27 Full
    11.2: Equipment
    ISO27 Full
    11.2: Equipment
    ISO 27017
    11: Digiturvan mittarien määrittäminen
    Sec overview
    11: Physical and environmental security
    ISO27 Full
    11: Physical and environmental security
    ISO 27017
    12 §: Luotettavuutta edellyttävien tehtävien tunnistaminen ja luotettavuudesta varmistuminen
    TiHL
    12 §: Poikkeamaa koskeva väliraportti
    KyberTL
    12. Transparent information, communication and modalities for the exercise of the rights of the data subject
    GDPR
    12.1.1: Documented operating procedures
    ISO27 Full
    12.1.2: Change management
    ISO27 Full
    12.1.3: Capacity management
    ISO27 Full
    12.1.4: Separation of development, testing and operational environments
    ISO27 Full
    12.1: Operational procedures and responsibilities
    ISO27 Full
    12.2.1: Controls against malware
    ISO27 Full
    12.2: Protection from malware
    ISO27 Full