Content library
ISO 27001 (2022): Full
8.24: Use of cryptography

How to fill the requirement

ISO 27001 (2022): Full

8.24: Use of cryptography

Task name
Priority
Status
Theme
Policy
Other requirements
Encryption of laptops
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Encryption
13
requirements

Task is fulfilling also these other security requirements

10.1.1: Policy on the use of cryptographic controls
ISO27 Full
6.6.4: Fyysisten tilojen, laitteiden ja tulosteiden turvallisuus
Self-monitoring
TEK-18.1: Etäkäyttö - tietojen ja tietoliikenteen salaaminen
Julkri
8.24: Use of cryptography
ISO27k1 Full
CC6.7: Restriction and protection of information in transmission, movement or removal
SOC 2
1. Task description

Laptops are protected by full-disk encryption.

Encryption of backup data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Encryption
14
requirements

Task is fulfilling also these other security requirements

12.3.1: Information backup
ISO27 Full
10.1.1: Policy on the use of cryptographic controls
ISO27 Full
12.3: Backup
ISO27 Full
TEK-20: Varmuuskopiointi
Julkri
8.13: Information backup
ISO27k1 Full
1. Task description

When the confidentiality of backups is important, backups are protected by encryption. The need to encrypt backups may become highlighted when backups are stored in a physical location where security policies are unknown.

General, risk-based encryption policy
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Encryption
12
requirements

Task is fulfilling also these other security requirements

I12: Salausratkaisut
Katakri
10.1.1: Policy on the use of cryptographic controls
ISO27 Full
10.1: Cryptographic controls
ISO27 Full
10: Cryptography
ISO27 Full
10.1.2: Key management
ISO27 Full
1. Task description

Deciding on the need for encryption solutions is seen as part of an overall process that includes risk assessment and the definition of other management tasks.

The organization has established a general encryption policy that is always followed when protecting information using encryption.

Encryption policy defines:

  • general principles for using cryptographic controls throughout the organization
  • methods for determining the needed level of encryption on the basis of a asset risk assesment
  • the use of encryption on mobile devices
  • ways to protect encryption keys and recover encrypted data when keys are lost
  • roles and responsibilities related to encryption
  • the effects of encryption on other tasks of the security management system
Encryption of user password information
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
9
requirements

Task is fulfilling also these other security requirements

9.4.2: Secure log-on procedures
ISO27 Full
10.1.1: Policy on the use of cryptographic controls
ISO27 Full
14.2.5: Secure system engineering principles
ISO27 Full
14.1.3: Protecting application services transactions
ISO27 Full
8.5: Secure authentication
ISO27k1 Full
1. Task description

We use strong encryption during password transmission and storage in all services we develop.

Encryption of portable media
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Encryption
15
requirements

Task is fulfilling also these other security requirements

8.3.1: Management of removable media
ISO27 Full
10.1.1: Policy on the use of cryptographic controls
ISO27 Full
8.3.3: Physical media transfer
ISO27 Full
A.11.4: Protecting data on storage media leaving the premises
ISO 27018
PR.PT-2: Removable media
NIST
1. Task description

Storing confidential information on removable media should be avoided. When removable media is used to transfer confidential information, appropriate security is used (e.g., full disk encryption with pre-boot authentication).

Revision of encryption methods and assessment of adequacy
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Encryption
9
requirements

Task is fulfilling also these other security requirements

10.1.1: Policy on the use of cryptographic controls
ISO27 Full
8.24: Use of cryptography
ISO27k1 Full
21.2.h: Encryption
NIS2
CC6.1c: Technical security for protected information assets
SOC 2
9.8 §: Salaus
KyberTL
1. Task description

When choosing the encryption methods to be used, take into account e.g. the following points:

  • the cost of using encryption
  • encryption level (eg type, strength and quality of the encryption algorithm)
  • the value of the assets to be protected

The need for the advice of external experts is always considered when determining used cryptographic practices.

No items found.