Applicability of A.10.1 Cryptographic Controls
Our organization uses digital certificates for Internet-facing services; apart from that, we do not use any cryptography. In this case, would A.10 be applicable to our organization?
If you are referring to SSL certificates, then control A.10.1.1 Policy on the use of cryptographic controls is probably applicable to you, while control A.10.1.2 Key management may not be applicable because you are not handling keys.
But you primarily need to assess your risks and analyze requirements to define which controls are applicable and which are not.
Here are a couple of helpful articles:
- How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Jan 24, 2020