Get 4 FREE months of Conformio to implement ISO 27001

Expert Advice Community

Guest

Application of controls A.10.1.1 and A.10.1.2

  Quote
Guest
Guest user Created:   Jul 23, 2017 Last commented:   Jul 23, 2017

Application of controls A.10.1.1 and A.10.1.2

If an organisation has DC issued by external party, and the organisation does NOT use an other encryption controls , will the control 10.1.1 and 10.1.2 be applicable ?? the organisation does not generate any digital certificate.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jul 23, 2017

Answer: If your organization makes use of digital certificates, both controls A.10.1.1 (Policy on the use of cryptographic controls) and A.10.1.2 (Key management) should be stated as applicable.

The reason for application of A.10.1.1 is because you should have clear rules about when, how, and by whom these certificates should be used, and how they should be managed.

As for A.10.1.2, the adoption of practices for protection of cryptographic keys should be included as a clause in the service agreement with the provider, so you can ensure they will provide at least the same level of protection as if your organization was managing the keys itself.

Please note that when stating a control as applicable, you could use as justification results of risk assessment, top management decision, or compliance with a legal or cont ractual requirement.

This articles will provide you further explanation about providers and cryptographic controls:
- How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

This material will also help you regarding about providers and cryptographic controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jul 23, 2017

Jul 23, 2017