Audit observation
(Hello Dejan, I have a doubt: in a recent audit we were given the observation that we have to document a data encryption policy, which is described according to the type of information, status (in transit, storage, moving) and according to their type of storage (servers, computer equipment, etc.), and whether they require the application of cryptographic controls. Reviewing the document of the policy on the use of cryptographic controls, nothing comes of it. Thanks for your support.)
Answer: By the description you gave us, the information required by the audit can be found in the template "Information Classification policy", which is referenced in the "Policy on the Use of Cryptographic Controls" (in section 3.1). Both documents are part of the ES ISO 27001 Documentation Toolkit you bought. You can find these templates in the following folders:
- Information Classification policy: folder 08 Annex A, sub-folder A.8 Asset management
- Policy on the Use of Cryptographic Controls: 08 Annex A, sub-folder A.10 Cryptography
In the Information Classification policy template, the information about type of information, status and type of storage can be found in the table in section 3.4 - Handling classified information. E.g.: "the document must be stored in encrypted form", and "when files are exchanged..., they must be encrypted".
Sep 18, 2017