
Expert Advice Community


Cryptographic tool

Guest user Created:   Oct 09, 2021 Last commented:   Oct 09, 2021


Hello Dejan,

Thanks for your message. I am really satisfied with the ISO 27001 document pack. 

I have some questions about filling in the document 08_Annex_A_Security_Controls > A.10_Cryptography > A.10_Policy_on_the_Use_of_Encryption.docx.

I am confused about the table in chapter 3, especially the "Cryptographic tool" part. This is what I have filled in so far:

Type of information | Cryptographic tool          | Encryption algorithm           | Key size
Laptop              | OSX FileVault              | XTS-AES-256                    | 256 bits
Backup              | Hardware security module   | AES-256                        | 2048 bits
Source code         | Hardware security module   | AES-256                        | 2048 bits
Data at rest        | Hardware security module   | AES-256                        | 2048 bits
Data in transit     | TLS 1.2                    | ECDHE-ECDSA-AES128-GCM-SHA256  | 256 bits

Can you confirm that I understood this and filled in the table correctly, or did I mix up some information?

Thanks a lot for the clarification and have a great day.


Expert
Rhand Leal Oct 09, 2021

Based on the information you provided:

- in the first column you need to use the original text of the template (Name of the System / Type of information) and be more specific about the situation you are describing, because you are referring to information (source code and backup), where it is (laptop), and its state (at rest and in transit). The use of these different elements may cause confusion when defining which tools apply.

For example, will backup and source code stored in any place require an HSM, or only those stored on corporate servers? As a suggestion, you could use terms like “data at rest in corporate servers” and “data at rest in laptops” to be clearer (since backup and source code share the same specifications as data at rest, you can exclude them from the list).

- the remaining columns are OK. Specifically, about the Cryptographic Tool column, you correctly defined by which means the encryption algorithm will be implemented (in your case, by the software OSX FileVault, by a Hardware security module, and by the TLS protocol).
