Cryptographic tool
Hello Dejan,
Thanks for your message. I am really satisfied with the ISO 27001 document pack.
I have some questions about filling in the document 08_Annex_A_Security_Controls > A.10_Cryptography > A.10_Policy_on_the_Use_of_Encryption.docx.
I am confused about the table in chapter 3, especially the "Cryptographic tool" part.
Type of information   Cryptographic tool          Encryption algorithm            Key size
Laptop                OSX FileVault               XTS-AES-256                     256 bits
Backup                Hardware security module    AES-256                         2048 bits
Source code           Hardware security module    AES-256                         2048 bits
Data at rest          Hardware security module    AES-256                         2048 bits
Data in transit       TLS 1.2                     ECDHE-ECDSA-AES128-GCM-SHA256   256 bits
Can you confirm that I understood and filled in this table correctly, or did I mix up some information?
Thanks a lot for the clarification and have a great day.
By the information you provided:
- in the first column you need to use the original text of the template (Name of the System / Type of information) and be more specific about the situation you are describing, because you are referring to information (source code and backup), where it is (laptop), and its state (at rest and in transit). The use of these different elements may cause confusion when defining which tools apply.
For example, will backup and source code stored in any place require HSM, or only those stored on corporate servers? As a suggestion, you could use terms like "data at rest in corporate servers" and "data at rest in laptops" to be clearer (since backup and source code share the same specifications as data at rest, you can exclude them from the list).
- the remaining columns are ok. Specifically, about the Cryptographic Tool column, you correctly defined by which means the encryption algorithm will be implemented (in your case, by the software OSX FileVault, by a Hardware security module, and by the TLS protocol).
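A policy table like the one above is only useful if its columns agree with each other: the Key size column must state a size the named algorithm actually accepts (AES-256 keys are 256 bits; 2048 bits is an RSA modulus size, not an AES key size). The following script is an added example, not part of the forum thread or of the document pack; it reads rows constructed to mirror the table above and reports every row whose key size does not match its algorithm. The algorithm names and the key-size map are assumptions chosen for the illustration.

```python
"""Consistency check for a Policy-on-the-Use-of-Encryption table.

Each row names a tool, an encryption algorithm and a key size. The check
flags rows whose key size is not one the algorithm can use.
"""
from dataclasses import dataclass
from typing import Optional

# Key sizes (bits) each algorithm actually takes. AES keys are 128, 192 or
# 256 bits; XTS-AES-256 is conventionally labelled by its 256-bit AES key.
# RSA sizes are listed only to show where a value like 2048 would belong.
SUPPORTED_KEY_BITS = {
    "AES-128": {128},
    "AES-192": {192},
    "AES-256": {256},
    "XTS-AES-256": {256},
    "RSA": {2048, 3072, 4096},
}


@dataclass
class PolicyRow:
    info_type: str   # "Type of information" column
    tool: str        # "Cryptographic tool" column
    algorithm: str   # "Encryption algorithm" column
    key_bits: int    # "Key size" column, in bits


def normalise_algorithm(name: str) -> str:
    """Reduce an algorithm or TLS cipher-suite string to its bulk cipher.

    A suite such as ECDHE-ECDSA-AES128-GCM-SHA256 encrypts with AES-128, so
    the key size that belongs in the table for that row is 128 bits.
    """
    upper = name.upper().replace("_", "-")
    if "XTS-AES-256" in upper:
        return "XTS-AES-256"
    if "AES128" in upper or "AES-128" in upper:
        return "AES-128"
    if "AES192" in upper or "AES-192" in upper:
        return "AES-192"
    if "AES256" in upper or "AES-256" in upper:
        return "AES-256"
    if upper.startswith("RSA"):
        return "RSA"
    return upper


def check_row(row: PolicyRow) -> Optional[str]:
    """Return a finding for an inconsistent row, or None if it is consistent."""
    alg = normalise_algorithm(row.algorithm)
    allowed = SUPPORTED_KEY_BITS.get(alg)
    if allowed is None:
        return f"{row.info_type}: unknown algorithm '{row.algorithm}'"
    if row.key_bits not in allowed:
        return (f"{row.info_type}: {alg} takes {sorted(allowed)}-bit keys, "
                f"but the table states {row.key_bits} bits ({row.tool})")
    return None


def check_table(rows: list) -> list:
    """Run check_row over every row and return the non-empty findings."""
    return [f for f in (check_row(r) for r in rows) if f]


# Constructed rows mirroring the table in the question. The TLS row carries
# the 128-bit AES key implied by its cipher suite; the HSM rows keep the
# 2048-bit value from the question so the check has something to report.
SAMPLE_ROWS = [
    PolicyRow("Laptop", "OSX FileVault", "XTS-AES-256", 256),
    PolicyRow("Backup", "Hardware security module", "AES-256", 2048),
    PolicyRow("Source code", "Hardware security module", "AES-256", 2048),
    PolicyRow("Data at rest", "Hardware security module", "AES-256", 2048),
    PolicyRow("Data in transit", "TLS 1.2", "ECDHE-ECDSA-AES128-GCM-SHA256", 128),
]

if __name__ == "__main__":
    for finding in check_table(SAMPLE_ROWS):
        print(finding)
```

Run against the constructed rows, the script reports the three HSM rows, since AES-256 cannot take a 2048-bit key; if the 2048 bits refers to an RSA key that wraps the AES key inside the HSM, that belongs in a separate row or a note rather than in the AES row's Key size cell.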
Oct 09, 2021