Cryptography Controls

1. Which areas we need to implement in an organization.

According to ISO 27001, the application of a control (in your case, the areas where you need to implement cryptography) must be based on the results of risk assessment, applicable legal requirements (e.g., laws, regulations, or contracts), and/or in decision of top management.

Broadly speaking, areas with identified needs to protect the confidentiality and integrity of communications channels and information, would the most probable areas to implement cryptography control.

For example, you can use cryptography control to encryption of sensitive data sent over email or through removable media, or to digitally sign a document, ensuring you are the author of the document or that it was not changed.

 For further information see:

• How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

2. Example of encryption and decryption policies.

To see how an encryption policy looks like, I suggest you t take a look at this free demo: Policy on the Use of Encryption https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/