Created: Mar 07, 2023 Last commented: Mar 08, 2023

Policy on the use of Encryption

Hi, We are an IT company based in HK and there really in no official law/regulation that is applicable to us. So, in reviewing section 3.1 of the Policy on Use of Encryption where we need to list down individual systems or information, should we include: - network devices eg. firewall - cloud-based applications eg. Microsoft Exchange, Teams, Aure AD, Egnyte file management system, Confluence, etc - accounting system eg. Xero, etc - cloud-based backup eg. Datto, etc - on-premiuse backup - any other cloud-based and on-prem network monitoring applications Thank you

Tags: crytography

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Mar 08, 2023

First is important to note that legal requirements also included contracts, with customers or partners, so you also should check them to ensure they do not require the application of encryption.

Considering that, please note that to define which systems will require encryption you need to evaluate the classification level of the information they store and/or process. The encryption is not based on the asset, but on the information, it handles or stores.

For example, if the accounting system does not process or stores information with a classification level that requires encryption, then you do not need to include this system in the Policy on the use of Encryption.

For further information, see:

How to use cryptography according to ISO 27001 control A.8.24 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Mar 07, 2023

Mar 08, 2023

Expert Advice Community