First, it is important to note that legal requirements also include contracts with customers or partners, so you should also check them to ensure they do not require the application of encryption.
Considering that, please note that to define which systems will require encryption, you need to evaluate the classification level of the information they store and/or process. Encryption is not based on the asset, but on the information it handles or stores.
For example, if the accounting system does not process or store information with a classification level that requires encryption, then you do not need to include this system in the Policy on the use of Encryption.
For further information, see:
- How to use cryptography according to ISO 27001 control A.8.24 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
Mar 08, 2023