According to ISO 27001, you have to implement encryption, like any other type of control, only in the following situations:
- There are unacceptable risks that justify the application of the control (i.e., based on the risk assessment results)
- There are legal requirements (e.g., laws or contract clauses) with which the organization must comply and that demand the application of the control
- There is a management decision to implement the control because it is considered good practice

If none of the above conditions applies, there is no need to implement the control.