Expert Advice Community

Guest

Use of encryption and ISO 27001

  Quote
Guest
Guest user Created:   Aug 20, 2019 Last commented:   Aug 20, 2019

Use of encryption and ISO 27001

Does ISO 27001 require the use of encryption for data at rest or is its implementation based on the risk assessment tolerance of the company?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Aug 20, 2019

Answer:

According to ISO 27001, you only have to implement any kind of encryption, as well as other types of controls, in the following situations:
- There are unacceptable risks that justify the application of the control (i.e., based on the risk assessment results)
- There are legal requirements (e.g., laws or contract clauses) to which the organization must comply with, that demands the application of the control
- There is a management decision to implement the control, by considering it as good practice.

If none of the above conditions happen, there is no need to implement a control.

This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Aug 20, 2019

Aug 20, 2019

Suggested Topics