

Learn about cryptography as it relates to Annex 10 of ISO 27001:2013

What you will learn

  • Learn about ISO 27001:2013 guidelines concerning cryptography
  • Obtain general knowledge about cryptography
  • Familiarize yourself with common cryptographic techniques
  • Understand the purpose of cryptography: confidentiality, integrity, authentication, non-repudiation
  • Gain a general understanding of symmetric/asymmetric keys & digital signatures

Description

In this course, we’ll explore an overview of what cryptography is and how it relates to Annex 10 of ISO 27001:2013. I’ll be teaching using slides and explaining some notes about the topic. In addition to reading the notes on the screen and listening to the lecture, you can take notes if you wish. This course is less about cryptography itself and more about the requirements of ISO 27001:2013 with regard to cryptography. Therefore we won’t be discussing any particular cryptographic control at great length.

Here’s a summary of what you can expect to learn from this course:

Section 1:

Cryptography has been around for ages. It means scrambling data so that it’s unreadable to people who don’t know how to decrypt it. When computers became commonplace and there was a whole lot of information out there, we needed more encryption. Since then it’s really taken off, and people have come up with very sophisticated ways to encrypt data.

Section 2:

So, what does ISO 27001:2013 say about this? It says that you have to have a cryptographic policy. This basically means that you have to prepare a document that’s going to govern how you use encryption in your organization. It answers the who, what, where, when and how questions. This means the policy should answer the following questions:

  • Who is going to implement the policy? (The roles and responsibilities)
  • What data needs to be encrypted? (Sensitive data needs to be encrypted)
  • Where is the data that needs to be encrypted? (In transit, at rest, or in processing)
  • When should the organization encrypt? (Only when it is effective)
  • How will they encrypt their data? (The ciphers they’ll use, how they’ll manage their keys, permissions, etc.)

Section 3:

The strength of encryption controls relies heavily on the effective implementation of key management. You need the keys to gain access to your data, so if you lose your keys or they get destroyed, you won’t have access to your data anymore. Also, if a thief gets your keys and has access to your encrypted files, they can easily steal or alter your data.

Therefore, an organization has to create an effective key management policy that’s going to force them to decide how keys will be generated, backed up, stored, protected, retired, and deleted. They can use key management solutions and implement their policy themselves or they can outsource this process to another specialized organization.

Language: English

Content

Introduction
Introduction
Ciphers
Modern Cryptography
Public Key Encryption
Cryptographic Controls
10.1.1 Cryptographic Control Policies
Developing Requirements
The Data States Encryption Method
Key Management
Clause 10.1.2 – Key Management Policy
Key Management Principles
Key Sharing and Digital Signatures
When and How to Encrypt