Cryptography must be used sufficiently and effectively to protect the confidentiality, authenticity, and integrity of information in your organisation’s network and information systems.
Requirement
You must establish and implement a policy and procedures for using cryptography. These must ensure that cryptography is used effectively to protect confidentiality, authenticity, and integrity, reflect the current state of technology, and be in line with the results of your risk assessments and asset classification.
Your organisation must use cryptography to protect networks and information systems where required by asset classification and risk assessment.
The policy and procedures for cryptography may include:
- which cryptographic protocols may be used,
- which cryptographic algorithms are approved,
- approved key lengths for different algorithms,
- approved cryptographic solutions and practices, such as end-to-end encryption, disk encryption, and others,
- the approach to key management, including methods for:
  - generating keys for different systems and applications,
  - issuing and acquiring public key certificates,
  - distributing keys and activating them upon receipt,
  - storing keys and granting access to authorised users,
  - changing or updating keys, including rules for key rotation,
  - handling compromised keys and certificates,
  - revoking and deactivating keys,
  - restoring lost or damaged keys,
  - backing up or archiving keys,
  - securely deleting keys that are no longer needed,
  - monitoring and auditing key management activities,
  - defining activation and deactivation dates for keys,
  - handling legal requests for access to cryptographic keys.
Documentation
All relevant employees should have access to the organisation’s cryptography policies and procedures. These policies and procedures should be reviewed at planned intervals and whenever vulnerabilities or technological advances arise that may affect cryptographic security, which could be the case if an algorithm is broken or stronger key lengths are required due to increased computing power.
If a security review identifies vulnerabilities, then your documentation and technical solutions must be updated, and the changes must be communicated to the relevant employees.