ISO 27001: Management Clause 10
TRANSCRIPT
iFour Consultancy
ISMS Framework: Clause 10 – Cryptography
Cryptography – ISMS Requirements
ISO 27001:2013 classifies cryptography under a single clause, A.10.1: Cryptographic controls.
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
Clause A.10.1: Cryptographic controls
A.10.1.1 Policy on the use of cryptographic controls
A.10.1.2 Key Management
Clause A.10.1: Cryptographic controls
Cryptographic controls will be used to achieve the three (3) following security objectives:
Confidentiality: Using encryption of information to protect sensitive or critical information, either stored or transmitted.
Integrity: Using digital signatures or message authentication codes to protect the authenticity and integrity of stored or transmitted sensitive or critical information.
Non-Repudiation: Using cryptographic techniques to obtain proof of the occurrence or non-occurrence of an event or action.
A.10.1.1 Policy on the use of cryptographic controls
Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
There should be a policy on the use of encryption, plus cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and cryptographic key management.
A.10.1.2 Key Management
Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
Key management is the management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, and replacement of keys.
Cryptographic systems may use different types of keys: symmetric keys or asymmetric keys.
A.10.1.2 Key Management
Symmetric key: In a symmetric key algorithm the keys involved are identical for both encrypting and decrypting a message. Keys must be chosen carefully, and distributed and stored securely.
Asymmetric key: Asymmetric keys, in contrast, are two distinct keys that are mathematically linked. They are typically used in conjunction to communicate.
A.10.1.2 Key Management
The key management policy should cover the whole key lifecycle:
• Generating keys for different cryptographic systems and different applications;
• Generating and obtaining public key certificates;
• Distributing keys to intended users, including how keys should be activated when received;
• Storing keys, including how authorized users obtain access to keys;
• Changing or updating keys, including rules on when keys should be changed and how this will be done;
• Recovering keys that are lost or corrupted as part of business continuity management;
• Archiving keys, e.g. for information archived or backed up;
• Destroying keys.
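The lifecycle above worked through in code, as an added example that is not part of the iFour deck: a hypothetical KeyRing that generates, activates, rotates and destroys symmetric HMAC keys, carrying the key identifier in every tag so that tags made under a retired key still verify until that key is destroyed. HMAC serves the integrity and authenticity objective only; because sender and verifier share the same key it cannot provide non-repudiation, which needs digital signatures and is outside this standard-library-only example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
@dataclass
class KeyRecord:
    kid: str           # identifier carried with every tag
    secret: bytearray  # mutable so the material can be overwritten on destruction
    state: str         # "pending" -> "active" -> "retired" -> "destroyed"

class KeyRing:
    def __init__(self):
        self.keys = {}          # kid -> KeyRecord (constructed in-memory store, not a real HSM)
        self.active_kid = None  # only this key may create new tags

    def generate(self):
        """Generate a fresh 256-bit key; it is unusable until explicitly activated."""
        kid = secrets.token_hex(4)
        self.keys[kid] = KeyRecord(kid, bytearray(secrets.token_bytes(32)), "pending")
        return kid

    def activate(self, kid):
        """Rotate: kid becomes active, the previously active key is retired (verify only)."""
        if self.active_kid is not None:
            self.keys[self.active_kid].state = "retired"
        self.keys[kid].state = "active"
        self.active_kid = kid

    def destroy(self, kid):
        """Overwrite the key material in place and refuse all further use of this kid."""
        rec = self.keys[kid]
        rec.secret[:] = bytes(len(rec.secret))  # zeroise, not just drop the reference
        rec.state = "destroyed"
        self.active_kid = None if self.active_kid == kid else self.active_kid

    def tag(self, message):
        """HMAC-SHA256 over kid|message, prefixed with the kid so the verifier can select the key."""
        rec = self.keys[self.active_kid]  # KeyError if nothing is active: no key, no tag
        mac = hmac.new(bytes(rec.secret), rec.kid.encode() + b"|" + message, hashlib.sha256)
        return rec.kid.encode() + b"|" + mac.hexdigest().encode()

    def verify(self, message, tag):
        """Accept tags from active or retired keys; reject unknown, pending or destroyed ones."""
        kid, _, mac = tag.partition(b"|")
        rec = self.keys.get(kid.decode(errors="replace"))
        if rec is None or rec.state not in ("active", "retired"):
            return False
        expected = hmac.new(bytes(rec.secret), kid + b"|" + message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected.encode(), mac)
```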
Cryptography Standards
• There are a number of standards related to cryptography, such as:
Encryption standards
Hash standards
Digital signature standards
Public-key infrastructure (PKI) standards
Wireless standards
U.S. Government Federal Information Processing Standards (FIPS)
Internet Requests for Comments (RFCs)
References
https://en.wikipedia.org/wiki/Cryptography_standards
https://en.wikipedia.org/wiki/Key_management
For more details, visit our websites:
http://www.ifour-consultancy.com
http://www.ifourtechnolab.com
THANK YOU