In this course, we'll explore an overview of what cryptography is and how it relates to annex 10 of ISO 27001:2013. I'll be teaching using slides and explaining some notes about the topic. In addition to reading the notes on the screen and listening to the lecture, you can take notes if you wish. This course is less about cryptography itself and more about the requirements of ISO 27001:2013 with regard to cryptography. Therefore, we won't be discussing any particular cryptographic control at great length.
Here's a summary of what you can expect to learn from this course:
Cryptography has been around for ages. It means scrambling data so that it's unreadable to people who don't know how to decrypt it. When computers became a thing and there was a whole bunch of information out there, we needed more encryption. Since then it's really taken off and people have come up with really sophisticated ways to encrypt data.
So, what does ISO 27001:2013 say about this? It says that you have to have a cryptographic policy. This basically means that you have to prepare a document that's going to govern how you use encryption in your organization. It answers the who, what, where, when and how questions. This means the policy should answer the following questions:
Who is going to implement the policy? (The roles and responsibilities)
What data needs to be encrypted? (Sensitive data needs to be encrypted)
Where is the data that needs to be encrypted? (In transit, at rest, or in processing)
When should the organization encrypt? (Only when it is effective)
How will they encrypt their data? (The ciphers they'll use, how they'll manage their keys, permissions, etc.)
The strength of encryption controls relies heavily on the effective implementation of key management. You need the keys to gain access to your data, so if you lose your keys or they get destroyed, you won't have access to your data anymore. Also, if a thief gets your keys and has access to your encrypted files, they can easily steal or alter your data.
Therefore, an organization has to create an effective key management policy that requires them to decide how keys will be generated, backed up, stored, protected, retired, and deleted. They can use key management solutions and implement their policy themselves, or they can outsource this process to another specialized organization.
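As an added illustration of the key lifecycle the policy has to cover (this is not part of the course material), the following Go program models a hypothetical in-memory key store: a key is generated, used to protect data, retired so that existing data stays readable while no new data is protected under it, and finally destroyed, after which the data encrypted under it cannot be recovered. The key id and sample record are constructed values, and the store, its method names and the choice of AES-256-GCM are assumptions for the example, not anything the standard prescribes.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore is a minimal in-memory stand-in for a key management solution: active keys protect new data and decrypt old data, retired keys only decrypt, destroyed keys are gone.
type KeyStore struct{ active, retired map[string]cipher.AEAD }
func NewKeyStore() *KeyStore { return &KeyStore{map[string]cipher.AEAD{}, map[string]cipher.AEAD{}} }
// Generate creates a random AES-256 key, wraps it in GCM and registers it as active.
func (ks *KeyStore) Generate(id string) error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil { return err }
	block, _ := aes.NewCipher(raw)  // cannot fail: the key is exactly 32 bytes
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	ks.active[id] = aead
	return nil
}
// Retire moves a key to decrypt-only; Destroy erases it, so data under it is unrecoverable.
func (ks *KeyStore) Retire(id string)  { if a, ok := ks.active[id]; ok { ks.retired[id] = a; delete(ks.active, id) } }
func (ks *KeyStore) Destroy(id string) { delete(ks.active, id); delete(ks.retired, id) }
// Encrypt seals plaintext under an active key; output is nonce || ciphertext || tag.
func (ks *KeyStore) Encrypt(id string, plaintext []byte) ([]byte, error) {
	aead, ok := ks.active[id]
	if !ok { return nil, errors.New("no active key: " + id) }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, []byte(id)), nil // key id bound as associated data
}
// Decrypt accepts active or retired keys; a destroyed key means the data is lost.
func (ks *KeyStore) Decrypt(id string, data []byte) ([]byte, error) {
	aead, ok := ks.active[id]
	if !ok { aead, ok = ks.retired[id] }
	if !ok { return nil, errors.New("key material unavailable: data is unrecoverable") }
	ns := aead.NonceSize()
	if len(data) < ns { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, data[:ns], data[ns:], []byte(id))
}
func main() { // walk one key through the lifecycle; the id and record are constructed samples
	ks := NewKeyStore(); _ = ks.Generate("payroll-2024")
	ct, _ := ks.Encrypt("payroll-2024", []byte("sample record"))
	ks.Retire("payroll-2024")
	pt, _ := ks.Decrypt("payroll-2024", ct) // retired: old data still readable
	ks.Destroy("payroll-2024")
	_, lost := ks.Decrypt("payroll-2024", ct) // destroyed: lost key, lost data
	fmt.Println(string(pt), "|", lost)
}
```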