What does regulation of cryptographic controls in ISO 27001 mean? The standard (control A.18.1.5 in ISO/IEC 27001:2013) requires that cryptographic controls are used in compliance with all relevant agreements, legislation and regulations. But in practice, what does this mean? And how can we identify and define it for our ISMS?
Firstly, it is important to understand that the regulation of cryptography differs between countries and regions. Some countries restrict the strength or type of cryptography that may be used, some require licences, key escrow or the ability to decrypt on demand, and a few prohibit its use by private parties altogether. These rules also change over time: France, for example, historically allowed cryptography to be used freely only for authentication and integrity purposes, with encryption for confidentiality subject to prior authorisation, before liberalising its rules in the early 2000s. Because the position in any one country can change, it must be checked against current law rather than assumed.
Organisations must understand where these restrictions apply, especially if they operate in, or transfer data through, those countries. In addition to restrictions on use, many jurisdictions control the import and export of cryptographic hardware and software (for example through the Wassenaar Arrangement and national export control regimes such as the US EAR and the EU dual-use regulation). This matters where, for example, end-to-end encryption is to be deployed in every country in which the organisation operates: if the product cannot lawfully be imported into, or used in, one of those countries, the organisation's policy of encrypting all traffic cannot be realised there, and the gap must be recognised and risk-assessed rather than left as an unstated exception.
Regulatory and contractual requirements that mandate cryptography also need to be understood. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires the primary account number to be rendered unreadable wherever it is stored (by strong encryption, truncation, tokenisation or one-way hashing) and requires strong cryptography to protect cardholder data during transmission over open, public networks. Requirements such as these should be identified and the data in transit and at rest protected accordingly, including the associated demands on key management, since a mandated encryption control is only as strong as the protection of its keys.
Understanding this forms part of identifying all of the legal, regulatory and business requirements that the organisation is subject to, and those requirements should be formally identified, documented and tracked as they change. Knowing where cryptography must be used for regulatory purposes, and where its use is restricted by the law of a particular country, allows the organisation to apply cryptographic controls appropriately and consistently across the organisation.
So in terms of regulation of cryptographic controls in ISO 27001, the key points are to understand where the business operates and the legal requirements on cryptography in each of those countries, alongside the requirements to protect data under laws, regulations and contracts. PCI DSS mandates protection of stored and transmitted cardholder data; GDPR does not mandate encryption outright but names it in Article 32 as an appropriate technical measure, and under Article 34 encrypting personal data can remove the obligation to notify individuals of a breach. Once these requirements have been identified and documented, the organisation has assurance that its cryptographic controls are operated in line with the applicable regulations, and that data is protected in transit and at rest wherever the law allows.
For more information, see the resources for A.18 Compliance. (In ISO/IEC 27001:2022 this requirement is carried by control A.5.31, Legal, statutory, regulatory and contractual requirements.)