Understanding ISO 27001:2022 Annex A.10 – Cryptography

We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented.

Today we address ISO 27001:2022 Annex A.10, “Cryptography”, which plays a vital role in ensuring the confidentiality, integrity, and authenticity of sensitive information.

This annex provides guidelines for implementing cryptographic controls to protect data assets from unauthorized access, manipulation, and disclosure.



Importance of Cryptography

Cryptography is essential for securing data in transit, at rest, and in use. Annex A.10 underscores this importance by:

  1. Confidentiality: Encrypting data using cryptographic algorithms prevents unauthorized parties from accessing sensitive information.
  2. Integrity: Cryptographic hash functions help ensure the integrity of data by detecting any unauthorized alterations or tampering.
  3. Authenticity: Digital signatures and cryptographic certificates verify the authenticity of messages and the identity of parties involved in communication.

Implementing Annex A.10 in Practice

To effectively implement Annex A.10, organizations can follow these practical steps:

  1. Data Encryption: Identify sensitive data assets that require encryption, such as personally identifiable information (PII), financial records, or intellectual property. Implement encryption mechanisms to protect data both in transit and at rest.Example: Use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols to encrypt data transmitted over the internet, such as web traffic or email communications.
  2. Key Management: Establish key management procedures for generating, storing, distributing, and revoking cryptographic keys. Ensure that keys are protected from unauthorized access and securely stored.Example: Implement a key management system to generate and store cryptographic keys securely, enforce access controls, and rotate keys periodically to enhance security.
  3. Digital Signatures: Use digital signatures to authenticate the origin and integrity of electronic documents, messages, or transactions. Implement digital signature algorithms and certificate authorities to verify signatures and ensure their validity.Example: Digitally sign important documents, such as contracts or legal agreements, using a digital signature certificate issued by a trusted certificate authority.
  4. Hash Functions: Apply cryptographic hash functions to generate unique fingerprints or checksums for data integrity verification. Use hash algorithms such as SHA-256 or SHA-3 to compute hashes of data and compare them to verify integrity.Example: Calculate the hash value of files or documents before transmission or storage and compare it to the hash value generated at the destination to ensure data integrity.
  5. Cryptographic Controls: Implement additional cryptographic controls, such as message authentication codes (MACs), key derivation functions (KDFs), or random number generators (RNGs), to enhance security and protect against cryptographic attacks.Example: Use HMAC (Hash-based Message Authentication Code) to verify the integrity and authenticity of messages transmitted over insecure channels, such as public networks.

Audit of Compliance with Annex A.10

Auditing compliance with Annex A.10 is essential for evaluating an organization’s adherence to cryptographic controls. Here’s how the audit process typically unfolds:

  1. Audit Preparation: Gather documentation related to cryptographic policies, procedures, and controls. Appoint an audit team to facilitate the audit process.
  2. Audit Planning: Define the audit scope, objectives, and criteria. Develop an audit plan outlining activities, timelines, and responsibilities of auditors and auditees.
  3. On-site Audit: Conduct on-site visits to assess implementation of cryptographic controls. Review documentation, interview personnel, and observe cryptographic practices. Use checklists or assessment tools to evaluate compliance.
  4. Audit Findings: Analyze findings and identify areas of non-compliance or improvement opportunities. Document observations, including strengths and weaknesses in cryptographic implementation.
  5. Reporting: Prepare an audit report summarizing findings, conclusions, and recommendations for corrective actions. Share with senior management and stakeholders for review and action.
  6. Follow-up: Address audit findings by implementing corrective actions and improvements as recommended. Conduct follow-up audits to verify effectiveness of corrective measures and ensure ongoing compliance.


ISO 27001:2022 Annex A.10 highlights the importance of cryptography in protecting sensitive information and ensuring data security. By implementing robust cryptographic controls, organizations can safeguard data confidentiality, integrity, and authenticity against unauthorized access and manipulation. Regular audits help assess compliance with Annex A.10 requirements and drive continuous improvement in cryptographic practices.

The post Understanding ISO 27001:2022 Annex A.10 – Cryptography first appeared on Sorin Mustaca on Cybersecurity.