Cryptographic Controls Policy - SME

A 7-page, audit-ready policy mapped to 7 frameworks, providing clear rules for using encryption to protect your most sensitive data.

✅ 7 Pages 📄 ISO 27001:2022 • NIST • GDPR • NIS2 • DORA 🔒 Audit-Ready Format

This policy establishes your company's rules for encryption. It defines how to protect sensitive data—whether it's stored on a laptop, sent over the internet, or saved in a backup—using strong, industry-standard cryptographic controls.

  • Protect Data At Rest & In Transit: Mandate encryption for all company laptops, servers, and backups, and for all data sent over external networks.
  • Secure Your Website & Communications: Require strong SSL/TLS certificates for all company websites and encrypted channels for email and VPNs.
  • Manage Cryptographic Keys Safely: Establish a secure process for the entire lifecycle of your encryption keys, from generation to storage and rotation.
  • Meet Critical Compliance Needs: Fulfill key requirements for GDPR, NIS2, DORA, and ISO 27001:2022, which all mandate the use of encryption as a primary security control.

The Cryptographic Controls Policy - SME is a comprehensive guideline designed to safeguard sensitive and regulated data through robust cryptographic measures. Tailored for small and medium enterprises, this policy ensures that cryptographic tools are applied appropriately across all systems, devices, and cloud services. It underpins data security operations by supporting secure communications, enforcing access control, and ensuring compliance with international standards such as ISO/IEC 27001:2022, GDPR, and NIS2. In a world where data is a critical asset, this policy provides the structure and assurance needed to protect it effectively. Implementing this policy not only enhances data security but also instills confidence and peace of mind, knowing that sensitive information is securely managed and compliant with regulatory requirements.

What's Inside

  • Mandatory Encryption Use Cases
  • Acceptable Cryptographic Algorithms
  • Cryptographic Key Management
  • Encrypted Backups & Archives
  • Website (SSL/TLS) Certificate Management
  • Roles & Responsibilities
  • Risk Management & Exceptions
  • Compliance & Enforcement

Built for Leaders, By Leaders

This policy translates complex cryptographic concepts into a practical and manageable framework, enabling your business to deploy strong data protection without needing to be encryption experts. It was authored by a security leader to be a practical framework that stands up to auditor scrutiny.

Authored by an expert holding:

  • MSc Cyber Security, Royal Holloway UoL
  • CISM
  • CISA
  • ISO 27001:2022 Lead Auditor & Implementer
  • CEH

Framework Compliance

🛡️ Supported Standards & Frameworks

This product is aligned with the following compliance frameworks, with detailed clause and control mappings.

Framework: Covered Clauses / Controls

  • ISO/IEC 27001:2022: 8.1
  • ISO/IEC 27002:2022: 8.24, 8.25
  • NIST SP 800-53 Rev. 5: SC-12, SC-13, SC-17, SC-28
  • EU GDPR: Art. 32(1)(a), Art. 34
  • EU NIS2: Art. 21(2)(d), Art. 21(2)(e)
  • EU DORA: Art. 6(2)(d), Art. 9(2)(f)
  • COBIT 2019: DSS05.01, APO13.02

Part of a Complete ISMS Toolkit

This policy is one of 37 documents in our complete toolkit. When implemented as a set, our framework helps you achieve comprehensive compliance across major standards.

Coverage by framework when the full toolkit is implemented:

  • ISO 27001:2022: 100%
  • NIST: 95%
  • NIS2: 88%
  • DORA: 75%
  • GDPR: 70%

Related Policies

This foundational policy is directly linked to the following organizational security policies to ensure comprehensive alignment and traceability across the ISMS.

About This Policy

A Cryptographic Controls Policy defines an organization's formal strategy for using encryption to protect its sensitive data. For a Small or Medium-sized Enterprise (SME), this policy is a critical technical control that makes data unreadable and unusable to unauthorized parties. It specifies where encryption must be used (e.g., on laptops, servers, backups, and data transmissions), what encryption standards are acceptable, and how the cryptographic keys that lock and unlock the data are securely managed.

Implementing this policy is a direct requirement for compliance with major regulations like GDPR, which recognizes encryption as a key safeguard for personal data, and frameworks like ISO 27001:2022, which mandate risk-based controls. This policy provides a clear, auditable framework for your SME to follow, ensuring that your most valuable information is protected against data breaches, whether at rest on a device or in transit across the internet.

€29 (one-time purchase)

Start your path to compliance in minutes.

  • Instant download
  • Lifetime updates

Product Details

  • Type: policy
  • Category: SME
  • Standards: 7