Cryptographic Controls Policy - SME

The P18S Cryptographic Controls Policy is a specialized policy constructed for small and medium-sized enterprises (SMEs), distinctly tailored for simplified roles and processes, most notably the 'General Manager' role, rather than enterprise-specific titles like CISO or SOC. It ensures these organizations implement robust cryptographic controls that protect the confidentiality, integrity, and authenticity of business and personal data. The core purpose of this policy is to define mandatory requirements for encryption and other cryptographic measures, aligning directly with ISO/IEC 27001:2022 certification needs and regulatory frameworks such as the GDPR, NIS2 Directive, and EU DORA. The scope of the policy spans all personnel, including employees, contractors, and third parties, handling company data, and covers every business system, endpoint, or cloud platform that stores, transmits, or accesses confidential information. It applies to all classified data according to the company's data classification policy, and covers cryptographic controls such as encryption methods, certificates, keys, passwords, and security modules. Its protection requirements extend to data at rest, in transit, and in use, encompassing encryption for backups, email, external transfers, and organizational websites. Policy objectives are straightforward: protect sensitive and regulated data with appropriate cryptographic measures; establish accountability and responsibility for tool selection, configuration, and key management; and ensure strong preventive controls against unauthorized access, tampering, or data loss. The policy stresses strict adherence to legal and regulatory obligations requiring encryption and maintains the importance of effective certificate and key management to operational security. Roles and responsibilities are streamlined for SME context: the General Manager (GM) takes ownership of the policy and oversees enforcement and approval of exceptions. The IT Support Provider or internal IT administrator handles daily operation and upkeep of encryption technologies, certificates, and backup protection. A Privacy or Security Coordinator ensures ongoing compliance with data protection obligations, risk management, and legal defensibility. All staff and contractors are required to adhere to approved encryption use and must not bypass any security mechanism. Key governance features include annual policy review (or upon major breach or change), full documentation of all encryption/key management activities, and stringent requirements for the use of industry-standard cryptographic algorithms (such as AES-256, RSA 2048, and TLS 1.2 or newer). Deprecated or insecure protocols must be blocked, and all keys must be securely stored with controlled, regularly reviewed access, never in plain text. Backup encryption, certificate management, risk scenario planning, and a well-documented exception process are central requirements. Violations incur defined consequences, and all cryptographic failures are logged, investigated, and responded to as part of breach handling procedures. This policy corresponds to the SME template, making it particularly suitable for organizations with fewer resources or security-specialized staff while still delivering full alignment with ISO/IEC 27001:2022 and relevant regulatory demands.