An 8-page, audit-ready policy that establishes mandatory requirements for encryption and key management to ensure data confidentiality and integrity.
This policy defines the mandatory requirements for using cryptographic controls to protect the confidentiality, integrity, and authenticity of sensitive information. It establishes a formal governance structure for encryption, digital signatures, and key management, aligning with ISO 27001 and GDPR.
The Cryptographic Controls Policy provides a comprehensive framework to enhance security by enforcing robust cryptographic methods. The policy outlines critical requirements for secure key management, ensuring data confidentiality, integrity, and authenticity. Aligned with international standards like ISO/IEC 27001:2022 and legal mandates such as GDPR and DORA, it provides a structured approach to managing cryptographic controls effectively.
This policy was authored by a security leader with 25+ years of experience deploying and auditing ISMS frameworks for global enterprises. It's designed not just to be a document, but a defensible framework that stands up to auditor scrutiny.
This product is aligned with the following compliance frameworks, with detailed clause and control mappings.
| Framework | Covered Clauses / Controls |
|---|---|
| ISO/IEC 27001:2022 | Clause 8.1 |
| ISO/IEC 27002:2022 | Controls 8.24, 8.25, 8.27 |
| NIST SP 800-53 Rev.5 | SC-12 to SC-17, SC-28, SC-28(1), SC-12(3) |
| EU GDPR | Article 32, Articles 33–34, Recital 83 |
| EU NIS2 | Article 21(2)(d) |
| EU DORA | Articles 6(2)(d), 11(1)(c) |
| COBIT 2019 | DSS05.01, DSS06.06, MEA03 |
This policy is one of 37 documents in our complete toolkit. When implemented as a set, our framework helps you achieve comprehensive compliance across major standards.
Coverage by framework: ISO 27001 100%, NIST 95%, NIS2 88%, DORA 75%, GDPR 70%.
This policy provides foundational governance for all security measures and is supported by the following documents.
- Access Control Policy (P4): ensures logical access to cryptographic material is strictly limited.
- Risk Management Policy (P6): supports the risk assessment of cryptographic controls and key compromise scenarios.
- Asset Management Policy (P12): mandates classification of assets, which determines encryption requirements.
- Data Classification & Labeling Policy (P13): defines the classification levels that trigger specific encryption controls.
- Incident Response Policy (P30): outlines the response strategy for key compromise or certificate misuse.
The Clarysec Cryptographic Controls Policy establishes an authoritative framework for the use of encryption and key management within your organization. It directly addresses ISO 27001 Annex A control 8.24 and aligns with the technical requirements of GDPR, DORA, and NIS2, ensuring that your data protection strategy is both compliant and robust. The policy provides a list of approved algorithms, protocols, and key lengths to prevent the use of weak or outdated cryptography.
By implementing this policy, you create a structured governance model for the entire cryptographic lifecycle—from key generation and storage to rotation and destruction. It mandates secure practices for Public Key Infrastructure (PKI) and the use of technologies like TLS to protect data in transit. This policy is essential for any organization committed to maintaining the confidentiality and integrity of its most sensitive information assets.