Cryptographic Controls Policy

The Cryptographic Controls Policy (P18) establishes the mandatory controls that govern the use of cryptographic mechanisms throughout the organization to ensure the confidentiality, integrity, and authenticity of all sensitive and regulated information. Recognizing that cryptography is foundational to secure communications, regulatory compliance, and data protection, this policy describes detailed requirements aligned with leading global standards and evolving regulatory mandates. The primary purpose is to guarantee that appropriate cryptographic methods are consistently applied wherever sensitive data is transmitted, processed, or stored, building organizational trust and supporting secure operations across all business domains. The policy applies organization-wide, encompassing all business functions, personnel, and relevant third-party service providers engaged in cryptographic operations. Coverage extends across production, development, staging, backup, and disaster recovery environments, with explicit reference to systems handling Confidential, Highly Confidential, or Regulated data. Cryptographic use cases range from symmetric and asymmetric encryption, digital signatures, secure hashing, and API-level encryption to robust key generation, distribution, and destruction, including technologies such as Hardware Security Modules (HSMs), Trusted Platform Modules (TPMs), and Key Management Systems (KMS). A strong governance framework is established, led by the Information Security Manager or CISO, who owns the policy and ensures its compliance with ISO/IEC 27001:2022 Annex A Control 8.24, among others. The Cryptographic Operations Lead maintains the Approved Cryptographic Methods List (ACML) and Key Management Register, leading the review and integration of new technologies. Line managers, system administrators, asset owners, developers, and third-party providers are all given clear responsibilities for the approval, configuration, enforcement, and review of cryptographic controls within their areas. Annual reviews and Cryptographic Design Reviews (CDRs) are mandated for all new or modified deployments, ensuring alignment with current threats and regulatory requirements. Policy implementation requirements are comprehensive. Only organization-approved algorithms and protocols, including AES-256 for symmetric encryption, RSA 2048+/ECC for asymmetric, SHA-256/SHA-3 for hashing, and TLS 1.2+ for transport, may be used. A formal, centrally-managed key management process is defined, covering secure key generation, storage, usage, rotation, revocation, destruction, and certificate renewal. Role segregation and dual custody for sensitive operations ensure accountability and reduce insider risk, while continuous monitoring identifies certificate expiry, deprecated cipher use, and unauthorized key access. The treatment of risk, exceptions, and enforcement is rigorous. Deviation from standard algorithms requires a documented approval process, including risk assessment and compensating controls. Annual auditing of cryptographic controls, strict escalation for non-compliance or key compromise, and formal disciplinary or contractual remedies are all standard procedure. The policy is regularly reviewed and updated in response to new cryptographic vulnerabilities, regulatory change, operational audits, or significant tool upgrades, with centralized communication and version control through the ISMS Document Control Register.