1 · Purpose
This policy establishes the requirements for cryptography and data encryption policy within the CAO-400 Cybersecurity. It gives effect, in a single harmonised instrument, to the control objectives upon which recognised standards converge for this area.
2 · Scope
This policy applies to all information, systems, services, personnel and third parties within the scope of the management system.
3 · Policy statements
3.x · CAO-430 Policy Controls
The organisation shall establish, implement and maintain a coherent and effective approach to cryptography and data encryption, giving effect to the organisational control objectives set out below.
3.1 · CAO-431 Cryptographic Controls
The organisation shall establish, implement and maintain effective Cryptographic Controls, giving effect to the organisational controls set out below.
3.1.x · CAO-431 Organisational Controls
Essential taster — a preview of the Professional depth for this high-density control area.
3.2 · CAO-432 Cryptographic Key Management
The organisation shall establish, implement and maintain effective Cryptographic Key Management, giving effect to the organisational controls set out below.
3.2.x · CAO-432 Organisational Controls
3.3 · CAO-433 Data Encryption at Rest
The organisation shall establish, implement and maintain effective Data Encryption at Rest, giving effect to the organisational controls set out below.
3.3.x · CAO-433 Organisational Controls
3.4 · CAO-434 Data Protection in Transit
The organisation shall establish, implement and maintain effective Data Protection in Transit, giving effect to the organisational controls set out below.
3.4.x · CAO-434 Organisational Controls
3.5 · CAO-435 Data Masking and Minimisation
The organisation shall establish, implement and maintain effective Data Masking and Minimisation, giving effect to the organisational controls set out below.
3.5.x · CAO-435 Organisational Controls
3.6 · CAO-436 Data Leakage Prevention
The organisation shall establish, implement and maintain effective Data Leakage Prevention, giving effect to the organisational controls set out below.
3.6.x · CAO-436 Organisational Controls
3.7 · CAO-437 Data Retention and Secure Deletion
The organisation shall establish, implement and maintain effective Data Retention and Secure Deletion, giving effect to the organisational controls set out below.
3.7.x · CAO-437 Organisational Controls
3.8 · CAO-438 Data Security Management
The organisation shall establish, implement and maintain effective Data Security Management, giving effect to the organisational controls set out below.
3.8.x · CAO-438 Organisational Controls
Essential taster — a preview of the Professional depth for this high-density control area.
4 · Roles & responsibilities
- Governing body — approves this policy and oversees its effectiveness.
- Executive management — allocates resources and assigns control ownership.
- Control owners — implement, operate and evidence the controls in their area.
- All personnel & third parties — comply with this policy within their role.
5 · Compliance, monitoring & review
Compliance with this policy is mandatory. This policy is reviewed at least annually, or upon significant change to the threat, regulatory or technological environment. Exceptions require documented risk acceptance by the accountable owner.
