1. Purpose and Scope
This policy defines how the organisation protects information assets through cryptographic controls and encryption to ensure confidentiality, integrity, and availability. It applies to all employees, contractors, suppliers, and partners handling sensitive or regulated data.
Policy Statements:
- Cryptographic controls are documented and enforced, consistent with ISO/IEC 27001:2022 Annex A.10.1 (Cryptographic Controls).
- Encryption requirements align with NIST CSF v2.0 PR.DS (Data Security).
- Vendor and partner encryption obligations are integrated into contracts (GDPR Article 32, HIPAA Security Rule §164.312(a)(2)(iv)).
- Where PCI DSS applies, version 4.0 mandates encryption of cardholder data (Req. 3–4).
- Governance oversight is provided by the board, consistent with ISO/IEC 38500:2015 Clause 5.1–5.6 and, where applicable to the organisation’s jurisdiction, instruments such as US SOX Section 404 and equivalent national governance codes.
2. Governance and Accountability
Cryptography responsibilities are clearly defined and enforced.
Policy Statements:
- The board demonstrates leadership and commitment to cryptography governance (ISO 27001 Clause 5.1).
- A formally appointed Cryptography Officer is accountable for encryption standards (Clause 5.3).
- Department heads ensure compliance within their teams.
- Quarterly cryptography performance reports are presented to the Audit & Risk Committee in the form required by applicable governance instruments; representative reference points include US SOX Section 404, South Africa King IV Principle 12, and equivalent national codes.
- Collaborative cryptography responsibilities with suppliers and partners are documented and reviewed annually (ISO 44001 Clause 5.2).
- Cryptography governance aligns with the COSO Internal Control — Integrated Framework (Principle 1: Governance & Culture) or equivalent internal-control framework adopted by the organisation.
3. Risk Management
Cryptography risks are identified, assessed, and treated systematically.
Policy Statements:
- Risk assessments include cryptography risks quarterly (ISO 27001 Clause 6.1.2).
- Risk treatment plans are documented and approved (Clause 6.1.3).
- Encryption risks are integrated into enterprise risk registers (ISO 22301 Clause 8.2).
- Shared risk registers with strategic partners include cryptography risks (ISO 44001 Clause 6.3).
- Cryptography risk assessments are embedded into the organisation’s enterprise risk management framework — COSO ERM (Principle 6: Risk Identification & Assessment), ISO 31000:2018, or equivalent ERM framework adopted by the organisation.
4. Cryptography Standards
Approved cryptographic standards are enforced across the organisation.
Policy Statements:
- Only approved algorithms (AES‑256, RSA‑2048, SHA‑256) are permitted (ISO 27001 Annex A.10.1.1).
- Encryption for sensitive data at rest and in transit follows the encryption requirements of applicable data protection law; representative references include EU GDPR Article 32 and POPIA Section 19(2).
- Key management lifecycle is documented, covering generation, storage, rotation, and destruction (ISO 27001 Annex A.10.1.2).
- Cloud encryption aligns with ISO/IEC 27017:2015 Clause 9.1 (Cloud Security Controls).
- Where PCI DSS applies, version 4.0 requires strong cryptography for cardholder data (Req. 3–4).
- Where HIPAA applies, encryption of electronic protected health information is mandated (§164.312(a)(2)(iv)); equivalent obligations exist under other health-data protection regimes.
5. Monitoring and Oversight
Cryptography compliance is monitored continuously.
Policy Statements:
- Encryption logs are retained for 12 months and reviewed weekly (ISO 27001 Annex A.12.4.1).
- Key management activities are audited quarterly.
- Vendor compliance is monitored through audits (SOC 2 Confidentiality Criteria).
- Corrective actions are tracked and verified (ISO 9001 continual improvement).
- Monitoring aligns with NIST CSF DE.CM (Detection & Monitoring).
6. Incident Response and Continuity
Cryptography integrates with incident response and continuity planning.
Policy Statements:
- Cryptographic failures trigger incident response procedures (ISO 27001 Annex A.16.1).
- Breach notifications include encryption status under applicable data protection law; representative references include EU GDPR Articles 33–34 and POPIA Section 22.
- Vendor encryption failures are escalated through contractual obligations (ISO 44001 Clause 7.4).
- Cryptography incidents integrate with enterprise risk reporting channels (COSO Principle 17, or equivalent).
- Continuity plans validate encryption effectiveness during recovery (ISO 22301 Clause 8.4).
7. Training and Awareness
Employees and partners are trained to comply with cryptography standards.
Policy Statements:
- Annual cryptography training is mandatory (ISO 27001 Annex A.7.2.2, PCI DSS Req. 12.6).
- Role‑specific training is provided to administrators and developers.
- Awareness campaigns reinforce encryption culture.
- Vendors must provide evidence of cryptography training for their staff (SOC 2 CC6.3).
8. Compliance Obligations
Cryptography complies with applicable laws and standards.
Policy Statements:
- Obligations under applicable data protection and health-data law are integrated into encryption standards; representative regimes include EU GDPR, POPIA, HIPAA, and California CCPA/CPRA.
- Cross-border encryption obligations follow the lawful transfer mechanisms of applicable data protection law in each operating jurisdiction; representative references include EU GDPR Chapter V and Mauritius DPA Section 36.
- The organisation maintains a living register of data protection obligations applicable to its jurisdictions of operation; representative reference points include Singapore PDPA, India DPDP Act, and Brazil LGPD.
- Cryptography obligations under the AU Convention on Cybersecurity (2014) are observed where the organisation operates in signatory states.
9. Audit and Assurance
Independent audits validate cryptography effectiveness.
Policy Statements:
- Internal audits of cryptography are conducted annually (ISO 27001 Clause 9.2).
- Management reviews cryptography performance quarterly (Clause 9.3).
- External audits validate compliance with recognised assurance frameworks applicable to the organisation’s market context; representative reference: SOC 2 Confidentiality Criteria (AICPA).
- Corrective actions are tracked and verified (ISO 9001 continual improvement).
10. Appendices
- Appendix A: Approved Cryptographic Algorithms List.
- Appendix B: Key Management Lifecycle Procedures.
- Appendix C: Encryption Standards for Databases, Files, and Communications.
- Appendix D: Vendor Encryption Obligations Checklist.
- Appendix E: Cryptography Incident Escalation Flowchart.
- Appendix F: Cryptography Training Curriculum.
- Appendix G: Cryptography Audit Schedule.
Enterprise and Conglomerate implementation content will be added here.