Checklist of ISO/IEC 27001-A.10.1.1 Policy on the use of cryptographic controls


Data is the lifeblood of organizations, and the need to protect it has never been more critical. 

Encryption is a vital tool in the fight against cyber threats and data breaches. 

The use of cryptographic controls can help prevent unauthorized access to sensitive data, ensuring confidentiality, integrity, and authenticity. 

This article focuses on A.10.1.1 – Policy on the use of cryptographic controls, as outlined in ISO 27001:2013, and provides a checklist to help organizations assess their cryptographic control policies.

Sample Checklist:

  • Determine if encryption is required and if so, for which information systems, networks, applications, etc.
  • Identify the general principles or circumstances under which information should be protected through cryptography.
  • Specify the standards to be applied for the effective implementation of cryptography.
  • Establish a risk-based process to determine and specify the protection required.
  • Ensure alignment with any documented requirements relating to IT equipment or services covered by contracts
  • Identify related security issues and trade-offs, such as the effects of encryption on content inspection for malware, information disclosure, etc.
  • Ensure adherence to applicable laws and regulations, such as export restrictions.


A.10.1.1 highlights the importance of having a policy on the use of cryptographic controls. 

It is essential to assess the need for encryption, identify the systems and information that require protection, and implement appropriate standards and processes. O

Organizations must also consider the trade-offs of encryption, such as the impact on content inspection and ensure compliance with applicable laws and regulations. 

By following the checklist outlined in this article, organizations can ensure that their cryptographic control policies are comprehensive and effective in protecting their sensitive data.

See also  Checklist of ISO/IEC 27001-A.12.6.1 Management of technical vulnerabilities

Leave a comment

Your email address will not be published. Required fields are marked *