
Control 8.24: Use of Cryptography


Summary

Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. This ensures that data remains confidential and authentic both at rest and in transit.


Applicability

In-Scope: Mandatory for all organizations. Encryption is the final line of defense for data protection: if the physical or logical perimeter fails, properly encrypted data remains useless to an attacker who does not also hold the keys.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Data at Rest: Enforce BitLocker drive encryption for all endpoints via Microsoft Intune and ensure that Azure storage and databases use Transparent Data Encryption (TDE).

  • Data in Transit: Require the use of TLS 1.2 or higher for all communications and utilize Microsoft Purview Message Encryption (OME) for sensitive external emails.

  • Key Management: Use Azure Key Vault to securely store, manage, and rotate cryptographic keys, secrets, and certificates, ensuring they are never hard-coded in scripts or applications.
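As an added example (not code from this page or from Microsoft), the following PowerShell gathers the endpoint-side evidence for the first two bullets from one Windows host: BitLocker status per volume and whether legacy Schannel protocols are explicitly disabled so that TLS 1.2 is the floor. It assumes an elevated session with the BitLocker module present; the registry paths are the standard Schannel keys, and the report layout is this example's own.

```powershell
# Added example: collect local Control 8.24 evidence (disk encryption, TLS protocol settings)
# from one Windows endpoint. Assumes an elevated session with the BitLocker module present;
# the Schannel registry keys are the standard ones, the output layout is this example's own.

function Get-BitLockerEvidence {
    # One record per OS/data volume: compliant only if fully encrypted AND protection is on
    # (ProtectionStatus 'Off' means the key protectors are suspended and the disk is readable).
    Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                VolumeStatus     = "$($_.VolumeStatus)"      # FullyEncrypted, FullyDecrypted, ...
                ProtectionStatus = "$($_.ProtectionStatus)"  # On / Off
                EncryptionMethod = "$($_.EncryptionMethod)"  # e.g. XtsAes256
                Compliant        = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
            }
        }
}

function Get-SchannelTlsEvidence {
    # Legacy protocols must be explicitly disabled (Enabled = 0); TLS 1.2 must not be disabled.
    # A missing value means the OS default applies, which this check deliberately does not
    # accept as proof of disablement for SSL 3.0 / TLS 1.0 / TLS 1.1.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $base "$proto\$side"
            $enabled = $null
            if (Test-Path $key) { $enabled = (Get-ItemProperty -Path $key).Enabled }
            $compliant = if ($proto -eq 'TLS 1.2') { $enabled -ne 0 } else { $enabled -eq 0 }
            [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = $enabled; Compliant = $compliant }
        }
    }
}

# Build one JSON report per host; these files are the artefacts to hand to the auditor.
$report = [pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Collected = (Get-Date).ToString('o')
    BitLocker = @(Get-BitLockerEvidence)
    Schannel  = @(Get-SchannelTlsEvidence)
}
$report | ConvertTo-Json -Depth 4 | Set-Content -Path "$env:COMPUTERNAME-crypto-evidence.json"
$report.BitLocker | Format-Table -AutoSize
$report.Schannel  | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it through Intune or your endpoint management tool as a scheduled script and retain the JSON files; a non-empty second table or any volume with Compliant = False is a finding to remediate before the audit.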


Evidence Checklist

  • Cryptography Policy: Documented standards for encryption algorithms, key lengths, and rotation intervals (e.g., AES-256).

  • Key Management Records: Evidence that cryptographic keys are stored securely and that access to them is strictly controlled and logged.

  • Compliance Reports: Logs from Intune or Azure showing that 100% of sensitive storage is currently encrypted.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How does the organization ensure that the master keys used for data encryption are protected from unauthorized access or accidental loss?

  • What is the process for rotating encryption keys when a member of the technical team with access to the keys leaves the organization?

  • Can you demonstrate that your data is encrypted while in transit across the public internet?

  • What standard do you use to determine which information assets require encryption versus those that do not?