ISO/IEC ENCRYPTION CONTROLS
Most companies think of ISO compliance as adherence to standards and strategic tools created by a non-governmental entity so that products and services can be used uniformly throughout the world in a safe and reliable way, promoting ease of use and high quality.
Companies use ISO standards compliance to help reduce costs, eliminate waste and to minimize manufacturing mistakes to increase productivity and revenue. ISO compliance ensures that new technologies use standards, compatible processes, and mechanisms, so that entry into new markets requiring integration with existing products or practices is possible without rework in developing and in developed countries.
Most companies do not consider cryptography when pursuing ISO compliance, but it is covered by the standard and may require a related certification and audit.
ENCRYPTION AND CRYPTOGRAPHY
Encryption is a process, or mechanism, that protects data by using cryptographic coding to convert plaintext (human-readable words and numbers used to communicate) into ciphertext (scrambled data, unreadable by humans, that represents the plaintext). During transmission and at rest on a computer system or machine, plaintext is changed into unintelligible data and converted back to human-readable plaintext once it reaches the recipient's computer.
Plaintext words and numbers are scrambled as they move throughout the internet on their way to the recipient so that an unauthorized person or entity cannot decipher and understand this text before it gets to the recipient. Encryption provides data protection as the data moves and also when the data is at rest residing on a computer or other machine.
Once the recipient receives this scrambled data, it is changed from ciphertext (not readable by a human) back to plaintext so that it is human-readable.
During the transfer of this data, unauthorized people or machines can decrypt it to a readable form only if they have the cryptographic key, a seed which is used to start the decryption process. See Minutillo, "Data Protection by Encryption: Use a Random, Nondeterministic Seed," The Computer and Internet Lawyer, Volume 31, Number 2.
WHY IS ENCRYPTION NECESSARY?
Companies throughout the world are required to encrypt data in their possession or control by the laws of various government agencies, by their customers, partners or others for data safety, or by best-practice standards, so that the wrong people do not obtain unscrambled information or develop code to easily unscramble it if it is encrypted. This is especially so in the financial world. Could you imagine if financial data were not protected as it moves throughout the internet?
How do encryption standards and compliance processes become standardized? The International Standards Organization (ISO) is the primary developer of standards throughout the world. Its membership includes national, governmental and quasi-governmental standards authorities of countries in the world.
These standards are developed through the tedious and uncompromising work of many of the best technical experts. Because of the long-lasting and far-reaching effect of these standards, each standard is scrutinized and revised to near perfection through many revisions before publication. Once the standard is set, it is implemented by many companies and governments around the world, so each standard has a far-reaching effect.
ISO 27001 AND 002
ISO 27001 is the result of an effort by these technicians to update a previous standard (BS 7799-2). The stated purpose of ISO 27001 is to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System” (ISMS).
ISO 27002 details the components that make up a compliant ISMS. Companies can use the combined guidance of 27001 and 27002 to create a compliant ISMS. Once a compliant ISMS is in place, a company can certify its ISMS against the ISO 27000 guidance.
If a company is not ISO 27001 compliant, partners, customers, resellers, etc., may consider it risky to engage that company, particularly if it is a financial institution.
WHO CAN USE ISO 27001 AND WHY CERTIFY?
Any business, government agency, academic institution, or other organization desiring to implement a data protection plan can apply the guidelines and certification requirements of the ISO 27001. Without such compliance, customers and partners may not want to do business with an entity.
The standards outlined in ISO 27001 can be used to create and implement data security requirements and security management processes and to implement information security systems reflecting this standard.
If a company must be compliant with ISO 27001, then it must have an operable system in place to protect information under its control using a cryptographic process. This is a formal specification with specific mandated criteria, which makes the company subject to audit and certification to ensure compliance with the standards outlined in ISO 27001.
Certification helps prove compliance with high data safety standards. Many companies are asked by their customers and partners to certify that they are in compliance with ISO provisions, including implementation of an ISMS. Once a certification is signed indicating compliance, then, depending on the customer or partner, an audit might be requested or required so that implementation and related compliance are verified.
In many cases, if a company wants to do business with a certain customer, compliance with ISO provisions relating to the implementation of an ISMS is mandatory by contract or otherwise.