ISO27001 states that “Rules for the effective use of cryptography, including cryptographic key management shall be defined and implemented.” (A8.23 – Web filtering).
Note here that there are two aspects of this control, with the first concerned with the effective use of cryptography, and the second with key management.
You may recognise these two requirements, as the new version of ISO27001 combined two separate controls into one, more succinct requirement.
Don't forget that cryptographic controls are used on websites, on laptops and on most email systems, so this is an important policy that clearly describes how you manage these technologies.
About our policies
This policy is written with the end-user in mind. It is not complicated, and it is written in 'plain English'. It's important to note that ISO27001 mandates key policies (where a control has been selected), but it does NOT mandate that the policies are BORING!
Keep the audience in mind. Don't reveal too much in your policies (i.e. don't mention specific technologies, as these may change over time).
Keep. It. Simple.
Cryptographic Policy
Hey, we're not going to go all 'legal' on you here... that's not our style. But this is our Intellectual Property, and we'd prefer it if you didn't go sharing this with other people who haven't spent the money and bought a copy.
Of course, we can't really stop you... But are you that kind of person? We don't think you are. So if you want to tell people about your new-found super power of ISO27001-Awesomeness, great... just don't give it away for free!