A.8.24 Use of Cryptography
M365 Admin Path: Microsoft Intune admin center > Endpoint security > Disk encryption; Microsoft Entra admin center > Devices > BitLocker keys; Azure Portal > Key vaults
What is this control?
ISO 27001 control A.8.24 Use of Cryptography requires the proper and effective use of cryptography to protect the confidentiality, authenticity, and integrity of information in line with business, security, privacy, legal, and regulatory requirements. In practice the control is met by encrypting pervasively with industry-standard strong algorithms, AES-256 for data at rest and TLS 1.2 or higher for data in transit, backed by robust key management across the whole key lifecycle.
How to implement in Microsoft 365
Implement A.8.24 by enforcing TLS 1.2 or higher on all web-based access to organisational resources. Disable older protocols, including TLS 1.0 and 1.1, and weak ciphers at the service configuration level. Implement full disk encryption on all managed endpoints via Microsoft Intune, using BitLocker for Windows or FileVault for macOS, with a coverage target of 95% or higher.
Deploy Azure Storage Service Encryption on all Azure Storage Accounts with AES-256. Enable Azure SQL Transparent Data Encryption on all databases. Configure Azure Disk Encryption on Azure VM disks.
Deploy Microsoft Purview sensitivity labels for persistent file-level encryption of sensitive data.
What an auditor looks for
Auditors will verify that 95% or more of endpoints have BitLocker or FileVault encryption enabled with recovery keys escrowed. They will check that a TLS 1.2 minimum is enforced on all Azure services, with TLS 1.0 and 1.1 disabled. Auditors will verify that Azure Storage Service Encryption is enabled on all storage accounts with AES-256.
They will check that Azure SQL TDE is enabled on all databases. Auditors will verify the Azure Key Vault configuration, with access policies, soft delete, purge protection, and audit logging enabled.
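The implementation steps above and the auditor checks that follow them map to a small set of settings per resource type, so the evidence can be checked mechanically before an audit. The following script is an added example, not Microsoft tooling or part of this guidance; it evaluates a constructed evidence export (field names such as keyEscrowed, sseEnabled, tdeState and purgeProtectionEnabled are assumptions for the example, not the real Intune or Azure export schema) against the criteria stated on this page: the 95% endpoint coverage target counted only for devices that are both encrypted and have an escrowed recovery key, a TLS 1.2 minimum on storage accounts, storage service encryption, SQL TDE, and the Key Vault hardening properties.

```python
"""Offline evidence check for ISO 27001 A.8.24 settings in an M365/Azure estate.

Added illustrative example. The evidence structure below is constructed and
simplified; in practice it would be built from Intune device reports, the
Entra BitLocker key inventory and Azure resource properties.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Thresholds taken from the guidance text.
COVERAGE_TARGET = 0.95
ALLOWED_MIN_TLS = {"TLS1_2", "TLS1_3"}
REQUIRED_KEY_VAULT_FLAGS = ("softDeleteEnabled", "purgeProtectionEnabled", "auditLoggingEnabled")


@dataclass(frozen=True)
class Finding:
    area: str       # "endpoint", "storage", "sql" or "keyvault"
    resource: str   # name of the non-compliant object ("fleet" for the coverage figure)
    issue: str      # short, actionable description


# Constructed sample evidence (hypothetical resource names).
SAMPLE_EVIDENCE: Dict[str, list] = {
    "devices": [
        {"name": "WIN-001", "os": "Windows", "encrypted": True, "keyEscrowed": True},
        {"name": "WIN-002", "os": "Windows", "encrypted": True, "keyEscrowed": True},
        {"name": "WIN-003", "os": "Windows", "encrypted": True, "keyEscrowed": True},
        {"name": "WIN-004", "os": "Windows", "encrypted": False, "keyEscrowed": False},
        {"name": "WIN-005", "os": "Windows", "encrypted": True, "keyEscrowed": True},
        {"name": "MAC-001", "os": "macOS", "encrypted": True, "keyEscrowed": True},
        {"name": "MAC-002", "os": "macOS", "encrypted": True, "keyEscrowed": False},
        {"name": "MAC-003", "os": "macOS", "encrypted": True, "keyEscrowed": True},
    ],
    "storageAccounts": [
        {"name": "stcorpdata", "minimumTlsVersion": "TLS1_2", "sseEnabled": True},
        {"name": "stlegacyarchive", "minimumTlsVersion": "TLS1_0", "sseEnabled": True},
    ],
    "sqlDatabases": [
        {"name": "crm-db", "tdeState": "Enabled"},
        {"name": "reporting-db", "tdeState": "Disabled"},
    ],
    "keyVaults": [
        {"name": "kv-prod", "accessPolicies": ["app-crm"], "softDeleteEnabled": True,
         "purgeProtectionEnabled": True, "auditLoggingEnabled": True},
        {"name": "kv-dev", "accessPolicies": ["dev-team"], "softDeleteEnabled": True,
         "purgeProtectionEnabled": False, "auditLoggingEnabled": False},
    ],
}


def endpoint_coverage(devices: List[dict]) -> Tuple[float, List[str]]:
    """Return (compliant share, names of failing devices).

    A device only counts as compliant when the disk is encrypted AND the
    recovery key is escrowed: an encrypted disk with no escrowed key turns
    any hardware fault into unrecoverable data loss.
    """
    if not devices:
        return 0.0, []
    failing = [d["name"] for d in devices if not (d["encrypted"] and d["keyEscrowed"])]
    return 1 - len(failing) / len(devices), failing


def audit(evidence: Dict[str, list]) -> List[Finding]:
    """Evaluate every resource type against the A.8.24 criteria on this page."""
    findings: List[Finding] = []

    ratio, failing = endpoint_coverage(evidence["devices"])
    if ratio < COVERAGE_TARGET:
        findings.append(Finding("endpoint", "fleet",
                                f"encryption coverage {ratio:.0%} is below the {COVERAGE_TARGET:.0%} target"))
    findings.extend(Finding("endpoint", name, "not encrypted or recovery key not escrowed") for name in failing)

    for sa in evidence["storageAccounts"]:
        if sa["minimumTlsVersion"] not in ALLOWED_MIN_TLS:
            findings.append(Finding("storage", sa["name"],
                                    f"minimum TLS is {sa['minimumTlsVersion']}; TLS1_2 or higher required"))
        if not sa["sseEnabled"]:
            findings.append(Finding("storage", sa["name"], "storage service encryption disabled"))

    for db in evidence["sqlDatabases"]:
        if db["tdeState"] != "Enabled":
            findings.append(Finding("sql", db["name"], "Transparent Data Encryption not enabled"))

    for kv in evidence["keyVaults"]:
        if not kv.get("accessPolicies"):
            findings.append(Finding("keyvault", kv["name"], "no access policies defined"))
        for flag in REQUIRED_KEY_VAULT_FLAGS:
            if not kv.get(flag, False):
                findings.append(Finding("keyvault", kv["name"], f"{flag} is off"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EVIDENCE):
        print(f"[{f.area}] {f.resource}: {f.issue}")
```

Run against the sample evidence, the script reports the fleet coverage shortfall (75% against the 95% target), the two failing endpoints, the legacy storage account still accepting TLS 1.0, the database without TDE, and the development vault lacking purge protection and audit logging; an estate with no findings yields an empty list, which is the state an auditor expects to see evidenced.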
M365 capabilities that implement this control
Configure sensitivity labels with encryption protection