Socket Inc. has implemented a control for the effective use of cryptography and cryptographic key management. Is this compliant with ISO/IEC 27001? Refer to scenario 3.
A. No, the control should be implemented only for defining rules for cryptographic key management
B. Yes, the control for the effective use of the cryptography can include cryptographic key management
C. No, because the standard provides a separate control for cryptographic key management
Annex A.8.24 of ISO/IEC 27001 speaks to the "Use of cryptography" and highlights the following deliverables:
- Cryptographic Policy
- Key Management
- Legal and regulatory compliance
The scenario makes mention of the regulatory, legislative, key management and the company implementing rules for the effective use of cryptography (policy). This checks all the boxes, making B the answer.
The answer here is B
B. Yes, the control for the effective use of the cryptography can include cryptographic key management
Notes
Cryptography is a Preventative control
Clause 8.2 Use of Cryptography
To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography.
Should have a topic specific policy for cryptography which includes rules for key management (d)
upvoted 2 times
VenomOfTheTri
2 weeks, 6 days ago
Acrisius
2 months, 1 week ago