This document discusses encryption and secure communication. It explains that encryption encodes messages using algorithms and keys so that only authorized parties can decode them, preventing unauthorized access. The two main types of encryption algorithms are symmetric, used for sending the information itself, and asymmetric, used for sending both information and keys. Standards like ISO/IEC 27001 provide requirements for establishing and maintaining an effective information security management system that addresses risks through controls such as encryption. PECB offers training and certification services related to ISO standards to help organizations securely implement management systems.
What we all want is secure communication with each other. Secure communication means that two entities can communicate without interference from a third party.
As information technology and the Internet have advanced, the importance of securing private and commercial communication over the electronic protocols people use to communicate has grown as well.
One of the most important elements of securing communication is the encryption process. Encryption uses methods implemented with available technology to encode a message from plaintext to ciphertext. The encoded message can be decoded only by authorized parties who hold the key or secret password. This process does not prevent an attacker from obtaining the message, but the encryption algorithm prevents the disclosure of the message content to the attacker.
The two most commonly used kinds of encryption algorithms are symmetric and asymmetric (also called public-key encryption). Symmetric algorithms are typically used to send the actual information, whereas asymmetric algorithms are used to send both the information and the keys.
Encryption as a process has been known since ancient times and has developed over the years through different approaches. It is very difficult to determine whether an encryption method is unbreakable, because over the years it has been shown that, despite advanced encryption methods, there have been scenarios in which these algorithms were broken. Their security depends on the length of the ciphertext and the time it takes to break that ciphertext.
In addition, in today's world we hear more about breaches of secured communication than about the communication itself, which is why gaining access to sensitive data has become almost routine for some people. We often hear that our data are monitored by governments, internet service providers, hackers, thieves, etc. This is why cryptography is illegal in many countries.
Nevertheless, studying cryptography and encryption, or having dedicated systems within the organization, can strengthen its protection. Moreover, understanding the ideas behind encryption will also help individuals secure their private data and information.
Recent data security attacks have led to the compromise of many high-profile enterprise networks and to breaches of their data. Solutions are available, but they require action by company officers and administrators. Furthermore, these network security solutions should be part of the continuing involvement of the highest level of organizational management in their design, planning and implementation.
ISO/IEC 27001 is one of the most important standards providing a platform for achieving security. This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system.
Specifically, the standard specifies the requirements for forming, applying, operating, monitoring, reviewing, maintaining and improving an ISMS that addresses the root causes of information security risks. Organizations that maintain an ISO/IEC 27001-certified ISMS can help protect information with regard to confidentiality, integrity/authenticity, non-repudiation and authentication.
In addition, ISO 27002 gives a detailed explanation of the controls that are mandatory to implement under ISO 27001. According to one of these ISO 27001 controls, cryptographic controls across the organization, including the general principles under which business information should be protected, should be part of the organization's policy.
ISO 27002 gives guidance on how to strengthen the quality of the required encryption algorithm, how to use encryption to protect sensitive or critical information, whether stored or transmitted, how to use encryption keys that resist brute-force attacks, how to keep encryption keys confidential, etc.
Professional Evaluation and Certification Board (PECB) is a personnel certification body for a wide range of professional standards. It offers ISO 27001, ISO 22002 and ISO 20000 training and certification services for professionals wanting to support organizations in implementing these management systems. ISO standards and professional trainings offered by PECB:
• Certified Lead Implementer (5 days)
• Certified Lead Auditor (5 days)
• Certified Foundation (2 days)
• ISO Introduction (1 day)
Lead Auditor, Lead Implementer and Master are certification schemes accredited under ANSI ISO/IEC 17024.
Rreze Halili is the Security, Continuity, Recovery (SCR) Product Manager at PECB. She is in charge of developing and maintaining training courses related to SCR. If you have any questions, please do not hesitate to contact scr@pecb.org.
For further information, please visit www.pecb.org/en/training