
Encryption Policy Template

Introduction

Purpose and Use

Encryption is a fundamental control for protecting the confidentiality of data and, when an authenticated mode or a message authentication code is used, its integrity, particularly when data is stored on devices or transmitted across networks. This policy template sets out requirements for the use of encryption within the organisation to ensure sensitive information is appropriately protected. It aligns with Cyber Essentials, ISO/IEC 27001, UK GDPR and NCSC guidance.

Use this template to create an Encryption Policy that matches your organisation’s systems, data sensitivity, and regulatory obligations. It should be tailored to reflect your technology stack (e.g. on‑premises, cloud) and to specify acceptable algorithms, key management practices and implementation guidance.

Who This Template Is For

  • IT and security teams implementing encryption solutions.
  • Data owners and stewards responsible for sensitive information.
  • Organisations seeking compliance with ISO/IEC 27001, Cyber Essentials Plus and UK GDPR.

Alternative Names You Might See

  • Cryptography Policy
  • Data Encryption Policy
  • Encryption and Key Management Policy

Encryption Policy Template

1. Document Management

  • Organisation Name: [Insert organisation name]
  • Document Owner: [Role/title responsible for the policy]
  • Version: [e.g. 1.0]
  • Classification: [e.g. Internal / Public / Confidential]
  • Issue Date: [Date of current issue]
  • Next Review Date: [Date for next review]
  • Supersedes: [If applicable, previous versions]
  • Approval: [Senior management approval]
  • Change History: Include a table recording version, date, author and summary of changes.

2. Purpose

The purpose of this policy is to:

  1. Define requirements for encrypting data at rest and in transit across organisational systems and devices.
  2. Ensure that cryptographic controls meet recognised standards and are implemented consistently.
  3. Support compliance with legal and regulatory obligations, including UK GDPR, Data Protection Act 2018, ISO/IEC 27001 and Cyber Essentials.

3. Scope

This policy applies to:

  • All sensitive or confidential data processed, stored or transmitted by the organisation.
  • All systems, applications and devices used to store or transfer data, including servers, workstations, mobile devices, removable media and cloud services.
  • All employees, contractors and third parties handling organisational data.

4. Roles and Responsibilities

4.1 Senior Management / Board

  • Approve the Encryption Policy and allocate resources for implementation.
  • Ensure that encryption requirements are integrated into procurement and system development.

4.2 Information Security / IT Function

  • Define approved encryption algorithms, protocols and key lengths in line with industry standards (e.g. AES‑256, TLS 1.2/1.3).
  • Implement encryption solutions for data at rest (full-disk encryption, database encryption) and data in transit (TLS, VPN). SSL, in any version, is deprecated and must not be offered.
  • Manage cryptographic keys securely, including generation, distribution, rotation and destruction.
  • Monitor compliance with encryption requirements and remediate any gaps.

4.3 System Owners / Developers

  • Ensure that applications and systems under their control implement approved encryption controls.
  • Integrate encryption into system design and development processes.
  • Obtain approval from the IT/security function for any deviations from approved standards.

4.4 All Users

  • Use encrypted communication channels (e.g. VPN, HTTPS) for transmitting sensitive information.
  • Do not circumvent or disable encryption controls.
  • Report any issues with encryption implementations to IT/security.

5. Encryption Requirements

5.1 Data at Rest

  • Sensitive data stored on servers, desktops, laptops, mobile devices and removable media must be encrypted using approved algorithms and modes (e.g. AES‑256: XTS‑AES for full-disk encryption, an authenticated mode such as AES‑GCM for file and database encryption).
  • Full-disk encryption should be enabled on company-owned laptops and portable devices.
  • Database and file-level encryption should be used for particularly sensitive data (e.g. personal data, financial records).

5.2 Data in Transit

  • Sensitive data transmitted over public or untrusted networks must be encrypted using secure protocols (e.g. TLS 1.2/1.3, SSH, IPsec).
  • Email containing sensitive information should use encryption methods such as S/MIME, PGP or secure email gateways.
  • Wireless networks must use strong encryption (e.g. WPA3) and be configured with strong authentication.

5.3 Key Management

  • Cryptographic keys must be generated, stored and managed securely (e.g. using hardware security modules (HSMs) or secure key vaults).
  • Access to keys must be restricted to authorised personnel on a need-to-know basis.
  • Keys must be rotated periodically and upon suspected compromise.
  • Keys must be destroyed securely when no longer needed.
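The key lifecycle in 5.3 (generation from a cryptographically secure random source, restricted access, rotation, secure destruction), the AES‑256 data-at-rest requirement in 5.1 and the insecure random number generation pitfall noted in section 8, shown as an added Go example that is not part of this template. The Keyring type, Rotate, Retire and ReEncrypt are the example's own names; the in-memory keyring is a hypothetical stand-in for the HSM or key vault the policy requires. Keys come from crypto/rand, records are protected with AES‑256‑GCM under a versioned key, and a record written before a rotation is re-encrypted under the new key before the old one is retired.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Keyring is a hypothetical in-memory stand-in for the HSM or key vault the
// policy requires. Keys are indexed by version: only the current version is
// used to encrypt, older versions stay readable until they are retired.
type Keyring struct {
	keys    map[uint32][]byte
	current uint32
}

// Rotate draws a fresh 256-bit key from the operating system CSPRNG via
// crypto/rand (never math/rand, which is seedable and predictable) and makes
// it the current version.
func (kr *Keyring) Rotate() error {
	k := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(k); err != nil {
		return err
	}
	kr.current++
	kr.keys[kr.current] = k
	return nil
}

// Retire zeroises and drops a superseded version; the current key is protected.
func (kr *Keyring) Retire(version uint32) error {
	k, ok := kr.keys[version]
	if !ok || version == kr.current {
		return fmt.Errorf("key version %d cannot be retired", version)
	}
	for i := range k {
		k[i] = 0 // best-effort wipe before the last reference is dropped
	}
	delete(kr.keys, version)
	return nil
}

const headerLen, nonceLen = 4, 12 // big-endian key-version header, standard GCM nonce

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns version || nonce || ciphertext+tag under AES-256-GCM. The
// version header is bound as associated data, so rewriting it to point at a
// different key fails authentication instead of decrypting to garbage.
func (kr *Keyring) Encrypt(plaintext []byte) ([]byte, error) {
	aead, err := gcmFor(kr.keys[kr.current])
	if err != nil {
		return nil, err
	}
	out := make([]byte, headerLen+nonceLen)
	binary.BigEndian.PutUint32(out, kr.current)
	nonce := out[headerLen:]
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per message
		return nil, err
	}
	return aead.Seal(out, nonce, plaintext, out[:headerLen]), nil
}

// Decrypt selects the key named in the header and verifies the GCM tag.
func (kr *Keyring) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < headerLen+nonceLen {
		return nil, fmt.Errorf("ciphertext too short")
	}
	version := binary.BigEndian.Uint32(blob)
	key, ok := kr.keys[version]
	if !ok {
		return nil, fmt.Errorf("key version %d not available", version)
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce, ct := blob[headerLen:headerLen+nonceLen], blob[headerLen+nonceLen:]
	return aead.Open(nil, nonce, ct, blob[:headerLen]) // any tampering -> error
}

// KeyVersion tells a rotation job which key a stored blob still depends on.
func KeyVersion(blob []byte) uint32 { return binary.BigEndian.Uint32(blob) }

// ReEncrypt moves a blob from whatever version it carries onto the current key.
func (kr *Keyring) ReEncrypt(blob []byte) ([]byte, error) {
	pt, err := kr.Decrypt(blob)
	if err != nil {
		return nil, err
	}
	return kr.Encrypt(pt)
}
```

A rotation job in this model is: Rotate, scan stored blobs for KeyVersion below the current one, ReEncrypt each, and only then Retire the old version; retiring first would make those records unreadable, which is the same failure the key escrow add-on in section 11 guards against. Binding the version header as associated data means an attacker who edits the header to point at a different key gets an authentication error, not a silent wrong plaintext.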

5.4 Algorithm and Protocol Standards

  • Only approved cryptographic algorithms and protocols may be used. Insecure or deprecated algorithms and protocols (e.g. DES, 3DES, RC4, MD5 and SHA‑1 for signatures, SSL 2.0/3.0, TLS 1.0/1.1) are prohibited.
  • The IT/security function should periodically review and update the list of approved algorithms.
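One form the configuration reviews in section 6 can take for the data-in-transit and algorithm requirements in 5.2 and 5.4, added here as an example and not part of the template: CheckTLSConfig (an assumed name) compares a Go crypto/tls configuration with the standard, requiring an explicit TLS 1.2 floor, no cipher suite on Go's own list of insecure suites (tls.InsecureCipherSuites), and certificate verification left on, and shows a prohibited configuration beside the corrected one. WeakConfig and HardenedConfig are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// insecureSuites is keyed by cipher suite ID and built from Go's own list of
// suites the standard library flags as insecure (RC4, 3DES, CBC-SHA256, ...).
var insecureSuites = func() map[uint16]string {
	m := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() {
		m[s.ID] = s.Name
	}
	return m
}()

// CheckTLSConfig returns one finding per departure from section 5.4:
// an explicit TLS 1.2 floor, no deprecated cipher suites, and certificate
// verification left on (encryption without authentication is not "secure").
func CheckTLSConfig(cfg *tls.Config) []string {
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion not set; policy requires an explicit floor of TLS 1.2")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x is below TLS 1.2", cfg.MinVersion))
	}
	for _, id := range cfg.CipherSuites {
		if name, bad := insecureSuites[id]; bad {
			findings = append(findings, "prohibited cipher suite enabled: "+name)
		}
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify disables certificate validation")
	}
	return findings
}

// WeakConfig is a constructed example of what the policy prohibits:
// TLS 1.0 allowed, RC4 offered, and peer certificates never checked.
func WeakConfig() *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS10,
		CipherSuites:       []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
		InsecureSkipVerify: true,
	}
}

// HardenedConfig is the corrected form: TLS 1.2 or later with forward-secret
// AEAD suites only. TLS 1.3 suites are fixed by Go and need no listing.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

func main() {
	for name, cfg := range map[string]*tls.Config{"weak": WeakConfig(), "hardened": HardenedConfig()} {
		fmt.Printf("%s: %v\n", name, CheckTLSConfig(cfg))
	}
}
```

The check runs offline against the configuration object, so it fits a unit test or a pre-deployment gate; the same review of a running endpoint from outside is what tools such as testssl.sh or nmap's ssl-enum-ciphers script do. An unset MinVersion is flagged rather than trusted, because the library default has changed across Go releases and the policy asks for a stated floor.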

6. Implementation and Compliance

  • Encryption should be implemented at the appropriate layer (e.g. application, transport, storage) depending on the sensitivity and context.
  • Projects involving the development or procurement of new systems must include encryption requirements in their specifications.
  • Compliance with this policy will be monitored through configuration reviews, vulnerability assessments and audits.

7. Exceptions

  • Any exceptions to this policy must be documented, justified and approved by senior management.
  • Compensating controls must be implemented where encryption cannot be applied.

8. Training and Awareness

  • Staff must be trained on the importance of encryption and how to use encrypted services.
  • Development teams should receive guidance on implementing cryptography securely and avoiding common pitfalls (e.g. insecure random number generation, hard-coded keys, nonce reuse, unauthenticated cipher modes, home-grown algorithms).

9. Policy Communication

  • This policy must be communicated to all staff and relevant third parties. It should be accessible on the organisational intranet or Knowledge Base.
  • Updates should be provided when encryption standards or regulatory requirements change.

10. Supporting Policies and Standards

  • Password Policy – ensures strong passwords and passphrases for key stores, recovery keys and related accounts.
  • Access Control Policy – governs how encryption keys and encrypted data are accessed.
  • Data Classification Policy – identifies which data requires encryption.
  • Information Security Policy – overarching framework for protecting information assets.

11. Policy Add‑ons

Depending on your organisation’s needs, consider including:

  • Encryption for Cloud Services – specific guidance on encrypting data stored or processed in cloud environments.
  • Key Escrow Procedures – processes for securely storing copies of keys to allow recovery if primary keys are lost.
  • Hardware Encryption – requirements for self-encrypting drives or dedicated encryption appliances.

Use this template as a starting point and customise it to your organisation’s technology landscape and regulatory requirements. Review and update the policy regularly to keep pace with changes in cryptography standards and best practice.
