Encryption
The process of transforming readable data (plaintext) into ciphertext that can only be turned back into plaintext by parties who possess the correct decryption key. Encryption protects data confidentiality both at rest (stored data) and in transit (data being transmitted over networks).
Encryption is a core technical control for protecting the confidentiality of information. It ensures that even if data is intercepted or accessed by unauthorized parties, it remains unreadable without the corresponding decryption key. Confidentiality is the only property plain encryption guarantees: detecting tampering with the ciphertext requires an authenticated encryption mode (such as AES-GCM) or a separate message authentication code.
Encryption at rest protects stored data: databases, file systems, backups, and removable media. Common implementations include full-disk encryption, database-level encryption (such as Transparent Data Encryption), and application-level encryption for specific sensitive fields. Each layer defends against a different threat. Full-disk and database-level encryption protect against lost media or stolen storage but are transparent to anyone who can query the running system, whereas field-level encryption limits exposure even when the database itself is compromised. Encryption in transit protects data as it moves between systems, typically using TLS for web traffic (SSL is its deprecated predecessor and should no longer be enabled), encrypted VPN tunnels for network access, and encrypted protocols such as STARTTLS for email and SFTP or FTPS for file transfer.
Key management is often the most challenging aspect of encryption. Organizations must decide where encryption keys are stored, who (and which workloads) can use them, how they are rotated, and what happens if keys are lost or compromised. A lost key makes the encrypted data permanently unrecoverable, and a key stored alongside the data it protects adds little. Cloud providers offer key management services (AWS KMS, Azure Key Vault, Google Cloud KMS) that simplify key lifecycle management, but organizations should understand the shared responsibility model and whether they need customer-managed keys for regulatory compliance.
All major compliance frameworks require encryption. ISO 27001 Annex A includes a control on the use of cryptography, covering cryptographic policy and key management. SOC 2 addresses encryption under the Security and Confidentiality criteria. GDPR names encryption as an appropriate technical measure (Article 32), and it can serve as a safe harbor in breach notification: if the breached data was encrypted and the key was not compromised, notification to the affected individuals may not be required under Article 34, although the breach must still be reported to the supervisory authority under Article 33.
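The key-management questions above (where keys live, who can use them, how rotation works) and the application-level field encryption mentioned earlier are easiest to see together in code. The following Go program is an added example, not code from this page or from any KMS vendor: it implements envelope encryption with AES-256-GCM, where each record gets its own data encryption key (DEK) that is wrapped by a versioned key encryption key (KEK) held in a hypothetical in-memory stand-in for a key management service. The `kms` type, the `kek-v<n>` AAD label, the `Record` layout and the sample value are assumptions made for the example. Rotating the KEK re-wraps the 32-byte DEK and leaves the stored ciphertext untouched, which is what makes rotation cheap under envelope encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// must panics on error; any error reaching it here is a programming bug, not a runtime condition.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// aeadSeal encrypts with AES-256-GCM under a fresh random nonce; output is nonce||ct||tag.
func aeadSeal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// aeadOpen reverses aeadSeal; any change to nonce, ct, tag or aad makes it fail.
func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	aead := gcm(key)
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// kms is a hypothetical in-memory stand-in for a key management service: it
// holds key encryption keys (KEKs) by version and never releases a KEK.
type kms struct {
	keks [][]byte // keks[i] is KEK version i+1; last is current, older stay usable
}

// rotate adds a new KEK version and makes it current (call once before first use).
func (k *kms) rotate() { k.keks = append(k.keks, randBytes(32)) }

// wrapDEK encrypts a DEK under the current KEK with the version bound as AAD.
func (k *kms) wrapDEK(dek []byte) (uint32, []byte) {
	ver := uint32(len(k.keks))
	return ver, aeadSeal(k.keks[ver-1], dek, []byte(fmt.Sprintf("kek-v%d", ver)))
}

func (k *kms) unwrapDEK(ver uint32, wrapped []byte) ([]byte, error) {
	if ver == 0 || int(ver) > len(k.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", ver)
	}
	return aeadOpen(k.keks[ver-1], wrapped, []byte(fmt.Sprintf("kek-v%d", ver)))
}

type Record struct { // one encrypted field as stored in the database
	KEKVersion uint32 // which KEK wrapped the DEK
	WrappedDEK []byte // per-record DEK, encrypted under that KEK
	Ciphertext []byte // the field value, encrypted under the DEK
}

// EncryptField: one fresh DEK per record (so a nonce never repeats under a
// key) and the column name as AAD (so a value moved to another column fails).
func EncryptField(k *kms, fieldName string, value []byte) Record {
	dek := randBytes(32)
	ver, wrapped := k.wrapDEK(dek)
	return Record{ver, wrapped, aeadSeal(dek, value, []byte(fieldName))}
}

func DecryptField(k *kms, fieldName string, r Record) ([]byte, error) {
	dek, err := k.unwrapDEK(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, r.Ciphertext, []byte(fieldName))
}

// RewrapRecord re-wraps only the DEK under the current KEK; the field ciphertext is untouched.
func RewrapRecord(k *kms, r Record) (Record, error) {
	dek, err := k.unwrapDEK(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return Record{}, err
	}
	r.KEKVersion, r.WrappedDEK = k.wrapDEK(dek)
	return r, nil
}

func main() {
	k := &kms{}
	k.rotate()
	rec := EncryptField(k, "ssn", []byte("123-45-6789")) // constructed sample value
	k.rotate()
	rec, _ = RewrapRecord(k, rec)
	pt, err := DecryptField(k, "ssn", rec)
	fmt.Printf("%s decrypted via KEK v%d, err=%v\n", pt, rec.KEKVersion, err)
}
```

In a real deployment the wrap and unwrap calls are requests to the KMS API against a key identifier, the KEK never leaves the service, and who may call those two operations is exactly what access control and the audit trail govern. Two caveats the code relies on: the random 96-bit GCM nonce is safe only because each DEK encrypts a single record, so a DEK shared across many records would need a counter or a nonce-misuse-resistant mode; and retiring an old KEK version is only safe after every record that references it has been re-wrapped.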
Related terms
Access Control
The set of policies, procedures, and technical mechanisms that govern who can access which information assets, systems, and resources. Access control ensures that only authorized individuals can view, modify, or interact with sensitive data and systems.
Audit Trail
A chronological record of system activities that provides documentary evidence of the sequence of events — including who accessed what, when, and what actions were taken. Audit trails are essential for security monitoring, incident investigation, and compliance evidence.
Data Controller
Under GDPR, the entity that determines the purposes and means of processing personal data. The data controller decides why personal data is collected and how it will be used, and bears primary responsibility for compliance with data protection obligations.
Data Processor
Under GDPR, an entity that processes personal data on behalf of a data controller. The processor acts on the controller's instructions and must not process data for its own purposes. A Data Processing Agreement (DPA) governs the relationship between controller and processor.