
ISO/IEC 19790:2025—Security for Cryptographic Modules

Software developer creating a cryptographic module that adheres to ISO/IEC 19790:2025.

According to the IBM/Ponemon Institute report, the average total cost of a data breach in 2024 was $4.88 million. Data breaches in the healthcare industry were the costliest at $9.77 million on average, versus $6.08 million for financial services. A lack of security threatens to expose data and data models to breaches. Fortunately, by implementing cryptographic modules, businesses can secure communication and information in transit, preventing it from being read by untrusted parties. ISO/IEC 19790:2025—Information security, cybersecurity and privacy protection – Security requirements for cryptographic modules establishes security requirements for cryptographic modules.

Importance of Cryptographic Mechanisms

In information technology, there is an ever-increasing need to use cryptography: the practice of coding information to ensure that only the person that the message was intended for can read and process that information. Cryptography uses algorithms and mathematical concepts to transform messages into difficult-to-decipher codes through techniques like cryptographic keys and digital signing to protect data privacy, credit card transactions, email, and web browsing.

Cryptographic mechanisms refer to methods that use encryption techniques to protect data and ensure secure communication by making information unreadable without the correct key. Cryptographic mechanisms are paramount in not only safeguarding the confidentiality, integrity, reliability, and authenticity of data from unauthorized access but also retaining customers. The “Hiscox Cyber Readiness Report 2024” showed that 43% of organizations lost existing customers because of cyberattacks.

The security and reliability of such mechanisms are directly dependent on the cryptographic modules in which they are implemented, and as such, ISO/IEC 19790:2025 provides the security requirements for implementing cryptographic modules.

What Is ISO/IEC 19790?

ISO/IEC 19790:2025 specifies the security requirements for a cryptographic module used within a security system that protects sensitive information in Information and Communication Technologies (ICT). This international standard provides four increasing qualitative levels of security requirements intended to cover a wide range of potential applications and environments. The security requirements cover areas related to the design and implementation of a cryptographic module. These areas include:

  • Cryptographic module specification
  • Cryptographic module interfaces
  • Roles, services, and authentication
  • Software/firmware security
  • Operational environment
  • Physical security
  • Non-invasive security
  • Sensitive security parameter management
  • Self-tests
  • Life-cycle assurance
  • Mitigation of other attacks

Conformity with ISO/IEC 19790:2025 is not sufficient to assure that a module is secure or that the security provided by the module is sufficient and acceptable to the owner of the information that is being protected.
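To make several of the requirement areas listed above concrete, here is an added example of a toy cryptographic module boundary; it is illustrative code written for this page, not text from ISO/IEC 19790:2025 and not any certified product's implementation. It shows power-up self-tests (a software integrity test and known-answer tests), an error state in which no service is available, role-based operator authentication, and a crypto-officer-only zeroization service. The class and function names, the firmware bytes, the integrity key and the passwords are all constructed; the known-answer vectors are the public SHA-256("abc") value and RFC 4231 HMAC-SHA-256 test case 1.

```python
"""Added example: a hypothetical cryptographic module skeleton (not from the standard)."""
import hashlib
import hmac
from enum import Enum

# Public known-answer test (KAT) vectors: SHA-256("abc") and RFC 4231 HMAC test case 1.
SHA256_KAT_INPUT = b"abc"
SHA256_KAT_EXPECTED = bytes.fromhex(
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
HMAC_KAT_KEY = b"\x0b" * 20
HMAC_KAT_DATA = b"Hi There"
HMAC_KAT_EXPECTED = bytes.fromhex(
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")

# Constructed sample values for the demo (not real firmware or real secrets).
FIRMWARE = b"constructed firmware image v1"
INTEGRITY_KEY = b"constructed-integrity-key"
PASSWORDS = {"crypto_officer": "officer-pw-example", "user": "user-pw-example"}
CRED_SALT = b"constructed-salt"


class State(Enum):
    POWER_OFF = "power_off"
    OPERATIONAL = "operational"
    ERROR = "error"  # no cryptographic service is offered in this state


class Role(Enum):
    CRYPTO_OFFICER = "crypto_officer"
    USER = "user"


def compute_firmware_mac(key: bytes, image: bytes) -> bytes:
    """Integrity tag the module expects over its own code image."""
    return hmac.new(key, image, hashlib.sha256).digest()


class ToyModule:
    """Hypothetical module boundary: power-up self-tests gate every service."""

    def __init__(self, firmware, integrity_key, expected_mac, passwords):
        self.state = State.POWER_OFF
        self.errors = []
        self._firmware, self._key, self._expected_mac = firmware, integrity_key, expected_mac
        # Operator credentials are kept only as salted hashes (sensitive parameter handling).
        self._creds = {Role(r): hashlib.sha256(CRED_SALT + p.encode()).digest()
                       for r, p in passwords.items()}
        self._role = None  # currently authenticated operator role

    def power_on(self) -> State:
        """Run the software integrity test and the KATs; enter ERROR on any failure."""
        self.errors = []
        if not hmac.compare_digest(compute_firmware_mac(self._key, self._firmware), self._expected_mac):
            self.errors.append("software integrity test failed")
        if hashlib.sha256(SHA256_KAT_INPUT).digest() != SHA256_KAT_EXPECTED:
            self.errors.append("SHA-256 known-answer test failed")
        kat_mac = hmac.new(HMAC_KAT_KEY, HMAC_KAT_DATA, hashlib.sha256).digest()
        if not hmac.compare_digest(kat_mac, HMAC_KAT_EXPECTED):
            self.errors.append("HMAC-SHA-256 known-answer test failed")
        self.state = State.ERROR if self.errors else State.OPERATIONAL
        return self.state

    def authenticate(self, role: Role, password: str) -> bool:
        """Role-based operator authentication; always refused outside OPERATIONAL."""
        if self.state != State.OPERATIONAL:
            return False
        stored = self._creds.get(role)
        digest = hashlib.sha256(CRED_SALT + password.encode()).digest()
        if stored is not None and hmac.compare_digest(digest, stored):
            self._role = role
            return True
        return False

    def service_mac(self, key: bytes, data: bytes) -> bytes:
        """Approved service available to any authenticated operator."""
        self._require(Role.USER, Role.CRYPTO_OFFICER)
        return hmac.new(key, data, hashlib.sha256).digest()

    def service_zeroize(self) -> bool:
        """Crypto-officer-only service: destroy stored credentials and end the session."""
        self._require(Role.CRYPTO_OFFICER)
        self._creds = {}
        self._role = None
        return True

    def _require(self, *allowed: Role) -> None:
        if self.state != State.OPERATIONAL:
            raise RuntimeError(f"service refused: module state is {self.state.value}")
        if self._role not in allowed:
            raise PermissionError("service refused: role not authenticated for this service")


def run_demo() -> dict:
    """Boot a genuine image and a tampered one; return their observable behaviour."""
    good_mac = compute_firmware_mac(INTEGRITY_KEY, FIRMWARE)
    good = ToyModule(FIRMWARE, INTEGRITY_KEY, good_mac, PASSWORDS)
    tampered = ToyModule(FIRMWARE + b"!", INTEGRITY_KEY, good_mac, PASSWORDS)
    return {
        "good_state": good.power_on(),
        "good_login": good.authenticate(Role.USER, PASSWORDS["user"]),
        "good_mac_matches_kat": good.service_mac(HMAC_KAT_KEY, HMAC_KAT_DATA) == HMAC_KAT_EXPECTED,
        "tampered_state": tampered.power_on(),
        "tampered_errors": tampered.errors,
        "tampered_login": tampered.authenticate(Role.USER, PASSWORDS["user"]),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the skeleton is the ordering: nothing, not even authentication, is reachable until the integrity check and known-answer tests have passed, and a module whose image no longer matches its expected tag stays in the error state rather than silently serving requests. A real module under the standard has many more services and a far stricter boundary, but the gating shape is the same.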

Information Security Requirements

Information security requirements include encryption, risk management, vulnerability management, and more. These requirements are intended to protect the confidentiality, integrity, and availability of data. Information security requirements vary for different applications. As such, organizations should identify their information resources, determine how sensitive those resources are and what the impact of their loss would be, and then implement appropriate controls.

ISO/IEC 19790:2025 specifies that controls include, but are not limited to:

  • Physical and environmental controls
  • Access controls
  • System security maintenance and patch management
  • Backup and contingency plans
  • Information and data controls

The standard notes that these controls are only as effective as the administration of appropriate security policies and procedures within the operational environment.

ISO/IEC 19790:2025—Information security, cybersecurity and privacy protection – Security requirements for cryptographic modules is available on the ANSI Webstore.
