What is Encryption?
Encryption is the process of converting readable data into ciphertext using a cryptographic algorithm and key, so only parties holding the correct key can decrypt and read it. It protects data in transit (such as TLS) and at rest (such as disk or database encryption), preserving confidentiality even if storage or networks are compromised.
Encryption matters because it is the last line of defense for confidentiality: if a laptop is stolen, a database is exfiltrated, or traffic is intercepted, properly encrypted data is unreadable without the key. It is why so many regulations treat encryption as a near-default expectation, and why a lost device that was fully encrypted often does not trigger the same breach-notification obligations as an unencrypted one.
For example, a clinic transmitting patient records uses TLS so the data is encrypted in transit, and stores those records in an encrypted database so a stolen backup tape is useless to a thief. The protection only holds, though, if keys are managed well, weak or outdated algorithms are retired, and access to the keys is itself controlled.
A documented encryption (or cryptographic controls) policy speeds up audit readiness because ISO 27001, SOC 2, HIPAA, and GDPR all ask how you encrypt data and manage keys, and an examiner wants to see the standard written down, not just configured. A template gives you a defensible policy covering algorithms, in-transit/at-rest requirements, and key management quickly, but it does not encrypt anything: you still have to deploy TLS, enable disk and database encryption, and operate your key management for real.
Related terms: Data Classification · Access Control · Security Control · Protected Health Information (PHI)
Frequently asked questions
- Does encryption make us automatically compliant with HIPAA or GDPR?
- No. Encryption is one safeguard among many. Under the HIPAA Security Rule it is an 'addressable' implementation specification, meaning you must either implement it or document why an equivalent measure is used instead, and GDPR cites it as an example of an appropriate measure, not as a complete compliance solution. You still need policies, access controls, and governance around it.
- What is the difference between encryption at rest and encryption in transit?
- Encryption at rest protects stored data (on disks, databases, or backups) so it is unreadable if the storage is stolen or copied. Encryption in transit (such as TLS/HTTPS) protects data while it moves across networks so it cannot be intercepted and read en route. Most programs need both.
- If data is encrypted, do we still have to report a breach?
- Often not, if the encryption meets the relevant standard and the keys were not also compromised. Many breach-notification rules provide a safe harbor for properly encrypted data, which is a major reason encryption is so widely required. The exact threshold depends on the law that applies to you.
Toolkits that cover Encryption
ISO 27001 Complete Toolkit
All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.
SOC 2 Complete Toolkit
22 policies plus the risk register, full Trust Services Criteria mapping and audit evidence checklist — built for startups facing their first SOC 2.
HIPAA Compliance Toolkit — Medical Practices
18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written for small medical practices and clinics.
Learn more in our ISO/IEC 27001 guide, explore the editable policy templates, or browse the full compliance glossary.
