<CODE> Consultancy

Are you Y2Q Ready?

Prepare for Quantum-Safe Computing and deliver Agile Cryptography across your organisation.

WHAT IS <CODE>

Quantum computing is set to revolutionise technology, but it simultaneously poses a critical risk to the encryption methods protecting today’s global data.

The threat of "Harvest Now, Decrypt Later" (HNDL) means that intercepted confidential information remains vulnerable to future decryption, once competent quantum computers arrive, which according to Google could be as soon as 2029. The arms race moves on!

Led by Richard Brooks and Steven Kennedy CISSP, our team of senior industry consultants has extensive experience delivering security projects for global enterprises and telcos at the highest level.

Together we have designed <CODE> : <cryptographic discovery for enterprise>, as a discovery and planning service reacting to the technical threat of quantum computing and the legislative requirements being rolled out in the UK, Europe and globally.

We identify your cryptographic position by defining your Cryptographic Bill of Materials, and we then create your roadmap to make your infrastructure and applications crypto-agile and PQC compliant.

As the financial risk of using older cryptography (such as RSA and ECC) gets transferred onto organisations through legislation, your organisation must undertake this discovery process to manage corporate risk, satisfy cyber insurers and maintain trust with your customers and supply chain.

QUANTUM THREAT

Future Encryption Risk from Quantum Computers

HARVEST NOW
DECRYPT LATER

Data stolen today, decrypted and abused tomorrow

Cryptographic Compliance 

The threat of non-compliance is now your risk and liability, with financial penalties.

Understanding Your Cryptographic Estate to prepare for Quantum Safe Computing

The Regulatory & Compliance Imperative

The new legislative landscape is placing the burden of liability directly onto the enterprise through fines and timely reporting of risk:

 

  • UK Cyber Security & Resiliency Bill (2026): This bill is expected to pass into UK law in 2026, becoming fully live with fines and liability through 2027. It specifically brings Managed Service Providers (MSPs) and critical services such as NHS into scope first.  Key systems are in scope and must be crypto agile by 2030.

  • ISO 27001 Alignment: Our process supports ISO 27001 compliance by providing a detailed and specific risk audit for critical systems, ensuring that cryptographic policy statements and evidence are ISO 27001 audit ready.

  • NCSC / CAF 4.0: Meeting "Achieved" status for Principle B3 (Data Security) requires a deep understanding of your cryptographic environment and the ability to switch algorithms via configuration.

  • Global Mandates: By 2030, NIST will have deprecated vulnerable algorithms, and many global nation-states follow NIST and FIPS. 

legal + risk + IT + cyber assurance

<CODE> a Three-Phase Methodology

Our Process

We manage the transition from "Quantum Vulnerable" to "Quantum Agile" through a professional consultancy framework.

1. The <CODE> Definition Workshop

A scoping stage designed to align stakeholders and map your organization's cryptographic readiness.

 

  • Regulatory Analysis: We map your requirements against 2026/2027 legislative dates and identify critical essential functions requiring immediate protection.

  • Domain Scoping: We conduct a high-level review of organisational domains including: cloud, on-prem services, source code, IoT, and Identity/Access.

  • Outcome: A prioritised list of domains based on a Domain Risk Matrix and a draft implementation roadmap.

2. Automated Cryptographic Discovery

Using cryptography discovery tooling, we automate the "Discovery" and "Assessment" phases of a cryptographic audit.

 

  • C-BoM Generation: We produce a Cryptographic Bill of Materials (C-BoM) including algorithms, key lengths, and protocols in use across hybrid multi-cloud environments.

  • PQC Readiness Score: Our tools correlate keys with the services they protect, identifying cryptographic blind spots.

3. Analysis & Strategic Roadmap

We synthesize discovery data into a ranked list of risks and required changes.

  • Quick Wins: a small number of actions likely to reduce your exposure significantly and quickly.

  • Strategic Transformations: the more complex projects necessary to achieve long-term quantum safety, such as transitioning key management to PQC-agile software layers, and ensuring applications are crypto-agile. 

What do we leave you with? “Informed Governance”

At the conclusion of the programme, your leadership team will possess the tangible data required for informed governance:

Regulatory Compliance Report

An analysis of the legislation and financial liability risks impacting your organization.

Cryptographic Inventory
(C-BoM)

A detailed metadata inventory including algorithms, protocols, and expiry dates to satisfy CAF 4.0 status.

Detailed Consultancy Plan

A full execution roadmap including agreed timelines, costs, and a stakeholder RACI matrix.

Summative Board Presentation

A full execution roadmap including agreed timelines, costs, and a stakeholder RACI matrix.

How does <CODE> work with ISO 27001?

Is <CODE> a bottom-up or top-down process?

<CODE> is a bottom-up consultancy programme, a deductive process.

We have often been asked how <CODE>, the NCSC Cyber Assessment Framework, and ISO 27001 work together.

The Cryptographic Bill of Materials (C-BoM) informs the Cryptographic Audit actions and roadmap. This is structured by the Cyber Assessment Framework, which then is the auditable inspection resource for your ISO 27001 Agile Cryptography policy.

The National Cyber Security Centre Cyber Assessment Framework (CAF) 4.0 is a key document that structures the <CODE> programme.  

The most common question we get asked is, which parts of the CAF are related to cryptography and the quantum threat? 

At the heart of the CAF is the need to understand which key assets are using what cryptography, and whether that cryptography is agile and up to date, or static and outdated and in need of an update or rip-and-replace plan.

In our opinion the following sections of CAF 4 are directly relevant to the CODE consultancy programme, specifically regarding cryptographic discovery, vendor engagement, and the transition to a crypto-agile position:

1. Cryptographic Discovery & Inventory

  • Principle A3: Asset Management (A3.a): This section is foundational for discovering your "cryptographic estate".

    • WHY? - Because an "Achieved" status requires that all assets relevant to secure operation—which include cryptographic keys, certificates, and HSMs—are identified and inventoried at a suitable level of detail.

  • Principle B3: Data Security (B3.a): Requires identifying and cataloging all data important to the operation of essential functions, as well as maintaining a current understanding of data links used for transmission.

    • WHY? - Because data in transit is the prime risk for Harvest Now Decrypt Later attacks. This is the primary driver for a Cryptographic Bill of Materials (C-BoM).

  • Principle C1: Security Monitoring (C1.a): Relevant for identifying policy violations, such as the use of unauthorized or weak cryptographic protocols within network traffic.

    • WHY? - Because ‘legacy crypto’ is the target for quantum decryption. It's the attack surface.

2. Vendor Engagement & Crypto-Agility

  • Principle A4: Supply Chain (A4.a & A4.b): This is the core area for vendor engagement.

    • A4.a: Focuses on ensuring that critical suppliers demonstrate appropriate levels of cyber security.

    • WHY? Because your vendor's current cryptographic roadmap defines an update path or rip and replace, and this defines costs.

    • A4.b: Explicitly addresses Secure Software Development. An "Achieved" status requires that software suppliers can demonstrate a thorough understanding of the composition and provenance of their software, including third-party components.

    • WHY? Because your key applications must end up being "crypto-agile" for long term security by design.

  • Principle B4: System Security (B4.d): Covers Vulnerability Management. This is relevant for replacement roadmaps, as it requires "actively maximizing the use of supported software, firmware, and hardware" and promptly mitigating vulnerabilities in software packages (such as outdated cryptographic libraries).

    • WHY? Because in the longer term everything has to be crypto-agile, ready to shift encryption method if compromised.

3. Validating Cryptographic Robustness

  • Principle B3: Data Security (B3.b & B3.c): These sections provide the success criteria for the CODE program.

    • B3.b (Data in Transit): To reach "Achieved," an organization must have "justified confidence in the robustness" of the cryptography protecting data on non-trusted carriers.

    • WHY? Because data in transit on TLS is the highest threat, and is the current threat too for HNDL attacks.  

    • B3.c (Stored Data): Similarly requires justified confidence in the robustness of cryptographic protections for stored data.

    • WHY? Because data at rest is usually ‘long term’ important and if immutable will require an unbreakable cryptographic gate to pass through before being readable.

4. Configuration & Management

  • Ensuring that platforms conform to a "secure, defined baseline build".

    • WHY? Because once the cryptographic position is established, a new ‘acceptable’ baseline must be defined to include Post-Quantum Cryptography (PQC) and crypto-agility.

Built For

Compliance and Global Standards

<CODE> - We Are Ready.

Are You?
