What the auditor wants to verify
Audit objective
Verify that rules for effective cryptography and cryptographic key management are defined, implemented, communicated, and operated.
Evidence to request
| Evidence | Purpose |
|---|---|
| Cryptographic controls policy | Shows rules and responsibilities |
| Risk assessment/use case register | Shows where crypto is required |
| Approved algorithm/key standard | Shows technical choices are controlled |
| Key management register | Shows key lifecycle ownership and status |
| KMS/HSM/access controls | Shows keys are protected |
| Certificate/CA review | Shows certificates and CAs are controlled |
| Legal requirements assessment | Shows crypto use is legally considered |
| Escrow/recovery records | Shows recovery is controlled |
| Rotation/revocation/destruction records | Shows lifecycle operation |
Strong evidence
- Cryptographic decisions trace to risk and classification.
- Algorithms, key lengths, and protocols are approved and current.
- Keys have owners, purpose, lifecycle status, and rotation/expiry dates.
- Secret/private keys are protected by approved mechanisms.
- Public keys and certificates are protected against unauthorized replacement.
- CA or third-party KMS trust is reviewed.
- Key escrow/recovery is authorized, tested, and monitored.
Weak evidence
- Encryption exists but no one can explain the rules.
- Algorithms are selected by individual developers.
- Keys are stored in code, tickets, spreadsheets, or shared drives.
- Certificates expire without warning.
- Key rotation and revocation are informal.
- Legal restrictions are not assessed.
Sample interview questions
- When must cryptography be used?
- Which algorithms and key lengths are approved?
- Who owns cryptographic keys?
- How are private keys protected?
- How are keys rotated, revoked, and destroyed?
- How are certificates and CAs reviewed?
- What happens if a key is lost or compromised?
- Are legal restrictions on cryptography assessed?
Common nonconformities
- No cryptographic policy or standard.
- Weak or deprecated algorithms are used.
- Key inventory is missing.
- Secret/private keys are inadequately protected.
- Key rotation, revocation, or destruction is not performed.
- Certificate authority trust is not reviewed.
- Key escrow exists without authorization or monitoring.
Related notes
- Audit
- Evidence
- A8 24
- Iso27001
Note Metadata
Aliases: A.8.24 Evidence
Source: 04 Audit Evidence Packs/A.8.24 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.24 - Use of Cryptography
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.24 Use of Cryptography
- A.8.24 Audit Checklist
- Certificate Authority and Certificate Review
- Cryptographic Controls Policy
- Cryptographic Key Management Register
- Cryptographic Legal Requirements Assessment
- Cryptographic Use Case and Algorithm Register
- Key Escrow and Emergency Recovery Checklist
- Audit Evidence Index