UnixTime

Research Note

A.8.24 Audit Evidence Pack

- Cryptographic decisions trace to risk and classification. - Algorithms, key lengths, and protocols are approved and current. - Keys have owners, purpose, lifecycle status, and...

On this page

What the auditor wants to verify

Audit objective

Verify that rules for effective cryptography and cryptographic key management are defined, implemented, communicated, and operated.

Evidence to request

Evidence Purpose
Cryptographic controls policy Shows rules and responsibilities
Risk assessment/use case register Shows where crypto is required
Approved algorithm/key standard Shows technical choices are controlled
Key management register Shows key lifecycle ownership and status
KMS/HSM/access controls Shows keys are protected
Certificate/CA review Shows certificates and CAs are controlled
Legal requirements assessment Shows crypto use is legally considered
Escrow/recovery records Shows recovery is controlled
Rotation/revocation/destruction records Shows lifecycle operation

Strong evidence

  • Cryptographic decisions trace to risk and classification.
  • Algorithms, key lengths, and protocols are approved and current.
  • Keys have owners, purpose, lifecycle status, and rotation/expiry dates.
  • Secret/private keys are protected by approved mechanisms.
  • Public keys and certificates are protected against unauthorized replacement.
  • CA or third-party KMS trust is reviewed.
  • Key escrow/recovery is authorized, tested, and monitored.

Weak evidence

  • Encryption exists but no one can explain the rules.
  • Algorithms are selected by individual developers.
  • Keys are stored in code, tickets, spreadsheets, or shared drives.
  • Certificates expire without warning.
  • Key rotation and revocation are informal.
  • Legal restrictions are not assessed.

Sample interview questions

  • When must cryptography be used?
  • Which algorithms and key lengths are approved?
  • Who owns cryptographic keys?
  • How are private keys protected?
  • How are keys rotated, revoked, and destroyed?
  • How are certificates and CAs reviewed?
  • What happens if a key is lost or compromised?
  • Are legal restrictions on cryptography assessed?

Common nonconformities

  • No cryptographic policy or standard.
  • Weak or deprecated algorithms are used.
  • Key inventory is missing.
  • Secret/private keys are inadequately protected.
  • Key rotation, revocation, or destruction is not performed.
  • Certificate authority trust is not reviewed.
  • Key escrow exists without authorization or monitoring.