UnixTime

Research Note

ISO 27001 A.8.24 - Use of Cryptography

The organization should define when cryptography is required, what approved cryptographic methods may be used, who manages keys, how keys are protected, and how cryptographic co...

On this page

Requirement

Requirement lens

This control asks whether rules for cryptography and cryptographic key management are defined and implemented.

“Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.”

Plain-language meaning

The organization should define when cryptography is required, what approved cryptographic methods may be used, who manages keys, how keys are protected, and how cryptographic controls are operated throughout their lifecycle.

Cryptography is not just “turn on encryption”. Weak algorithms, poor key storage, unmanaged certificates, lost private keys, expired keys, missing revocation, or home-grown crypto can make an apparently secure system fail.

Why this matters

Cryptography can protect confidentiality, integrity, authenticity, and non-repudiation. It can also create serious operational risk if keys are lost, stolen, misused, expired, or generated without proper controls.

Strong cryptography depends on correct requirements, approved algorithms, appropriate key lengths and parameters, legal compatibility, secure key lifecycle management, and consistent implementation.

Implementation guidance

Implementer focus

Do not invent cryptography. Use approved industry-standard algorithms and focus your design effort on requirements, implementation choices, and key management.

1. Define cryptographic policy

Define approved and prohibited cryptographic uses, algorithms, protocols, key lengths, certificate practices, key storage methods, and responsibilities.

Use Risk Assessment to determine where confidentiality, integrity, authenticity, or non-repudiation require cryptographic controls. The decision should reflect information classification, business process need, legal requirements, performance impact, and operational resilience.

3. Use approved algorithms and parameters

Use industry-standard algorithms and protocols that are not known to be broken. Avoid internally designed algorithms unless cryptographic design is the organization’s specialized business and the design is independently reviewed.

4. Manage keys before production use

Key management should be designed before production keys are generated. Define key generation, distribution, storage, access, backup, escrow, rotation, expiry, revocation, destruction, and compromise handling.

5. Protect different key types appropriately

Secret and private keys require strong protection against disclosure, replacement, modification, and destruction. Public keys and certificates require protection against unauthorized replacement, modification, and destruction.

Some jurisdictions regulate cryptographic algorithms, key escrow, cross-border encryption, digital signatures, or certificate use. Where certification authorities, key services, directory services, timestamping, cloud KMS, or HSM providers are used, define responsibilities and agreements.

Audit guidance

Auditor focus

Trace cryptographic decisions from risk need to policy, approved algorithm, implementation, key lifecycle control, legal review, and operational evidence.

Auditors should verify:

  • cryptographic policy or standard is defined and communicated;
  • cryptographic decisions trace to risk assessment and business need;
  • algorithms, protocols, key lengths, and parameters are suitable;
  • internally designed or weak algorithms are not used;
  • legal and regulatory requirements are assessed;
  • key-management lifecycle procedures exist before production use;
  • secret/private keys are protected from disclosure, replacement, modification, and destruction;
  • public keys and certificates are protected from unauthorized replacement, modification, and destruction;
  • certification authorities or third-party key services are trusted and managed;
  • key escrow or emergency recovery cannot be bypassed or abused;
  • employees and administrators know the cryptographic procedures relevant to them.

Auditors may need specialist technical expertise. Cryptography details can be easy to misunderstand and difficult to assess from policy text alone.

Evidence examples

Evidence quality

Strong evidence proves cryptography is risk-based, policy-governed, technically appropriate, legally checked, and key-managed across its lifecycle.

Evidence What it proves
Cryptographic controls policy Rules and responsibilities are defined
Cryptographic use case register Crypto decisions trace to risk and business need
Approved algorithm/key standard Technical choices are controlled
Key management register Keys are inventoried and lifecycle-managed
KMS/HSM/access configuration Keys are logically and physically protected
Certificate/CA review Public key infrastructure is managed
Legal requirements assessment Crypto use is legally appropriate
Key escrow/recovery record Recovery is controlled and cannot be abused

Strong evidence

  • Cryptographic use cases trace to classification, risk, and legal requirements.
  • Approved algorithms and key lengths are defined and current.
  • Secret/private keys are stored in approved secure mechanisms.
  • Key rotation, expiry, revocation, and destruction are recorded.
  • Certificate authorities and third-party key services are reviewed.
  • Key escrow or emergency recovery is authorized, tested, and monitored.
  • Weak or deprecated algorithms are detected and remediated.

Weak evidence

  • “We use encryption” with no standard or inventory.
  • Developers choose algorithms independently.
  • Keys are stored in source code, scripts, tickets, spreadsheets, or shared drives.
  • Certificates expire unexpectedly.
  • Private keys are copied without approval.
  • No key rotation or revocation process exists.
  • Legal restrictions on cryptography are not assessed.

Common failures

Implementation watchouts

A.8.24 fails when cryptography is treated as a checkbox instead of a lifecycle control.

Failure Why it matters
No crypto policy Teams make inconsistent choices
Home-grown algorithms Usually weak even if they look strong
No key inventory Expiry, compromise, and ownership are unmanaged
Poor key storage Compromise defeats encryption
No key rotation Long-lived keys increase impact
No certificate review Expiry or unauthorized replacement can disrupt or compromise services
No escrow governance Recovery can fail or be abused
Legal issues ignored Crypto use may breach law or contract

Exam traps

Exam focus

A.8.24 is about rules and key management, not just the presence of encryption.

Trap Correct interpretation
Encryption automatically satisfies A.8.24 Rules, approved methods, and key management are required
Stronger crypto is always better Strength must fit risk, performance, legal, and operational needs
Public keys need no protection Public keys/certificates need integrity and replacement protection
Home-grown algorithms can be acceptable if secret Internally devised algorithms are normally a serious weakness
Key escrow is automatically bad or good It depends on controlled authorization, awareness, monitoring, and abuse prevention

KB-ready summary

Mentor takeaway

A.8.24 makes cryptography governed and recoverable. Strong implementation proves the organization knows where cryptography is needed, uses approved methods, protects keys, manages key lifecycle, checks legal issues, and controls third-party or CA dependencies.

  • Define cryptographic policy and approved methods.
  • Base cryptographic use on risk and legal requirements.
  • Do not design custom algorithms.
  • Manage keys across their full lifecycle.
  • Protect private/secret keys and certificate integrity.
  • Govern key escrow, recovery, third-party KMS, and CAs.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Cryptography
  • Key management
  • Audit

Note Metadata

Aliases: A.8.24, Use of Cryptography, Cryptographic Controls

Source: 05 Annex A Technological Controls/A.8.24 Use of Cryptography.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

13

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.