Requirement
Requirement lens
This control asks whether rules for cryptography and cryptographic key management are defined and implemented.
“Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.”
Plain-language meaning
The organization should define when cryptography is required, what approved cryptographic methods may be used, who manages keys, how keys are protected, and how cryptographic controls are operated throughout their lifecycle.
Cryptography is not just “turn on encryption”. Weak algorithms, poor key storage, unmanaged certificates, lost private keys, expired keys, missing revocation, or home-grown crypto can make an apparently secure system fail.
Why this matters
Cryptography can protect confidentiality, integrity, authenticity, and non-repudiation. It can also create serious operational risk if keys are lost, stolen, misused, expired, or generated without proper controls.
Strong cryptography depends on correct requirements, approved algorithms, appropriate key lengths and parameters, legal compatibility, secure key lifecycle management, and consistent implementation.
Implementation guidance
Implementer focus
Do not invent cryptography. Use approved industry-standard algorithms and focus your design effort on requirements, implementation choices, and key management.
1. Define cryptographic policy
Define approved and prohibited cryptographic uses, algorithms, protocols, key lengths, certificate practices, key storage methods, and responsibilities.
2. Link cryptography to risk
Use Risk Assessment to determine where confidentiality, integrity, authenticity, or non-repudiation require cryptographic controls. The decision should reflect information classification, business process need, legal requirements, performance impact, and operational resilience.
3. Use approved algorithms and parameters
Use industry-standard algorithms and protocols that are not known to be broken. Avoid internally designed algorithms unless cryptographic design is the organization’s specialized business and the design is independently reviewed.
4. Manage keys before production use
Key management should be designed before production keys are generated. Define key generation, distribution, storage, access, backup, escrow, rotation, expiry, revocation, destruction, and compromise handling.
5. Protect different key types appropriately
Secret and private keys require strong protection against disclosure, replacement, modification, and destruction. Public keys and certificates require protection against unauthorized replacement, modification, and destruction.
6. Address legal and third-party dependencies
Some jurisdictions regulate cryptographic algorithms, key escrow, cross-border encryption, digital signatures, or certificate use. Where certification authorities, key services, directory services, timestamping, cloud KMS, or HSM providers are used, define responsibilities and agreements.
Audit guidance
Auditor focus
Trace cryptographic decisions from risk need to policy, approved algorithm, implementation, key lifecycle control, legal review, and operational evidence.
Auditors should verify:
- cryptographic policy or standard is defined and communicated;
- cryptographic decisions trace to risk assessment and business need;
- algorithms, protocols, key lengths, and parameters are suitable;
- internally designed or weak algorithms are not used;
- legal and regulatory requirements are assessed;
- key-management lifecycle procedures exist before production use;
- secret/private keys are protected from disclosure, replacement, modification, and destruction;
- public keys and certificates are protected from unauthorized replacement, modification, and destruction;
- certification authorities or third-party key services are trusted and managed;
- key escrow or emergency recovery cannot be bypassed or abused;
- employees and administrators know the cryptographic procedures relevant to them.
Auditors may need specialist technical expertise. Cryptography details can be easy to misunderstand and difficult to assess from policy text alone.
Evidence examples
Evidence quality
Strong evidence proves cryptography is risk-based, policy-governed, technically appropriate, legally checked, and key-managed across its lifecycle.
| Evidence | What it proves |
|---|---|
| Cryptographic controls policy | Rules and responsibilities are defined |
| Cryptographic use case register | Crypto decisions trace to risk and business need |
| Approved algorithm/key standard | Technical choices are controlled |
| Key management register | Keys are inventoried and lifecycle-managed |
| KMS/HSM/access configuration | Keys are logically and physically protected |
| Certificate/CA review | Public key infrastructure is managed |
| Legal requirements assessment | Crypto use is legally appropriate |
| Key escrow/recovery record | Recovery is controlled and cannot be abused |
Strong evidence
- Cryptographic use cases trace to classification, risk, and legal requirements.
- Approved algorithms and key lengths are defined and current.
- Secret/private keys are stored in approved secure mechanisms.
- Key rotation, expiry, revocation, and destruction are recorded.
- Certificate authorities and third-party key services are reviewed.
- Key escrow or emergency recovery is authorized, tested, and monitored.
- Weak or deprecated algorithms are detected and remediated.
Weak evidence
- “We use encryption” with no standard or inventory.
- Developers choose algorithms independently.
- Keys are stored in source code, scripts, tickets, spreadsheets, or shared drives.
- Certificates expire unexpectedly.
- Private keys are copied without approval.
- No key rotation or revocation process exists.
- Legal restrictions on cryptography are not assessed.
Common failures
Implementation watchouts
A.8.24 fails when cryptography is treated as a checkbox instead of a lifecycle control.
| Failure | Why it matters |
|---|---|
| No crypto policy | Teams make inconsistent choices |
| Home-grown algorithms | Usually weak even if they look strong |
| No key inventory | Expiry, compromise, and ownership are unmanaged |
| Poor key storage | Compromise defeats encryption |
| No key rotation | Long-lived keys increase impact |
| No certificate review | Expiry or unauthorized replacement can disrupt or compromise services |
| No escrow governance | Recovery can fail or be abused |
| Legal issues ignored | Crypto use may breach law or contract |
Exam traps
Exam focus
A.8.24 is about rules and key management, not just the presence of encryption.
| Trap | Correct interpretation |
|---|---|
| Encryption automatically satisfies A.8.24 | Rules, approved methods, and key management are required |
| Stronger crypto is always better | Strength must fit risk, performance, legal, and operational needs |
| Public keys need no protection | Public keys/certificates need integrity and replacement protection |
| Home-grown algorithms can be acceptable if secret | Internally devised algorithms are normally a serious weakness |
| Key escrow is automatically bad or good | It depends on controlled authorization, awareness, monitoring, and abuse prevention |
Related controls and concepts
- A.8 Technological Controls MOC
- A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
- A.5.32 Intellectual Property Rights
- A.5.34 Privacy and Protection of PII
- A.5.20 Addressing Information Security Within Supplier Agreements
- A.8.5 Secure Authentication
- A.8.10 Information Deletion
- A.8.12 Data Leakage Prevention
- A.8.20 Networks Security
- Risk Assessment
- Statement of Applicability
- Cryptographic Controls Policy
- Cryptographic Use Case and Algorithm Register
- Cryptographic Key Management Register
- Certificate Authority and Certificate Review
- Key Escrow and Emergency Recovery Checklist
- Cryptographic Legal Requirements Assessment
- A.8.24 Audit Evidence Pack
- A.8.24 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.24 makes cryptography governed and recoverable. Strong implementation proves the organization knows where cryptography is needed, uses approved methods, protects keys, manages key lifecycle, checks legal issues, and controls third-party or CA dependencies.
- Define cryptographic policy and approved methods.
- Base cryptographic use on risk and legal requirements.
- Do not design custom algorithms.
- Manage keys across their full lifecycle.
- Protect private/secret keys and certificate integrity.
- Govern key escrow, recovery, third-party KMS, and CAs.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Cryptography
- Key management
- Audit
Note Metadata
Aliases: A.8.24, Use of Cryptography, Cryptographic Controls
Source: 05 Annex A Technological Controls/A.8.24 Use of Cryptography.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
13
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.32 - Intellectual Property Rights
- ISO 27001 A.5.34 - Privacy and Protection of PII
- A.8.24 Audit Evidence Pack
- ISO 27001 A.8.10 - Information Deletion
- ISO 27001 A.8.12 - Data Leakage Prevention
- ISO 27001 A.8.20 - Networks Security
- ISO 27001 A.8.26 - Application Security Requirements
- ISO 27001 A.8.27 - Secure System Architecture and Engineering Principles
- ISO 27001 A.8.5 - Secure Authentication
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.24 Use of Cryptography
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-037 - Use of Cryptography
- EXAM-038 - Secure Development and Architecture
- ISO 27002 Annex A Control Interpretation Map
- A.8.24 Audit Checklist
- Application Transaction Security Checklist
- Certificate Authority and Certificate Review
- Cryptographic Controls Policy
- Cryptographic Key Management Register
- Cryptographic Legal Requirements Assessment
- Cryptographic Use Case and Algorithm Register
- Key Escrow and Emergency Recovery Checklist
- Annex A Controls MOC