Memory cue
Last-day cue
A.8.24 = define crypto rules and manage keys. Encryption without key management is not enough.
What the exam is likely testing
| Topic | Exam cue |
|---|---|
| Cryptographic policy | Defines when and how crypto is used |
| Risk traceability | Crypto choices should match confidentiality, integrity, authenticity, and non-repudiation needs |
| Approved algorithms | Use industry-standard methods, not home-grown crypto |
| Key management | Full lifecycle: generation, storage, distribution, rotation, revocation, destruction |
| Legal issues | Crypto may be affected by laws, contracts, jurisdictions, or digital signature rules |
| Escrow/recovery | Must be controlled, authorized, and protected from abuse |
Common wrong answers
- Assuming encryption alone satisfies the control.
- Ignoring key lifecycle management.
- Treating public keys and certificates as needing no integrity protection.
- Selecting stronger crypto without considering performance or operational impact.
- Accepting custom algorithms because they are secret.
Related notes
- Iso27001
- Exam
- Cryptography
Note Metadata
Aliases: EXAM-037
Source: 09-Exam-Preparation/EXAM-037-Use-of-Cryptography.md