When to use this
Use this checklist during an internal audit of cryptographic policy, approved algorithms, key management, certificate handling, legal requirements, and escrow/recovery.
Related controls
- A.8.24 Use of Cryptography
- A.8.24 Audit Evidence Pack
- Cryptographic Controls Policy
- Cryptographic Use Case and Algorithm Register
- Cryptographic Key Management Register
- Certificate Authority and Certificate Review
- Key Escrow and Emergency Recovery Checklist
- Cryptographic Legal Requirements Assessment
Audit checklist
- Review cryptographic controls policy.
- Trace cryptographic use cases to risk assessment.
- Review approved algorithms, protocols, key lengths, and parameters.
- Check for weak, deprecated, or internally designed algorithms.
- Review key generation, storage, distribution, rotation, revocation, and destruction.
- Check protection of secret and private keys.
- Check protection of public keys and certificates from unauthorized replacement.
- Review CA or third-party key service trust and agreements.
- Review legal/regulatory assessment.
- Review key escrow or emergency recovery governance.
- Interview relevant users/admins on cryptographic procedures.
Findings table
| Crypto area | Expected evidence | Observed evidence | Gap | Finding type | Action owner |
|---|---|---|---|---|---|
| TBD | TBD | TBD | TBD | NC / observation / conforming | TBD |
- Template
- Audit
- Iso27001
- A8 24
Note Metadata
Aliases: A.8.24 Cryptography Audit Checklist
Source: 90 Templates/A.8.24 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- A.8.24 Audit Evidence Pack
- Audit Evidence MOC
- ISO 27001 A.8.24 - Use of Cryptography
- A.8 Technological Controls MOC
- A.8 Technological Controls Audit Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- Certificate Authority and Certificate Review
- Cryptographic Controls Policy
- Cryptographic Key Management Register
- Cryptographic Legal Requirements Assessment
- Cryptographic Use Case and Algorithm Register
- Key Escrow and Emergency Recovery Checklist
- Audit Evidence Index
- Templates MOC