UnixTime

Research Note

A.8.24 Audit Checklist

Use this checklist during an internal audit of cryptographic policy, approved algorithms, key management, certificate handling, legal requirements, and escrow/recovery.

On this page

When to use this

Use this checklist during an internal audit of cryptographic policy, approved algorithms, key management, certificate handling, legal requirements, and escrow/recovery.

Audit checklist

  • Review cryptographic controls policy.
  • Trace cryptographic use cases to risk assessment.
  • Review approved algorithms, protocols, key lengths, and parameters.
  • Check for weak, deprecated, or internally designed algorithms.
  • Review key generation, storage, distribution, rotation, revocation, and destruction.
  • Check protection of secret and private keys.
  • Check protection of public keys and certificates from unauthorized replacement.
  • Review CA or third-party key service trust and agreements.
  • Review legal/regulatory assessment.
  • Review key escrow or emergency recovery governance.
  • Interview relevant users/admins on cryptographic procedures.

Findings table

Crypto area Expected evidence Observed evidence Gap Finding type Action owner
TBD TBD TBD TBD NC / observation / conforming TBD