Auto-renewal where possible
Demonstrate that critical digital assets subject to expiration are configured for automatic renewal and that renewal processes are monitored to prevent lapses in availability or trust.
Description
What this control does
This control ensures that digital certificates, domain registrations, software licenses, and subscriptions critical to security operations are configured to renew automatically before expiration. Auto-renewal prevents service disruptions, authentication failures, and trust relationship breakdowns that occur when certificates or entitlements lapse unexpectedly. Organizations implement this by enabling auto-renewal settings in certificate authorities, domain registrars, cloud service providers, and license management portals, coupled with monitoring to detect renewal failures.
Control objective
What auditing this proves
Demonstrate that critical digital assets subject to expiration are configured for automatic renewal and that renewal processes are monitored to prevent lapses in availability or trust.
Associated risks
Risks this control addresses
- Expired TLS/SSL certificates causing service outages, browser trust warnings, or API authentication failures
- Lapsed domain registrations allowing attackers to purchase expired domains for phishing, brand impersonation, or subdomain takeover attacks
- Expired code-signing certificates breaking software update mechanisms or triggering user-facing security warnings
- Interrupted endpoint security agent licensing disabling malware protection or compliance telemetry collection
- Expired SAML signing certificates breaking single sign-on authentication flows and locking users out of critical systems
- Failure of automated security scanning tools due to expired licenses, creating blind spots in vulnerability management
- Manual renewal workflows introducing human error, delays, or forgotten deadlines that result in emergency remediation efforts
Testing procedure
How an auditor verifies this control
- Obtain an inventory of all digital certificates, domain registrations, software licenses, and security subscriptions in use across the environment
- Review certificate management platform configurations and identify which certificates are set to auto-renew versus requiring manual intervention
- Examine domain registrar account settings for each registered domain to verify auto-renewal status and payment method validity
- Select a representative sample of critical services (e.g., public-facing web applications, identity providers, API gateways) and inspect their certificate configurations
- Review monitoring and alerting configurations to confirm that certificate expiration warnings and renewal failures trigger notifications to responsible teams
- Interview IT and security operations personnel to understand the process for handling auto-renewal failures and validating successful renewals
- Examine records from the past 12 months for any instances of expired certificates or domains and evaluate whether auto-renewal was configured and why it may have failed
- Verify that payment methods associated with auto-renewal services are current and that billing failures are monitored to prevent silent renewal lapses
Where this control is tested