A.8.24 — Is the use of cryptography governed by a policy, with key management?
Description
What this control does
This control requires the organization to adopt and enforce a formal cryptography policy that defines approved algorithms, key lengths, use cases, and operational procedures for encrypting data at rest and in transit. The policy must be supported by a key management lifecycle covering generation, distribution, storage, rotation, escrow, and destruction of cryptographic keys. Without governance, cryptographic implementations may use weak ciphers, expose keys through poor handling, or create incompatible encryption schemes that lead to data inaccessibility or breach.
Control objective
What auditing this proves
Demonstrate that the organization has established, documented, and operationalized a cryptography governance framework that defines approved cryptographic methods and controls the full lifecycle of cryptographic keys.
Associated risks
Risks this control addresses
- Unauthorized personnel generate or access cryptographic keys, enabling insider threats or credential theft leading to decryption of sensitive data.
- Use of deprecated or weak cryptographic algorithms (e.g., DES, MD5, RC4) allows attackers to break encryption through brute force or known vulnerabilities.
- Lack of key rotation procedures results in long-lived keys that increase the exposure window if compromised and amplify the blast radius of a single key breach.
- Cryptographic keys stored in plaintext on file systems, code repositories, or configuration files enable trivial extraction by attackers gaining system access.
- Absence of key escrow or recovery procedures causes permanent data loss when keys are destroyed, corrupted, or become inaccessible due to personnel turnover.
- Inconsistent cryptographic implementation across systems creates interoperability failures, compliance gaps, and shadow IT workarounds that bypass security controls.
- Missing audit trails for key lifecycle events (generation, access, rotation, deletion) prevent detection of unauthorized cryptographic operations or forensic investigation after incidents.
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's cryptography policy document, verifying it specifies approved algorithms, minimum key lengths, permitted use cases, roles and responsibilities, and references to key management procedures.
- Interview the information security manager and system owners to confirm they are aware of the cryptography policy and can describe how it is communicated and enforced across departments.
- Inventory all systems and applications that perform encryption, including databases, file storage, network appliances, and cloud services, recording the cryptographic methods in use for each.
- Select a representative sample of at least five systems from the inventory and inspect their configurations to verify only approved algorithms and key lengths from the policy are deployed.
- Review key management procedures covering generation, distribution, storage, rotation schedules, backup/escrow, and destruction, confirming each phase has documented workflows and assigned ownership.
- Examine access control logs or identity management records to verify that cryptographic key access is restricted to authorized personnel and that separation of duties exists between key custodians and users.
- Request evidence of key rotation activities over the past 12 months, such as change tickets, automation logs, or certificate renewal records, and verify adherence to policy-defined intervals.
- Test key storage mechanisms by inspecting hardware security modules (HSMs), key vaults, or secrets management platforms to confirm keys are encrypted at rest and protected by authentication controls.
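The sampling, rotation and storage steps above are easiest to repeat consistently when the policy is written down as data and the inventory is checked against it mechanically. The following is an added example, not part of the control text or any standard's own material: a small checker that takes inventoried key records and reports where each one departs from the policy. The policy thresholds, the approved-storage list and the inventory records are constructed for illustration and are assumptions, not any organization's real policy or systems.

```python
"""Policy-conformance check over a cryptographic key inventory.

Added example for ISO 27001 A.8.24 testing steps (sample configuration
review, rotation evidence, storage mechanism). All policy values and
inventory records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# --- Policy expressed as data (assumed values; a real policy document supplies these) ---
POLICY = {
    # approved algorithm -> minimum key length in bits
    "min_key_bits": {"AES": 128, "RSA": 2048, "ECDSA-P256": 256, "ECDSA-P384": 384},
    # prohibited algorithms; the control text names DES, MD5 and RC4 as examples
    "prohibited": {"DES", "3DES", "MD5", "RC4", "SHA1"},
    # maximum key age in days before rotation is overdue, per permitted use case
    "max_key_age_days": {"data-at-rest": 365, "tls": 397, "signing": 730},
    # storage mechanisms that satisfy "encrypted at rest, protected by authentication"
    "approved_storage": {"hsm", "kms", "vault"},
}


@dataclass
class KeyRecord:
    system: str
    use_case: str
    algorithm: str
    key_bits: int
    storage: str                    # where the key material lives
    created: date
    last_rotated: Optional[date] = None


@dataclass
class Finding:
    system: str
    severity: str                   # "high", "medium" or "low"
    message: str


def check_record(rec: KeyRecord, policy: dict, today: date) -> List[Finding]:
    """Return every policy deviation for one inventoried key."""
    findings: List[Finding] = []
    min_bits = policy["min_key_bits"]
    # 1. Algorithm and key length (sample configuration review step)
    if rec.algorithm in policy["prohibited"]:
        findings.append(Finding(rec.system, "high", f"prohibited algorithm {rec.algorithm}"))
    elif rec.algorithm not in min_bits:
        findings.append(Finding(rec.system, "medium", f"algorithm {rec.algorithm} not on approved list"))
    elif rec.key_bits < min_bits[rec.algorithm]:
        findings.append(Finding(rec.system, "high",
                                f"{rec.algorithm} key of {rec.key_bits} bits is below "
                                f"policy minimum of {min_bits[rec.algorithm]}"))
    # 2. Storage mechanism (key storage inspection step)
    if rec.storage not in policy["approved_storage"]:
        findings.append(Finding(rec.system, "high", f"key stored in unapproved location '{rec.storage}'"))
    # 3. Rotation age (key rotation evidence step); a never-rotated key ages from creation
    max_age = policy["max_key_age_days"].get(rec.use_case)
    if max_age is None:
        findings.append(Finding(rec.system, "low", f"use case '{rec.use_case}' has no rotation interval in policy"))
    else:
        age = (today - (rec.last_rotated or rec.created)).days
        if age > max_age:
            findings.append(Finding(rec.system, "medium",
                                    f"key age of {age} days exceeds the {max_age}-day rotation interval"))
    return findings


def audit(records: List[KeyRecord], policy: dict, today: date) -> Dict[str, List[Finding]]:
    """Map each system name to its findings (an empty list means compliant)."""
    return {rec.system: check_record(rec, policy, today) for rec in records}


def severity_counts(result: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Tally findings by severity for the audit summary."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for findings in result.values():
        for f in findings:
            counts[f.severity] += 1
    return counts


# Constructed inventory of four sampled systems (assumed, not real systems).
AUDIT_DATE = date(2025, 9, 1)
SAMPLE_INVENTORY = [
    KeyRecord("payroll-db", "data-at-rest", "AES", 256, "kms", date(2024, 6, 1), date(2025, 6, 1)),
    KeyRecord("legacy-ftp", "data-at-rest", "3DES", 168, "file", date(2019, 1, 10)),
    KeyRecord("www-edge", "tls", "RSA", 1024, "vault", date(2024, 1, 1), date(2024, 10, 1)),
    KeyRecord("build-signer", "signing", "ECDSA-P256", 256, "hsm", date(2023, 1, 15)),
]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, POLICY, AUDIT_DATE)
    for system, findings in report.items():
        status = "COMPLIANT" if not findings else f"{len(findings)} finding(s)"
        print(f"{system}: {status}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
    print("summary:", severity_counts(report))
```

Each deviation maps back to a specific audit step, so the output doubles as working-paper evidence: the sampled configuration, the rotation date it was judged against, and the storage mechanism. Keeping the policy as a data structure rather than hard-coded conditions also makes the check re-runnable whenever the policy document changes.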