Are policies and use of cryptography (encryption, key management) documented and applied (Art 21.2.h)?
Description
What this control does
This control ensures that the organization maintains comprehensive written policies governing the use of cryptographic controls, including encryption algorithms, key lengths, key generation, distribution, storage, rotation, and destruction procedures. The policies must define where and how cryptography is applied across systems, data at rest, data in transit, and backups, along with roles and responsibilities for cryptographic key management. Under NIS2 Article 21.2.h, entities must document these cryptographic measures as part of their cybersecurity risk management framework, ensuring consistent application across the organization's infrastructure and alignment with current cryptographic standards.
Control objective
What auditing this proves
Demonstrate that cryptographic policies are formally documented, specify implementation requirements for encryption and key management lifecycle activities, and are consistently applied across systems handling sensitive or critical data.
Associated risks
Risks this control addresses
- Unauthorized access to sensitive data due to inconsistent or absent encryption implementation across systems and data stores
- Cryptographic key compromise resulting from undocumented or ad-hoc key generation, storage, and rotation practices
- Use of deprecated or weak cryptographic algorithms (e.g., MD5, SHA-1, DES) due to absence of policy-driven standards
- Loss of encrypted data accessibility when key management procedures are not documented and keys are lost or corrupted without recovery mechanisms
- Regulatory non-compliance and financial penalties under NIS2 for failing to document mandatory cryptographic risk management measures
- Insider threats exploiting uncontrolled access to cryptographic keys stored in plaintext or weakly protected key stores
- Data breaches during transmission when encryption policies fail to mandate TLS/SSL for sensitive communications channels
Testing procedure
How an auditor verifies this control
- Obtain and review the current cryptographic policy document(s), verifying they include encryption standards, approved algorithms, key lengths, and key management lifecycle procedures.
- Inventory all systems, applications, and data stores identified as requiring cryptographic protection per the organization's data classification scheme.
- Select a representative sample of 5-7 systems (at minimum) spanning different categories (databases, file servers, cloud storage, communication channels) from the inventory.
- For each sampled system, inspect configuration settings to verify encryption is enabled and matches policy specifications (algorithm type, key length, mode of operation).
- Review key management procedures documentation and verify evidence of key generation, secure storage (HSM, key vault), rotation schedules, and destruction processes.
- Interview personnel responsible for cryptographic implementation (system administrators, security engineers) to confirm awareness of policies and adherence to documented procedures.
- Examine access control logs for cryptographic key stores to verify that only authorized personnel have access and that access is logged and monitored.
- Review recent security assessments, vulnerability scans, or penetration test reports to confirm no findings related to weak cryptography or exposed keys in the last audit period.
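The configuration comparison in the fourth and fifth steps above, as an added Python example that is not part of this control text: a constructed policy excerpt and a constructed sample inventory (all system names, thresholds and dates are hypothetical) are compared, and each sampled system yields the list of findings an auditor would record (deprecated algorithm, short key, old TLS version, overdue rotation, key outside an HSM or vault).

```python
from datetime import date

# Constructed policy excerpt (hypothetical thresholds, not from any real policy document).
POLICY = {
    "approved_ciphers": {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"},
    "approved_hashes": {"SHA-256", "SHA-384", "SHA-512"},
    "min_rsa_bits": 3072,
    "min_tls": (1, 2),
    "max_key_age_days": 365,
    "approved_key_stores": {"hsm", "key-vault"},
}
DEPRECATED = {"MD5", "SHA-1", "DES", "3DES", "RC4"}  # flagged separately so the finding says why

def check_system(cfg, today=date(2025, 1, 1)):
    """Compare one sampled system's settings with POLICY; return a list of findings."""
    findings = []
    if not cfg.get("encryption_enabled"):
        return ["encryption disabled"]  # nothing else is meaningful until encryption is on
    for field, approved in (("cipher", "approved_ciphers"), ("hash", "approved_hashes")):
        algo = cfg.get(field, "").upper()
        if algo in DEPRECATED:
            findings.append(f"{field} {algo} is deprecated")
        elif algo not in POLICY[approved]:
            findings.append(f"{field} {algo or '<unset>'} not in approved list")
    if cfg.get("rsa_bits", 0) < POLICY["min_rsa_bits"]:
        findings.append(f"RSA key {cfg.get('rsa_bits', 0)} bits < {POLICY['min_rsa_bits']}")
    if tuple(cfg.get("tls", (0, 0))) < POLICY["min_tls"]:
        findings.append("TLS version below policy minimum")
    age = (today - cfg["key_created"]).days  # rotation check against the documented schedule
    if age > POLICY["max_key_age_days"]:
        findings.append(f"key rotation overdue ({age} days old)")
    if cfg.get("key_store") not in POLICY["approved_key_stores"]:
        findings.append(f"key stored in {cfg.get('key_store')}, not HSM/vault")
    return findings

def audit(inventory):
    """Run check_system over an inventory; only non-compliant systems appear in the result."""
    return {name: f for name, cfg in inventory.items() if (f := check_system(cfg))}

# Constructed sample inventory standing in for the auditor's sampled systems.
SAMPLE = {
    "customer-db": dict(encryption_enabled=True, cipher="AES-256-GCM", hash="SHA-256",
                        rsa_bits=4096, tls=(1, 3), key_created=date(2024, 9, 1), key_store="hsm"),
    "file-server": dict(encryption_enabled=True, cipher="3DES", hash="SHA-1",
                        rsa_bits=2048, tls=(1, 1), key_created=date(2024, 6, 1), key_store="plaintext-file"),
    "backup-bucket": dict(encryption_enabled=True, cipher="AES-128-GCM", hash="SHA-512",
                          rsa_bits=3072, tls=(1, 2), key_created=date(2023, 1, 1), key_store="key-vault"),
    "legacy-share": dict(encryption_enabled=False),
}
```

Running `audit(SAMPLE)` lists only the three non-compliant systems with their findings; a real audit would populate the inventory from exported configuration rather than literals.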