ISO 27001:2022 Annex A 8.24 Checklist Guide

By Max Edwards | Updated 15 August 2024

Using a checklist for A.8.24 Use of Cryptography ensures systematic and thorough compliance, enhancing security and regulatory adherence. Achieving compliance mitigates risks associated with data breaches, ensuring robust protection for sensitive information.

ISO 27001 A.8.24 Use of Cryptography Checklist

The control A.8.24 Use of Cryptography within ISO/IEC 27001:2022 is essential for protecting sensitive information through robust cryptographic techniques. This control ensures that data confidentiality, integrity, and authenticity are maintained during storage and transmission.

Proper implementation of cryptography helps safeguard information against unauthorised access and tampering, thereby meeting legal, regulatory, and contractual requirements. However, implementing cryptography effectively can present several challenges that need to be addressed comprehensively.

Purpose of Annex A.8.24

  • Protect Information: Safeguard sensitive information from unauthorised access and tampering during storage and transmission.
  • Compliance: Ensure adherence to relevant legal, regulatory, and contractual requirements regarding the use of cryptography.

Why Should You Comply With Annex A.8.24? Key Aspects and Common Challenges

1. Encryption

Data at Rest

Use encryption to protect data stored on devices, servers, and storage media.

  • Common Challenges:
    • Integration Issues: Difficulty integrating encryption tools with existing systems and applications.
    • Performance Impact: Potential performance degradation due to encryption processes.
  • Solutions:
    • Evaluate and select encryption tools that offer compatibility and minimal performance overhead.
    • Conduct thorough testing before full deployment.
  • Associated ISO 27001 Clauses: 6.1.2 Risk Assessment, 8.2 Information Security Risk Assessment, 8.3 Information Security Risk Treatment

Data in Transit

Implement encryption protocols (e.g., TLS, VPNs) to secure data being transmitted over networks.

  • Common Challenges:
    • Protocol Compatibility: Ensuring compatibility of encryption protocols across different systems and networks.
    • Key Exchange Security: Securing the key exchange process to prevent interception.
  • Solutions:
    • Use standardised protocols and regularly update them to mitigate compatibility issues.
    • Implement robust key exchange mechanisms such as Diffie-Hellman.
  • Associated ISO 27001 Clauses: 6.1.2 Risk Assessment, 8.2 Information Security Risk Assessment, 8.3 Information Security Risk Treatment

2. Key Management

Key Generation

Ensure cryptographic keys are generated securely and are of sufficient strength to protect the data.

  • Common Challenges:
    • Randomness Quality: Ensuring high-quality randomness in key generation to prevent predictability.
    • Resource Intensity: High computational resources required for generating strong keys.
  • Solutions:
    • Use certified hardware random number generators (HRNGs).
    • Ensure systems are optimised for key generation tasks.
  • Associated ISO 27001 Clauses: 7.2 Competence, 8.3 Information Security Risk Treatment

Key Storage

Store keys securely to prevent unauthorised access. This may involve using hardware security modules (HSMs) or encrypted key storage.

  • Common Challenges:
    • Secure Storage: Finding and managing secure storage solutions that comply with standards.
    • Access Control: Implementing strict access controls to prevent unauthorised key access.
  • Solutions:
    • Deploy HSMs for key storage.
    • Implement multi-factor authentication (MFA) for key access control.
  • Associated ISO 27001 Clauses: 9.1 Monitoring, Measurement, Analysis and Evaluation, 7.5 Documented Information

Key Usage

Define and enforce policies on how cryptographic keys should be used within the organisation.

  • Common Challenges:
    • Policy Enforcement: Ensuring consistent enforcement of key usage policies across all departments.
    • Awareness and Training: Educating staff on the importance and proper handling of cryptographic keys.
  • Solutions:
    • Regularly update and communicate key usage policies.
    • Provide mandatory training sessions for all relevant staff.
  • Associated ISO 27001 Clauses: 7.2 Competence, 7.3 Awareness, 7.5 Documented Information

Key Rotation

Implement key rotation policies to regularly change keys and reduce the risk of compromise.

  • Common Challenges:
    • Operational Disruption: Minimising disruption to operations during key rotations.
    • Automating Rotation: Developing automated processes for seamless key rotation.
  • Solutions:
    • Schedule key rotations during low-activity periods.
    • Use automation tools to streamline the process.
  • Associated ISO 27001 Clauses: 8.1 Operational Planning and Control, 8.3 Information Security Risk Treatment

Key Revocation

Ensure mechanisms are in place to revoke keys when they are no longer needed or if they are compromised.

  • Common Challenges:
    • Revocation Propagation: Ensuring the revocation of keys is propagated quickly and effectively across all systems.
    • Backup Key Management: Managing backups of revoked keys without compromising security.
  • Solutions:
    • Implement automated revocation lists.
    • Establish secure backup storage procedures.
  • Associated ISO 27001 Clauses: 8.1 Operational Planning and Control, 9.2 Internal Audit

3. Cryptographic Algorithms

Selection

Choose cryptographic algorithms that are appropriate for the level of protection required and are widely recognised as secure (e.g., AES, RSA).

  • Common Challenges:
    • Algorithm Updates: Keeping up with advancements in cryptographic algorithms and their security.
    • Compliance with Standards: Ensuring selected algorithms comply with industry standards and regulations.
  • Solutions:
    • Regularly review and update cryptographic policies to incorporate the latest secure algorithms.
    • Use compliance tools to verify adherence to standards.
  • Associated ISO 27001 Clauses: 8.3 Information Security Risk Treatment, 9.1 Monitoring, Measurement, Analysis and Evaluation

Algorithm Strength

Ensure that the chosen algorithms have sufficient strength (e.g., key length) to resist current and foreseeable cryptographic attacks.

  • Common Challenges:
    • Balance Performance and Security: Balancing the need for strong encryption with system performance.
    • Future-Proofing: Selecting algorithms and key lengths that will remain secure in the long term.
  • Solutions:
    • Conduct performance benchmarking to find optimal configurations.
    • Regularly reassess algorithm strengths against emerging threats.
  • Associated ISO 27001 Clauses: 8.3 Information Security Risk Treatment, 9.1 Monitoring, Measurement, Analysis and Evaluation

4. Implementation and Use

Policy and Procedures

Develop and implement policies and procedures governing the use of cryptography within the organisation.

  • Common Challenges:
    • Policy Development: Creating comprehensive policies that cover all aspects of cryptographic use.
    • Consistency: Ensuring consistent application of policies across the organisation.
  • Solutions:
    • Involve cross-functional teams in policy development.
    • Use centralised policy management tools for consistency.
  • Associated ISO 27001 Clauses: 5.2 Information Security Policy, 7.5 Documented Information

Training

Provide training to staff on the proper use of cryptographic tools and the importance of protecting cryptographic keys.

  • Common Challenges:
    • Engagement: Engaging staff in ongoing cryptographic training and awareness programmes.
    • Knowledge Retention: Ensuring that staff retain and apply the knowledge gained from training.
  • Solutions:
    • Use interactive training methods and periodic assessments to reinforce learning.
  • Associated ISO 27001 Clauses: 7.2 Competence, 7.3 Awareness, 7.5 Documented Information

Compliance Monitoring

Regularly monitor and audit the use of cryptographic controls to ensure they comply with the established policies and procedures.

  • Common Challenges:
    • Resource Allocation: Allocating sufficient resources for continuous monitoring and auditing.
    • Timely Remediation: Addressing non-compliance issues promptly and effectively.
  • Solutions:
    • Leverage automated monitoring tools.
    • Establish a dedicated compliance team for prompt issue resolution.
  • Associated ISO 27001 Clauses: 9.1 Monitoring, Measurement, Analysis and Evaluation, 9.2 Internal Audit, 9.3 Management Review

5. Cryptographic Services

Digital Signatures

Use digital signatures to verify the authenticity and integrity of information.

  • Common Challenges:
    • User Adoption: Encouraging widespread adoption of digital signatures within the organisation.
    • Integration: Integrating digital signature solutions with existing workflows and systems.
  • Solutions:
    • Promote the benefits of digital signatures.
    • Ensure seamless integration with business applications.
  • Associated ISO 27001 Clauses: 8.1 Operational Planning and Control, 9.1 Monitoring, Measurement, Analysis and Evaluation

Certificate Management

Manage digital certificates, including issuance, renewal, and revocation, to ensure the authenticity of entities within the organisation.

  • Common Challenges:
    • Lifecycle Management: Managing the entire lifecycle of digital certificates effectively.
    • Certificate Sprawl: Avoiding an unmanageable number of certificates within the organisation.
  • Solutions:
    • Use centralised certificate management solutions.
    • Conduct regular audits to prevent certificate sprawl.
  • Associated ISO 27001 Clauses: 8.1 Operational Planning and Control, 9.1 Monitoring, Measurement, Analysis and Evaluation

6. Documentation and Records

Documentation

Maintain documentation of cryptographic policies, procedures, key management processes, and configurations.

  • Common Challenges:
    • Documentation Overload: Managing large volumes of documentation and ensuring accuracy.
    • Accessibility: Ensuring documentation is accessible to authorised personnel when needed.
  • Solutions:
    • Use document management systems to organise and control access to cryptographic documentation.
  • Associated ISO 27001 Clauses: 7.5 Documented Information, 8.1 Operational Planning and Control

Audit Trails

Keep detailed logs and audit trails of cryptographic key usage and management activities.

  • Common Challenges:
    • Log Management: Efficiently managing and storing large volumes of audit logs.
    • Log Analysis: Analysing logs to detect and respond to potential security incidents.
  • Solutions:
    • Implement log management solutions with automated analysis capabilities.
  • Associated ISO 27001 Clauses: 7.5 Documented Information, 9.1 Monitoring, Measurement, Analysis and Evaluation

Benefits of Compliance

  • Enhanced Security: Protect sensitive information from unauthorised access and tampering.
  • Regulatory Compliance: Meet legal, regulatory, and contractual requirements related to information security and cryptography.
  • Risk Management: Mitigate the risks associated with data breaches and unauthorised access to sensitive information.

ISMS.online Features for Demonstrating Compliance with A.8.24

  • Policy Management
    • Policy Templates: Utilise pre-built policy templates to quickly establish comprehensive cryptographic policies.
    • Version Control: Keep track of policy changes and ensure that the latest versions are always in use.
    • Document Access: Control who can view and edit cryptographic policies, ensuring secure access.
  • Risk Management
    • Dynamic Risk Map: Visualise risks associated with cryptographic controls and track their status.
    • Risk Monitoring: Continuously monitor risks related to cryptographic key management and encryption practices.
  • Incident Management
    • Incident Tracker: Document and manage incidents involving cryptographic failures or breaches.
    • Workflow and Notifications: Automate incident response workflows and ensure timely notifications to relevant stakeholders.
  • Audit Management
    • Audit Templates: Use specific templates for auditing cryptographic controls and key management processes.
    • Corrective Actions: Track and manage corrective actions resulting from audits to ensure continuous improvement.
  • Training and Awareness
    • Training Modules: Provide training on cryptographic practices and key management to employees.
    • Training Tracking: Monitor and document training completion to ensure all staff are up-to-date on cryptographic procedures.
  • Documentation Management
    • Document Templates: Utilise document templates to maintain comprehensive records of cryptographic key management practices.
    • Version Control and Retention: Ensure all cryptographic documentation is version-controlled and retained according to policy.

Detailed Annex A.8.24 Compliance Checklist

1. Encryption

  • Ensure encryption for data at rest on all devices, servers, and storage media.
  • Verify integration of encryption tools with existing systems.
  • Monitor the performance impact of encryption processes and optimise as necessary.
  • Implement encryption protocols (e.g., TLS, VPNs) for data in transit.
  • Ensure compatibility of encryption protocols across different systems and networks.
  • Secure the key exchange process to prevent interception.

2. Key Management

  • Generate cryptographic keys securely with high-quality randomness.
  • Allocate sufficient computational resources for key generation.
  • Store keys securely using hardware security modules (HSMs) or encrypted key storage.
  • Implement strict access controls for key storage.
  • Develop and enforce policies on key usage.
  • Educate staff on proper key handling through regular training.
  • Implement key rotation policies to regularly change keys.
  • Minimise operational disruption during key rotations.
  • Automate key rotation processes where possible.
  • Ensure mechanisms are in place to revoke keys when needed.
  • Propagate key revocation quickly and effectively across all systems.
  • Manage backups of revoked keys securely.

3. Cryptographic Algorithms

  • Select cryptographic algorithms that are widely recognised as secure (e.g., AES, RSA).
  • Keep up-to-date with advancements in cryptographic algorithms.
  • Ensure selected algorithms comply with industry standards and regulations.
  • Ensure algorithms have sufficient strength to resist current and foreseeable attacks.
  • Balance the need for strong encryption with system performance.
  • Future-proof algorithms and key lengths to remain secure in the long term.

4. Implementation and Use

  • Develop comprehensive policies and procedures for cryptographic use.
  • Ensure consistent application of policies across the organisation.
  • Provide ongoing cryptographic training and awareness programmes to staff.
  • Engage staff in training and ensure knowledge retention.
  • Regularly monitor and audit cryptographic controls.
  • Allocate sufficient resources for continuous monitoring and auditing.
  • Address non-compliance issues promptly and effectively.

5. Cryptographic Services

  • Implement digital signatures to verify the authenticity and integrity of information.
  • Encourage adoption of digital signatures within the organisation.
  • Integrate digital signature solutions with existing workflows and systems.
  • Manage the entire lifecycle of digital certificates effectively.
  • Avoid an unmanageable number of certificates within the organisation.

6. Documentation and Records

  • Maintain documentation of cryptographic policies, procedures, key management processes, and configurations.
  • Ensure documentation is accessible to authorised personnel when needed.
  • Keep detailed logs and audit trails of cryptographic key usage and management activities.
  • Efficiently manage and store large volumes of audit logs.
  • Analyse logs to detect and respond to potential security incidents.

How ISMS.online Helps With A.8.24

Ready to enhance your organisation’s information security management with cutting-edge cryptographic controls?

Discover how ISMS.online can streamline your compliance efforts, simplify risk management, and ensure robust data protection. Our platform offers powerful features designed to help you achieve and maintain ISO/IEC 27001:2022 certification efficiently.

Empower your organisation with the tools and expertise to safeguard your information assets and achieve excellence in information security management. Book your demo today!
