GRCWatch
Sign inStart free trial

ISO 27001 Control 8.24: Use of Cryptography

Cryptography is your technical backbone for protecting sensitive data in transit and at rest. ISO 27001 8.24 requires organizations to establish and enforce rules for cryptographic key management to ensure confidentiality, authenticity, and integrity across systems. Without proper implementation, you risk data breaches, regulatory fines, and loss of customer trust.

What this means

Control 8.24 mandates that your organization define, document, and implement cryptography policies covering algorithm selection, key generation, storage, rotation, and retirement. This includes protecting encryption keys with the same rigor as the data they protect—keys must be managed through secure lifecycle processes, accessible only to authorized personnel, and backed up for recovery purposes. The control applies to all systems handling sensitive information and requires periodic review to ensure cryptographic standards remain current against emerging threats.

How to comply

  1. 1.Document a cryptography policy defining approved algorithms, key lengths, and protocols aligned with industry standards (AES-256, TLS 1.2+, SHA-256+)
  2. 2.Implement key management procedures covering generation, distribution, storage, rotation, and secure deletion of cryptographic keys
  3. 3.Establish access controls restricting key material to only authorized personnel with demonstrated need
  4. 4.Deploy Hardware Security Modules (HSMs) or key management systems for storing and protecting master keys
  5. 5.Schedule automatic key rotation at defined intervals (annually for symmetric keys, per vendor guidance for asymmetric)
  6. 6.Create and test backup and recovery procedures for encrypted data and associated keys
  7. 7.Conduct annual cryptography audits to verify algorithm compliance and identify deprecated or weak implementations
  8. 8.Train relevant staff on cryptographic key handling, storage, and incident response

Evidence auditors look for

  • Cryptography and key management policy document with governance approval dates
  • Inventory of systems using encryption with algorithm, key length, and implementation details
  • Key generation and rotation logs with timestamps and authorized personnel records
  • Configuration screenshots showing TLS versions, cipher suites, and encryption settings in production systems
  • Hardware Security Module (HSM) access logs and key backup procedures documentation
  • Encryption certificate inventory with expiration dates and renewal schedules
  • Audit reports validating cryptographic strength and compliance with approved standards
  • Incident response records demonstrating key compromise procedures and remediation

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates cryptography policy enforcement and key rotation tracking, generating audit-ready reports on algorithm compliance and key lifecycle management across your entire infrastructure—eliminating manual spreadsheets and reducing key exposure risk.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 8.1 — Cryptographic ControlsISO 27001 8.23 — EncryptionISO 27001 A.10.1.1 — Access Control PolicyISO 27001 A.12.2.1 — Security of Network ServicesISO 27001 A.14.2.5 — Secure Development, Acceptance, Release