In this ultimate how-to audit guide to ISO 27001 Control 8.24 Use of Cryptography, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Cryptographic Policy and Standard Formalisation Verified
- 2. Data-at-Rest Encryption Enforcement Confirmed
- 3. Data-in-Transit Encryption Strength Validated
- 4. KMS Integrity Verified
- 5. Cryptographic Key Rotation Records Identified
- 6. Separation of Duties for Key Management Confirmed
- 7. Digital Signature and Integrity Verification Validated
- 8. PKI Certificate Governance Verified
- 9. Cryptographic Erasure (Crypto-Shredding) Capability Confirmed
- 10. Cryptographic Algorithm Review and Threat Analysis Recorded
ISO 27001 Annex A 8.24 Use of Cryptography Audit Checklist
Auditing ISO 27001 Annex A 8.24 Use of Cryptography is the technical verification of encryption protocols and key management lifecycles protecting data integrity. The Primary Implementation Requirement is the enforcement of strong algorithms and centralised KMS management, providing the Business Benefit of ensuring confidentiality and meeting regulatory data protection requirements.
This technical verification tool is designed for lead auditors to establish the efficacy of cryptographic controls in protecting data at rest and in transit. Use this checklist to validate compliance with ISO 27001 Annex A 8.24.
1. Cryptographic Policy and Standard Formalisation Verified
Verification Criteria: A documented policy exists defining the mandatory cryptographic algorithms, key lengths, and usage requirements across the organisation.
Required Evidence: Approved “Cryptographic Policy” or “Encryption Standard” specifying algorithms (e.g., AES-256) and protocols (e.g., TLS 1.3).
Pass/Fail Test: If the organisation cannot produce a formal policy defining its cryptographic baselines, mark as Non-Compliant.
2. Data-at-Rest Encryption Enforcement Confirmed
Verification Criteria: Technical controls ensure that sensitive data stored on disk, databases, and portable media is encrypted using approved algorithms.
Required Evidence: Database configuration screenshots showing TDE (Transparent Data Encryption) enabled, or MDM (Mobile Device Management) reports confirming 100% Full Disk Encryption (FDE) coverage.
Pass/Fail Test: If any laptop or production database containing sensitive information is found unencrypted at rest, mark as Non-Compliant.
3. Data-in-Transit Encryption Strength Validated
Verification Criteria: Cryptographic protocols protect data traversing untrusted networks, with legacy protocols (e.g., SSL 3.0, TLS 1.0) disabled.
Required Evidence: SSL/TLS scan reports (e.g., Qualys SSL Labs) showing “A” ratings and the absence of deprecated cipher suites.
Pass/Fail Test: If any public-facing application allows connections via TLS 1.1 or lower, mark as Non-Compliant.
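To show how the pass/fail tests for steps 2 and 3 can be applied mechanically to collected evidence, here is an added Python example (it is not from the original guide or from any scanning tool). The TLS scan summary and MDM report are constructed sample data, and the protocol names and deprecated cipher-name patterns are assumptions about what a scanner reports.

```python
import re

# Constructed sample evidence (not from any real audit): a TLS scan summary
# per public-facing host and an MDM full-disk-encryption report.
TLS_SCAN = {
    "www.example.test": {"protocols": ["TLSv1.2", "TLSv1.3"],
                         "ciphers": ["TLS_AES_256_GCM_SHA384",
                                     "ECDHE-RSA-AES128-GCM-SHA256"]},
    "legacy.example.test": {"protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
                            "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256",
                                        "DES-CBC3-SHA", "RC4-SHA"]},
}
MDM_REPORT = [{"device": "LAPTOP-001", "fde": True},
              {"device": "LAPTOP-002", "fde": False}]

# Protocol versions ranked so "TLS 1.1 or lower" becomes a numeric comparison;
# an unrecognised protocol name ranks as 0 and is therefore flagged (fail closed).
PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1.0": 2, "TLSv1.1": 3,
                 "TLSv1.2": 4, "TLSv1.3": 5}
MAX_LEGACY_RANK = PROTOCOL_RANK["TLSv1.1"]
# Cipher-suite name fragments that indicate deprecated primitives (assumed naming).
DEPRECATED_CIPHER = re.compile(r"(RC4|DES|NULL|EXPORT|MD5|anon)", re.I)

def check_data_in_transit(scan):
    """Audit step 3: any host offering TLS 1.1 or lower, or a deprecated
    cipher suite, is Non-Compliant. Returns (verdict, findings)."""
    findings = []
    for host, result in scan.items():
        legacy = [p for p in result["protocols"]
                  if PROTOCOL_RANK.get(p, 0) <= MAX_LEGACY_RANK]
        weak = [c for c in result["ciphers"] if DEPRECATED_CIPHER.search(c)]
        if legacy:
            findings.append(f"{host}: legacy protocols enabled {legacy}")
        if weak:
            findings.append(f"{host}: deprecated cipher suites {weak}")
    return ("Non-Compliant" if findings else "Compliant"), findings

def check_data_at_rest(report):
    """Audit step 2: FDE coverage must be 100%; returns every unencrypted device."""
    unencrypted = [d["device"] for d in report if not d["fde"]]
    return ("Non-Compliant" if unencrypted else "Compliant"), unencrypted

if __name__ == "__main__":
    for name, (verdict, items) in [("Data in transit", check_data_in_transit(TLS_SCAN)),
                                   ("Data at rest", check_data_at_rest(MDM_REPORT))]:
        print(f"{name}: {verdict}")
        for item in items:
            print("  -", item)
```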