ISO 27001:2022 Annex A 8.24 Use of Cryptography: The Lead Auditor’s Guide.

ISO 27001 Annex A 8.24 Use of Cryptography

ISO 27001 Annex A 8.24 is a security control that mandates the establishment of rules for the effective use of cryptography and key management. It requires organizations to define policies for encryption to protect the confidentiality, integrity, and authenticity of information, ensuring data is secured at rest and in transit against unauthorized access.

In this guide, I will show you exactly how to implement ISO 27001 Annex A 8.24 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 8.24 Use of Cryptography

ISO 27001 Annex A 8.24 does not require you to be a mathematician or write your own encryption algorithms. Instead, it requires you to define rules for how and when you use encryption to protect the confidentiality, integrity, and authenticity of your information. It ensures that you are using the right keys, keeping them safe, and following the law.

Core requirements for compliance include:

  • Topic-Specific Policy: You must have a written policy for “Cryptography and Key Management.” This document defines what data must be encrypted (e.g., “All confidential data at rest”) and what standards to use (e.g., “AES-256”).
  • Key Management: Encryption is only as secure as the keys. You need a lifecycle process for generating, storing, distributing, and crucially destroying keys when they are no longer needed.
  • Legal Compliance: Cryptography is heavily regulated. You must check local laws (especially for export controls) to ensure you aren’t illegally using or exporting strong encryption software.
  • Endpoint Protection: The standard expects you to encrypt end-user devices (laptops, mobiles) to protect data if a device is lost or stolen (e.g., using BitLocker or FileVault).

Audit Focus: Auditors will ask the “Lost Key” question:

  1. The Scenario: “If your Head of IT leaves the company tomorrow, do they take the encryption keys with them?” (You need a backup/recovery process).
  2. The Evidence: “Show me that your company laptops are actually encrypted.” (A screenshot from your MDM or BitLocker status).
  3. The Lifecycle: “How do you revoke a key if it is compromised?”

Key Management Lifecycle (The “Must-Have” Process):

Stage | Action Required | ISO 27001 Expectation
1. Generation | Creating the key. | Use strong, standard algorithms (AES, RSA). Do not invent your own.
2. Distribution | Sending the key to users. | Send securely (never via plain email).
3. Storage | Keeping the key safe. | Use a Hardware Security Module (HSM) or secure vault (e.g., Azure Key Vault).
4. Usage | Encrypting/Decrypting. | Ensure the key is only accessible to authorized systems.
5. Destruction | End of life. | Securely wipe the key so data can never be recovered (Crypto-shredding).

What is ISO 27001 Annex A 8.24?

ISO 27001 Annex A 8.24 is about cryptography, which means you need to implement and manage a process for the effective use of cryptography.

ISO 27001 Annex A 8.24 Use of Cryptography is an ISO 27001 control that requires us to define and manage the rules associated with cryptography, which in layman’s terms is encryption.

ISO 27001 Annex A 8.24 Purpose

ISO 27001 Annex A 8.24 is a preventive control to ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography.

ISO 27001 Annex A 8.24 Definition

The ISO 27001 standard defines ISO 27001 Annex A 8.24 as:

Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.


ISO 27001 Annex A 8.24 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 8.24 Use of Cryptography, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 8.24 Podcast

In this episode, Lead Auditor Stuart Barker and team do a deep dive into ISO 27001 Annex A 8.24 Use of Cryptography. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 8.24 Implementation Guidance

The implementation of cryptography can be as simple or as difficult as you want to make it. Let us take a look at some of the considerations and guidance.

The Law

The main overriding factor of any implementation of this control is the law. The laws around encryption and cryptography vary around the world and even within countries, so it is paramount that whatever you are going to do, you get it checked and signed off by a legal professional and keep evidence of the advice that you received.

Information Classification and Handling Policy

Information classification is a requirement of the standard and good practice. You will implement a topic-specific information classification and handling policy, either with the template or by writing it yourself, and the considerations for encryption will be captured within it. For simplicity, it is usual that confidential data, or data of the highest classification, will be encrypted during transmission and at rest.

More information on the requirements of the standard is covered in ISO 27001 Annex A 5.12 Classification Of Information, and there is a handy ISO 27001 Information Classification and Handling Policy Beginner’s Guide.

ISO 27001 Information Classification and Handling Policy Template
ISO 27001 Information Classification Summary Template

Topic Specific Cryptography Policy

To meet the requirements of this particular ISO 27001 clause you are going to need a topic specific policy for cryptography and for key management.

The topic-specific policy on cryptography defined by the organisation will include the general principles for the protection of information. A topic-specific policy on the use of cryptography is necessary to reduce the risks of using cryptographic techniques and to avoid inappropriate or incorrect use.

ISO 27001 Cryptographic Control and Encryption Policy Template
ISO 27001 Cryptographic Key Management Policy Template

Standards

When using encryption it is likely that you will use default and off-the-shelf technology, but you should consider and record the standards that you are following and include in that record information on cipher strength and the algorithms used.

Technical Implementation

You will implement the technology required to realise what you have set out in your topic specific policies. The best approach is the use of industry standard technologies and usually that means the built in product features of technology that you already have.

As part of the technical implementation you will implement endpoint encryption, where feasible, for all endpoints including mobile devices.

Key Management

This is an important step as the keys are the things that can cause you a lot of problems if they are compromised or even if you forget what they are. The implementation of a robust key management process is therefore, pardon the pun, key.

There are many steps to consider in the management of keys so let us list out the common ones that you will need to address.

  • Generating keys
  • Issuing keys
  • Obtaining Public Keys
  • Distributing keys
  • Storing keys
  • Changing keys
  • Updating keys
  • Dealing with key compromise
  • Dealing with key loss
  • Revoking keys
  • Recovering keys
  • Backing up keys
  • Destroying keys
  • Logging key management activity
  • Monitoring key management activity
  • Responding to legal requests for keys
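As an added example (not from the original page or the toolkit), the lifecycle stages listed above as a small Python key store: generation from the OS random source, use restricted to active keys, revocation on compromise, re-keying of affected data, crypto-shredding on destruction, and an audit log that records key ids and fingerprints but never key material. The cipher inside is a stand-in HMAC-SHA256 keystream with an integrity tag, used only so the example runs on the standard library; a real deployment would use the policy’s approved algorithm (e.g. AES-256) inside a KMS or HSM.

```python
import hashlib
import hmac
import secrets

# Stand-in cipher (standard library only): HMAC-SHA256 keystream in counter mode plus an
# encrypt-then-MAC tag. Real deployments use the policy's approved algorithm (e.g. AES-256) in a KMS/HSM.
def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def _decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed its integrity check")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

class KeyStore:
    """In-memory stand-in for a KMS/HSM that enforces the lifecycle rules."""
    def __init__(self):
        self._keys = {}  # key_id -> {"material", "state", "fingerprint"}
        self.log = []    # audit trail: key ids and fingerprints only, never key material

    def _log(self, action, key_id):
        rec = self._keys[key_id]
        self.log.append({"action": action, "key_id": key_id, "fingerprint": rec["fingerprint"], "state": rec["state"]})

    def generate(self):
        key_id = f"key-{len(self._keys) + 1:04d}"
        material = secrets.token_bytes(32)  # 256-bit key from the OS CSPRNG
        self._keys[key_id] = {"material": material, "state": "active",
                              "fingerprint": hashlib.sha256(material).hexdigest()[:16]}
        self._log("generate", key_id)
        return key_id

    def encrypt(self, key_id, plaintext):
        rec = self._keys[key_id]
        if rec["state"] != "active":  # revoked/destroyed keys must not protect new data
            raise PermissionError(f"{key_id} is {rec['state']}; only active keys may encrypt")
        self._log("encrypt", key_id)
        return _encrypt(rec["material"], plaintext)

    def decrypt(self, key_id, blob):
        rec = self._keys[key_id]
        if rec["material"] is None:  # crypto-shredded: nothing left to decrypt with
            raise PermissionError(f"{key_id} is destroyed; its data is unrecoverable")
        self._log("decrypt", key_id)  # a revoked key may still decrypt during re-keying
        return _decrypt(rec["material"], blob)

    def revoke(self, key_id):  # compromise response step 1: stop all new use of the key
        self._keys[key_id]["state"] = "revoked"
        self._log("revoke", key_id)

    def rekey(self, old_id, blobs):  # step 2: re-encrypt affected data under a fresh key, then destroy the old one
        new_id = self.generate()
        reencrypted = [self.encrypt(new_id, self.decrypt(old_id, b)) for b in blobs]
        self.destroy(old_id)
        return new_id, reencrypted

    def destroy(self, key_id):  # end of life: wiping the material crypto-shreds everything encrypted under it
        self._keys[key_id]["material"] = None
        self._keys[key_id]["state"] = "destroyed"
        self._log("destroy", key_id)
```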

Practical Real World

This really is going to depend, but for most small businesses this requirement comes down to encrypting devices, usually with standard or built-in technology. The management of keys is often built in and easy to implement. The advice is: unless you need something overly sophisticated, keep it simple. Have HTTPS on your website, encrypt traffic, and rely on the network technology of providers such as Azure and AWS; the apps that use them these days all connect over encrypted links. Be able to show how the keys are managed in line with the key management process requirements above, which again is usually easy to do and built into the technology that you are using.

The questions most asked at audit are: what if you lose the key, who knows what the key is, where is the key stored, and is the key stored securely?

Cryptographic Objectives

The objectives of cryptography may seem common sense, but let us examine them.

You are looking to ensure the confidentiality of data as the main objective. We want to reduce the risk of a data breach, of data being intercepted and if it is intercepted we want that data to be useless.

It can be the case that cryptography can ensure non-repudiation, which means that we can provide evidence of events or actions.

Finally, it can be used for authentication, to grant access only to the right people, resources or entities.

How to implement ISO 27001 Annex A 8.24

Implementing a robust cryptographic framework is essential for protecting the confidentiality and integrity of sensitive data across your organisation. By following these technical steps, you can ensure that your use of encryption and digital signatures meets the rigorous requirements of ISO 27001 Annex A 8.24.

1. Formalise a Cryptographic Usage Policy

  • Document a formal policy defining the types of information requiring cryptographic protection, including data at rest, in transit and in use.
  • Specify the required encryption levels and approved algorithms (e.g. AES-256, RSA-4096) based on the sensitivity of the data and risk assessments.
  • Result: A consistent organisational standard that ensures all cryptographic controls are applied uniformly and legally.

2. Provision a Centralised Key Management System (KMS)

  • Deploy a dedicated Key Management System or Hardware Security Module (HSM) to automate the generation, storage and distribution of cryptographic keys.
  • Establish clear technical procedures for key rotation, archival and destruction to prevent the use of compromised or outdated keys.
  • Result: Reduced risk of unauthorised data access due to manual key handling errors or weak storage practices.

3. Enforce Encryption for Data in Transit and at Rest

  • Mandate the use of TLS 1.3 or higher for all network communications and verify that all internal and external API endpoints require encrypted connections.
  • Provision Full Disk Encryption (FDE) and database-level encryption for all storage media containing sensitive or personally identifiable information (PII).
  • Result: Comprehensive protection of information assets against interception and physical theft of hardware.

4. Restrict Access to Cryptographic Keys via IAM and MFA

  • Apply the Principle of Least Privilege by assigning specific Identity and Access Management (IAM) roles to users and services that require key access.
  • Require Multi-Factor Authentication (MFA) for any administrative actions performed within the KMS or HSM environment.
  • Result: Prevention of lateral movement and unauthorised decryption of sensitive data by malicious actors or compromised accounts.

5. Implement Digital Signatures and Integrity Checks

  • Utilise digital signatures to verify the authenticity of software builds, legal documents and critical configuration files.
  • Configure automated hashing algorithms (e.g. SHA-256) to perform periodic integrity checks on sensitive system files and databases.
  • Result: Assurance that critical information and software have not been tampered with or modified by unauthorised parties.

6. Execute Regular Cryptographic Audits and Reviews

  • Conduct periodic technical reviews of your cryptographic infrastructure to ensure that algorithms remain secure against modern brute-force attacks.
  • Formalise an incident response plan specifically for “Compromised Key” scenarios, including immediate revocation and re-encryption procedures.
  • Result: A dynamic and resilient cryptographic posture that evolves to meet new security threats and technological advancements.
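An added example for step 5 (not from the original page or the toolkit): a periodic integrity check in Python that records a SHA-256 baseline of a directory, signs that baseline with an HMAC so the manifest itself cannot be quietly edited to hide a change, and on each run reports modified, missing and added files. The file names, contents and the MAC key in demo() are constructed sample data.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream the file through SHA-256 so large files (e.g. model weights) are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def _hash_tree(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}

def _mac(hashes, mac_key):
    payload = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(mac_key, payload, hashlib.sha256).hexdigest()

def build_manifest(root, mac_key):
    """Baseline: hash every file and sign the table so the baseline is tamper-evident."""
    hashes = _hash_tree(root)
    return {"hashes": hashes, "mac": _mac(hashes, mac_key)}

def verify(root, manifest, mac_key):
    """Periodic check: verify the manifest's MAC first, then compare current hashes to the baseline."""
    if not hmac.compare_digest(_mac(manifest["hashes"], mac_key), manifest["mac"]):
        raise ValueError("manifest MAC mismatch: the baseline itself has been altered")
    baseline, current = manifest["hashes"], _hash_tree(root)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "added": sorted(n for n in current if n not in baseline),
    }

def demo():
    """Constructed scenario: baseline three files, then change one, delete one and add one."""
    root = Path(tempfile.mkdtemp())
    samples = {"app.conf": b"debug=false\n", "model.bin": b"\x00\x01\x02", "ca.pem": b"-----cert-----"}
    for name, data in samples.items():
        (root / name).write_bytes(data)
    mac_key = os.urandom(32)  # in practice held in the KMS, never stored beside the manifest
    manifest = build_manifest(root, mac_key)
    (root / "app.conf").write_bytes(b"debug=true\n")   # modified after baseline
    (root / "ca.pem").unlink()                          # removed after baseline
    (root / "unexpected.txt").write_bytes(b"new\n")     # added after baseline
    findings = verify(root, manifest, mac_key)
    # Editing the baseline to hide the change is caught by the MAC rather than by the hashes.
    manifest["hashes"]["app.conf"] = sha256_file(root / "app.conf")
    try:
        verify(root, manifest, mac_key)
        manifest_tamper_detected = False
    except ValueError:
        manifest_tamper_detected = True
    return findings, manifest_tamper_detected
```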

Applicability of ISO 27001 Annex A 8.24 across different business models

Small Businesses
Applicability: Focuses on using standard, built-in encryption tools for devices and basic communications. The goal is to protect data if a laptop is lost and ensure website traffic is secure without complex custom solutions.
Examples of control implementation:
  • Enabling BitLocker (Windows) or FileVault (macOS) on all company laptops to ensure Full Disk Encryption (FDE).
  • Enforcing HTTPS on the company website to encrypt data in transit.
  • Using secure messaging apps (e.g., Signal, Teams) rather than plain email for sharing sensitive passwords.

Tech Startups
Applicability: Critical for product security and customer trust. Involves managing encryption keys via cloud providers and securing API endpoints to prevent data interception.
Examples of control implementation:
  • Utilizing cloud-native Key Management Systems (e.g., AWS KMS, Azure Key Vault) to rotate API keys automatically.
  • Mandating TLS 1.3 for all internal and external API communications.
  • Implementing “Crypto-shredding” (deleting the encryption key) to securely wipe customer data upon account deletion.

AI Companies
Applicability: Applies to protecting high-value intellectual property (models) and sensitive training data. Focus is on maintaining confidentiality and integrity of large datasets.
Examples of control implementation:
  • Encrypting training datasets at rest using AES-256 to prevent unauthorized access if physical storage is stolen.
  • Using cryptographic hashes (e.g., SHA-256) to verify the integrity of model weights and prevent tampering.
  • Implementing strict access controls (IAM) for the keys that decrypt sensitive inference data.

Fast Track Annex A 8.24 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 8.24 (Use of cryptography), the requirement is to define rules for the effective use of encryption and key management. The standard does not require you to buy a specialised SaaS tool to perform the encryption itself; you likely already have the technology (e.g., BitLocker, AWS KMS, TLS). You just need the governance to prove you are using it correctly.

Data Ownership & Continuity
  • SaaS compliance tools: Encapsulates policies in a web interface. Leaving the platform risks losing the documented history of your key management procedures.
  • High Table ISO 27001 Toolkit: Permanent Ownership: You receive the “Cryptographic Control Policy” and “Key Management Procedures” in Word/Excel formats that are yours forever.
  • Real-world example: Retaining full ownership of encryption standards and key lifecycle definitions without relying on a third-party subscription.

Simplicity & Workflow
  • SaaS compliance tools: Often tries to “verify” encryption via complex API integrations, which is unnecessary for a governance control.
  • High Table ISO 27001 Toolkit: Governance for Existing Tech: Formalizes what you already do (e.g., BitLocker, AWS KMS) with a clear policy template.
  • Real-world example: Validating that laptops use BitLocker via a written policy rather than buying software to “discover” it.

Cost Structure
  • SaaS compliance tools: Requires a recurring subscription to manage a static policy, effectively charging you monthly just to say “We encrypt data.”
  • High Table ISO 27001 Toolkit: One-Off Fee: A single payment covers the entire documentation suite, eliminating recurring costs for stable policies.
  • Real-world example: Satisfying the auditor’s request for “Encryption Standards” without adding a new line item to your monthly budget.

Freedom & Tech Agnostic
  • SaaS compliance tools: Can be prescriptive or limited to specific cloud providers, struggling to cover hybrid or open-source setups (e.g., GPG).
  • High Table ISO 27001 Toolkit: Use Any Technology: The “Cryptography Policy” is fully editable, allowing you to cover HSMs, cloud vaults, or on-premise hardware equally.
  • Real-world example: Defining rules for a hybrid environment using both AWS CloudHSM and on-premise GPG keys in a single document.

Summary: For Annex A 8.24, the auditor checks for a policy that defines how you use encryption and manage keys. The High Table ISO 27001 Toolkit gives you that policy instantly. It provides the governance framework to satisfy the requirement efficiently, allowing you to prove compliance without renting a tool to do so.

ISO 27001 Annex A 8.24 FAQ

What is ISO 27001 Annex A 8.24?

ISO 27001 Annex A 8.24 is a preventive information security control that requires organizations to define and implement rules for the effective use of cryptography. Its primary purpose is to protect the confidentiality, integrity, and authenticity of information by ensuring encryption is applied correctly and cryptographic keys are managed securely throughout their lifecycle.

What are the key requirements for complying with Annex A 8.24?

Compliance with Annex A 8.24 requires a formal policy on cryptography and a robust process for key management. Organizations must demonstrate that they do not use encryption ad-hoc, but rather follow a structured approach involving:

  • Topic-Specific Policy: A documented policy defining what data must be encrypted and which standards to use (e.g., AES-256).
  • Key Management: A defined lifecycle for generating, storing, distributing, and destroying keys.
  • Legal Compliance: Adherence to local laws regarding encryption export controls and usage.
  • Endpoint Protection: Implementation of encryption on devices (e.g., BitLocker, FileVault) to protect data at rest.

Does ISO 27001 mandate specific encryption algorithms?

No, ISO 27001 does not list specific required algorithms, but it mandates the use of “current, strong, and standard” algorithms. You should avoid proprietary or obsolete methods (like DES or MD5). Instead, align with industry best practices such as:

  • Symmetric Encryption: AES-256 (for data at rest).
  • Asymmetric Encryption: RSA 2048-bit or higher (for key exchange/signatures).
  • Hashing: SHA-256 or better (for integrity checks).

What is the Key Management Lifecycle in ISO 27001?

The Key Management Lifecycle is a mandatory set of processes for handling cryptographic keys from creation to deletion. Auditors will verify that you manage keys securely at every stage to prevent data loss or compromise. The stages include:

  • Generation: Creating keys using strong random number generators.
  • Distribution: Sending keys securely to users or systems (never via plain email).
  • Storage: Protecting keys in secure vaults (e.g., HSMs, Azure Key Vault).
  • Usage: Ensuring keys are only accessible to authorized entities during encryption/decryption.
  • Destruction: Securely wiping keys (crypto-shredding) at the end of their life.

What evidence do auditors look for regarding cryptography?

Auditors primarily look for your Cryptography Policy and evidence that encryption is active and managed. Common audit artifacts include:

  • Policy Documents: A signed “Cryptography and Key Management Policy.”
  • Configuration Screenshots: Evidence of BitLocker/FileVault status on laptops or TLS settings on servers.
  • Key Logs: Records showing when keys were generated, rotated, or revoked (without revealing the keys themselves).
  • Disposal Records: Proof that keys/data were securely destroyed when equipment was decommissioned.

Do I need to buy special software to implement Control 8.24?

No, you generally do not need to purchase specialized cryptography software; you likely already possess the necessary technology. Most modern operating systems and cloud providers include compliant encryption tools (e.g., Windows BitLocker, AWS KMS, SSL/TLS). Compliance focuses on the governance of these tools—having a policy that mandates their use—rather than buying new products.

What should be done if an encryption key is compromised?

If a key is compromised, you must immediately revoke the key and generate a new one, following your Incident Management process. Your Key Management Policy should outline specific steps for this scenario:

  • Revocation: Mark the compromised key as invalid in your key management system.
  • Re-keying: Generate new keys and re-encrypt the affected data if possible.
  • Investigation: Determine how the key was compromised to prevent recurrence.
  • Reporting: Document the event as an information security incident (Annex A 5.24).

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
