In this guide, I will show you exactly how to implement ISO 27001 Annex A 8.24 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 8.24 Use of Cryptography
ISO 27001 Annex A 8.24 does not require you to be a mathematician or write your own encryption algorithms. Instead, it requires you to define rules for how and when you use encryption to protect the confidentiality, integrity, and authenticity of your information. It ensures that you are using the right keys, keeping them safe, and following the law.
Core requirements for compliance include:
- Topic-Specific Policy: You must have a written policy for “Cryptography and Key Management.” This document defines what data must be encrypted (e.g., “All confidential data at rest”) and what standards to use (e.g., “AES-256”).
- Key Management: Encryption is only as secure as the keys. You need a lifecycle process for generating, storing, distributing, and crucially destroying keys when they are no longer needed.
- Legal Compliance: Cryptography is heavily regulated. You must check local laws (especially for export controls) to ensure you aren’t illegally using or exporting strong encryption software.
- Endpoint Protection: The standard expects you to encrypt end-user devices (laptops, mobiles) to protect data if a device is lost or stolen (e.g., using BitLocker or FileVault).
Audit Focus: Auditors will ask the “Lost Key” question:
- The Scenario: “If your Head of IT leaves the company tomorrow, do they take the encryption keys with them?” (You need a backup/recovery process).
- The Evidence: “Show me that your company laptops are actually encrypted.” (A screenshot from your MDM or BitLocker status).
- The Lifecycle: “How do you revoke a key if it is compromised?”
Key Management Lifecycle (The “Must-Have” Process):
| Stage | Action Required | ISO 27001 Expectation |
| --- | --- | --- |
| 1. Generation | Creating the key. | Use strong, standard algorithms (AES, RSA). Do not invent your own. |
| 2. Distribution | Sending the key to users. | Send securely (never via plain email). |
| 3. Storage | Keeping the key safe. | Use a Hardware Security Module (HSM) or secure vault (e.g., Azure Key Vault). |
| 4. Usage | Encrypting/Decrypting. | Ensure the key is only accessible to authorised systems. |
| 5. Destruction | End of life. | Securely wipe the key so data can never be recovered (crypto-shredding). |
What is ISO 27001 Annex A 8.24?
ISO 27001 Annex A 8.24 is about cryptography, which means you need to implement and manage a process for the effective use of cryptography.
ISO 27001 Annex A 8.24 Use of Cryptography is an ISO 27001 control that requires us to define and manage the rules associated with cryptography, which in layman’s terms is encryption.
ISO 27001 Annex A 8.24 Purpose
ISO 27001 Annex A 8.24 is a preventive control to ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography.
ISO 27001 Annex A 8.24 Definition
The ISO 27001 standard defines ISO 27001 Annex A 8.24 as:
Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.
ISO27001:2022 Annex A 8.24 Use of Cryptography
ISO 27001 Annex A 8.24 Explainer Video
In this beginner’s guide to ISO 27001 Annex A 8.24 Use of Cryptography, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.
ISO 27001 Annex A 8.24 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into ISO 27001 Annex A 8.24 Use of Cryptography. The podcast explores what it is, why it is important and the path to compliance.
How to implement ISO 27001 Annex A 8.24
The implementation of cryptography can be as simple or as difficult as you want to make it. Let us take a look at some of the considerations and guidance.
The Law
The main overriding factor of any implementation of this control is the law. The laws around encryption and cryptography vary around the world, and even within countries, so it is paramount that whatever you are going to do, you get it checked and signed off by a legal professional and keep evidence of the advice that you received.
Information Classification and Handling Policy
Information classification is a requirement of the standard and good practice. You will implement a topic-specific information classification and handling policy, either with the template or by writing it yourself, and the considerations for encryption will be captured within it. For simplicity, it is usual that confidential data, or data of the highest classification, will be encrypted during transmission and at rest.
More information on the requirements of the standard is covered in ISO 27001 Annex A 5.12 Classification Of Information, and there is a handy ISO 27001 Information Classification and Handling Policy Beginner’s Guide.
Topic Specific Cryptography Policy
To meet the requirements of this particular ISO 27001 control you are going to need a topic-specific policy for cryptography and for key management.
The topic-specific policy on cryptography defined by the organisation will include the general principles for the protection of information. A topic-specific policy on the use of cryptography is necessary to reduce the risks of using cryptographic techniques and to avoid inappropriate or incorrect use.
Standards
When using encryption it is likely that you will use default and off-the-shelf technology, but you should consider and record the standards that you are following, including information on cipher strength and the algorithms used.
Technical Implementation
You will implement the technology required to realise what you have set out in your topic-specific policies. The best approach is the use of industry-standard technologies, and usually that means the built-in product features of technology that you already have.
As part of the technical implementation you will implement endpoint encryption, where feasible for all endpoints, including mobile devices.
Key Management
This is an important step as the keys are the things that can cause you a lot of problems if they are compromised or even if you forget what they are. The implementation of a robust key management process is therefore, pardon the pun, key.
There are many steps to consider in the management of keys so let us list out the common ones that you will need to address.
- Generating keys
- Issuing keys
- Obtaining Public Keys
- Distributing keys
- Storing keys
- Changing keys
- Updating keys
- Dealing with key compromise
- Dealing with key loss
- Revoking keys
- Recovering keys
- Backing up keys
- Destroying keys
- Logging key management activity
- Monitoring key management activity
- Responding to legal requests for keys
Practical Real World
This really is going to depend, but for most small businesses this requirement comes down to encrypting devices, and this is usually done with standard or built-in technology. The management of keys is often built in and easy to implement. The advice would be that unless you need something overly sophisticated, keep it simple. Have HTTPS on your website, encrypt traffic, and rely on the network technology of the likes of Azure and AWS and the apps that run on them, since these days those are all connections over encrypted links. Be able to show how the keys are managed in line with the above key management process requirements, which again is usually easy to do and built into the technology that you are using.
The questions most asked at audit are: what if you lose the key, who knows what the key is, where is the key stored, and is the key stored securely?
Cryptographic Objectives
The objectives of cryptography may seem common sense, but let us examine them.
You are looking to ensure the confidentiality of data as the main objective. We want to reduce the risk of a data breach, of data being intercepted and if it is intercepted we want that data to be useless.
Cryptography can also provide non-repudiation, which means that we can provide evidence of events or actions.
Finally, it can be used for authentication, to grant access only to the right people, resources or entities.
Fast Track Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 8.24 (Use of cryptography), the requirement is to define rules for the effective use of encryption and key management. The standard does not require you to buy a specialised SaaS tool to perform the encryption itself; you likely already have the technology (e.g., BitLocker, AWS KMS, TLS). You just need the governance to prove you are using it correctly.
The High Table ISO 27001 Toolkit positions itself as the logical choice because it provides the policy layer, the documents that define your cipher strengths and key lifecycles, without trying to sell you a complex software solution for a problem you’ve already solved technically.
Here is why the Toolkit is the smarter choice for complying with Annex A 8.24:
1. Ownership: You Control Your Key Management Policy
SaaS platforms often encapsulate your policies in a web interface. If you decide to leave the platform, you risk losing the documented history of your key management procedures, which is critical for proving compliance during an audit.
- The Toolkit Advantage: You receive the Cryptographic Control Policy and Key Management Procedures in standard Word/Excel formats. These documents are yours forever. You maintain full ownership of your encryption standards and key lifecycle definitions, ensuring your compliance evidence is always accessible and under your control.
2. Simplicity: Governance for Existing Tech
Annex A 8.24 requires you to manage the use of cryptography, not replace it. You don’t need a SaaS tool to tell you that you are using HTTPS or AES-256; you just need a policy that states it.
- The Toolkit Advantage: Your IT team already knows how to enable encryption on laptops and servers. The Toolkit provides the Cryptographic Policy template that formalizes what they are already doing. It validates your current technical reality (e.g., “We use AWS Key Management Service”) without forcing you to learn a new piece of compliance software.
3. Cost: A One-Off Fee vs. Recurring Subscriptions
Buying a subscription-based tool to manage a static policy is an unnecessary expense. You shouldn’t have to pay a monthly fee just to say, “We encrypt our hard drives.”
- The Toolkit Advantage: You pay a single, one-off fee for the entire documentation suite. You get the Encryption Standards and Key Management Guidelines instantly. There are no recurring costs or per-user fees to maintain a policy document that rarely changes once established.
4. Freedom: Use Any Technology
SaaS compliance tools can sometimes be prescriptive or integrate only with specific cloud providers to “verify” encryption. If you use a mix of on-premise hardware, different clouds, or open-source tools, the SaaS platform may not fit.
- The Toolkit Advantage: The High Table Toolkit is technology-agnostic. You can write your Cryptography Policy to cover any mix of technologies you use, whether it’s hardware security modules (HSMs), GPG keys, or cloud-native vaults. You define the rules that fit your specific infrastructure, giving you the freedom to choose the best encryption tools for your business.
Summary: For Annex A 8.24, the auditor checks for a policy that defines how you use encryption and manage keys. The High Table ISO 27001 Toolkit gives you that policy instantly. It provides the governance framework to satisfy the requirement efficiently, allowing you to prove compliance without renting a tool to do so.
Further Reading
ISO 27001 Controls Ultimate Guide
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
