6. Cryptographic Controls

This category focuses on the effective use of cryptographic techniques to protect the confidentiality, integrity, and authenticity of information. It includes implementing cryptographic solutions, managing cryptographic keys, and ensuring the secure handling and storage of sensitive data.

Controls (A.10):

• A.10.1.1: Policy on the Use of Cryptographic Controls

• A.10.1.2: Key Management

Control A.10.1.1: Policy on the Use of Cryptographic Controls

Audit Questions:

• Is there a documented policy on the use of cryptographic controls?

• Does the policy specify when and how cryptographic controls should be used?

• How is the policy communicated to relevant stakeholders?

Common Non-Conformities (NC):

• Lack of a documented cryptographic control policy.

• Incomplete or unclear policy on the use of cryptographic techniques.

• Inadequate communication of the policy to relevant personnel.

Control A.10.1.2: Key Management

Audit Questions:

• Are there documented procedures for managing cryptographic keys?

• How are keys generated, distributed, stored, and retired?

• Is there a process for regularly reviewing and updating key management procedures?

• Can you provide evidence of recent key management activities?

Common Non-Conformities (NC):

• No documented key management procedures.

• Weak key generation, storage, or distribution practices.

• Inadequate processes for key revocation and retirement.

• Lack of regular reviews and updates of key management procedures.

• Insufficient logging and monitoring of key management activities.