If you have been managing an Information Security Management System (ISMS) for a few years, you likely know that the jump from the 2013 version of ISO 27001 to the 2022 update was quite a journey. It wasn’t just a simple renumbering exercise; it was a total rethink of how controls should be grouped to reflect the modern tech landscape. One of the most critical areas for any technical team is the use of cryptography, now found in Annex A 8.24.
In the older 2013 standard, cryptography was its own dedicated domain (Domain 10). In the 2022 version, it has been consolidated into the “Technological” theme. While the science of encryption remains the same, the expectations for how you manage it have certainly levelled up.
The Shift from Domain 10 to Annex A 8.24
In ISO 27001:2013, cryptography was split into two distinct controls: 10.1.1 (Policy on the use of cryptographic controls) and 10.1.2 (Key management). When the 2022 update arrived, these were merged into a single, more streamlined control: Annex A 8.24.
This consolidation is part of the broader effort to reduce the total number of controls from 114 down to 93. According to Hightable.io, Annex A 8.24 is now classified as a “Preventive” control. The logic is simple: if your encryption is managed correctly, you prevent unauthorised parties from reading sensitive data, even if they manage to intercept it. By merging policy and key management, the standard now treats cryptography as a single, holistic process rather than two separate administrative tasks.
What is New in the 2022 Guidance?
The core requirement of Annex A 8.24 is to ensure that cryptography is used effectively to protect the confidentiality, authenticity, and integrity of information. However, the 2022 guidance provides a much more contemporary look at what “effective use” actually means.
One of the biggest shifts is the emphasis on the lifecycle of cryptographic keys. In 2013, many organisations treated key management as a “set and forget” task. The 2022 version, supported by the more detailed guidance in ISO 27002:2022, places a heavier focus on the generation, storage, retrieval, retirement, and destruction of keys, and on keeping older keys available (but no longer used for new operations) for as long as data protected under them must still be read or verified. As highlighted by Hightable.io, the update reflects a world where cloud-based Key Management Systems (KMS) are the norm, requiring organisations to have a much tighter technical grip on who, and which services, can access those keys.
Key Differences in Implementation
When you are moving your documentation from the 2013 version to the 2022 version, you will notice a few practical changes in how you need to approach this control:
- Consolidated Policy: You no longer need separate sections for “general use” and “key management.” Your cryptographic policy should now be a unified document that covers the entire lifecycle of encrypted data.
- Algorithm Strength: The 2022 version is more aligned with modern expectations of “cryptographic agility.” This means your organisation should be able to replace algorithms and protocol versions as they are broken or deprecated (hash functions like SHA-1 and MD5, or protocol versions like TLS 1.0 and 1.1) without re-engineering every system, which in practice means recording which algorithm each key and system uses so the affected ones can be found.
- Business Requirements: The 2022 standard reinforces that the level of protection should be based on a risk assessment. You shouldn’t just encrypt everything with the same setting; you should apply cryptography based on the sensitivity of the data and the specific regulatory requirements you face.
Why Does This Change Matter for Your Audit?
Between 2013 and 2022, the way we use the internet changed entirely. We moved from “encrypting some things” to “encrypting everything by default.” Auditors now expect to see that your use of cryptography isn’t just a checkbox, but a deeply integrated technical reality.
Annex A 8.24 requires you to prove that you aren’t just using encryption, but that you are managing it. If you lose your keys, you lose your data, and in the eyes of the 2022 standard that is a failure of availability. According to Hightable.io, auditors will now look closely at your backup and recovery procedures for cryptographic keys to ensure that a lost key doesn’t turn into a permanent data loss incident.
Practical Tips for a Smooth Transition
If you are currently updating your Statement of Applicability (SoA) to meet the ISO 27001:2022 requirements, here are three steps to ensure your cryptography is up to scratch:
- Audit Your Current Algorithms: Check that you aren’t using deprecated algorithms or protocol versions, and that you can list which algorithm each key and system relies on. If your systems are still relying on outdated cryptography, now is the time to plan an upgrade.
- Review Key Access: Ensure that only the people (or services) who absolutely need to access your cryptographic keys have the permission to do so. This ties into the new emphasis on the Principle of Least Privilege.
- Update Your Policy Numbering: Make sure your internal policies point to Annex A 8.24 rather than the old 10.1.1 and 10.1.2. This shows the auditor that you have truly embraced the new structure.
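To make the key lifecycle, the algorithm audit and the key-access review above concrete, here is an added example (written for this article, not code from the standard or from Hightable.io) of a minimal versioned key store. It uses only the Python standard library and HMAC keys so that it runs offline; the key IDs, the service names, the `DEPRECATED_ALGS` list and the `KeyStore` API are all hypothetical. A real deployment would back this with a KMS or HSM, but the state machine it enforces (generate, rotate, retire, destroy, audit, per-caller authorisation) is the evidence an assessor asks for under Annex A 8.24.

```python
# Added example (not from the page or Hightable.io): a minimal key store that
# enforces the lifecycle and access rules Annex A 8.24 asks you to evidence.
# All names here are hypothetical; a real deployment would use a KMS/HSM.
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional, Tuple

# Hash algorithms an auditor would flag today (assumed list for the example).
DEPRECATED_ALGS = frozenset({"md5", "sha1"})


@dataclass
class KeyRecord:
    key_id: str
    alg: str                        # digest used with this key
    material: Optional[bytes]       # None once the key is destroyed
    state: str                      # "active" | "retired" | "destroyed"
    authorised: FrozenSet[str]      # services allowed to use the key
    created: str


class KeyStore:
    """Versioned HMAC keys with generate/rotate/retire/destroy and an audit."""

    def __init__(self) -> None:
        self._keys: Dict[str, KeyRecord] = {}
        self._active: Optional[str] = None

    def generate(self, alg: str, authorised: FrozenSet[str]) -> str:
        """Create a new active key. The previous active key is retired, not
        deleted, so data protected under it can still be verified."""
        key_id = f"k-{len(self._keys) + 1:03d}"
        if self._active is not None:
            self._keys[self._active].state = "retired"
        self._keys[key_id] = KeyRecord(
            key_id, alg, secrets.token_bytes(32), "active", authorised,
            datetime.now(timezone.utc).isoformat())
        self._active = key_id
        return key_id

    def _get(self, key_id: str, caller: str) -> KeyRecord:
        rec = self._keys[key_id]
        if caller not in rec.authorised:          # least privilege on key use
            raise PermissionError(f"{caller} may not use {key_id}")
        if rec.material is None:
            raise ValueError(f"{key_id} has been destroyed")
        return rec

    def sign(self, caller: str, data: bytes) -> Tuple[str, str]:
        """Only the active key may produce new tags; returns (key_id, tag)."""
        if self._active is None:
            raise ValueError("no active key")
        rec = self._get(self._active, caller)
        return rec.key_id, hmac.new(rec.material, data, rec.alg).hexdigest()

    def verify(self, caller: str, key_id: str, data: bytes, tag: str) -> bool:
        """Active and retired keys verify; unknown or destroyed keys do not."""
        if key_id not in self._keys or self._keys[key_id].material is None:
            return False
        rec = self._get(key_id, caller)
        expected = hmac.new(rec.material, data, rec.alg).hexdigest()
        return hmac.compare_digest(expected, tag)

    def destroy(self, key_id: str) -> None:
        """Wipe material only after rotation, so no live data depends on it."""
        rec = self._keys[key_id]
        if rec.state == "active":
            raise ValueError("rotate before destroying the active key")
        rec.material = None
        rec.state = "destroyed"

    def audit(self) -> Dict[str, list]:
        """What an assessor asks for: deprecated algorithms still in use, and
        which callers can touch each live key."""
        live = [k for k in self._keys.values() if k.material is not None]
        return {
            "deprecated": [k.key_id for k in live if k.alg in DEPRECATED_ALGS],
            "access": [(k.key_id, sorted(k.authorised)) for k in live],
        }


def lifecycle_demo() -> dict:
    """One rotation: legacy SHA-1 key -> SHA-256 key -> destroy the old one."""
    store = KeyStore()
    old = store.generate("sha1", frozenset({"billing-api"}))      # legacy key
    key_id, tag = store.sign("billing-api", b"invoice-42")        # constructed data
    flagged = store.audit()["deprecated"]                         # old key is flagged
    new = store.generate("sha256", frozenset({"billing-api"}))    # rotate
    still_ok = store.verify("billing-api", key_id, b"invoice-42", tag)
    store.destroy(old)                                            # now safe to wipe
    after_destroy = store.verify("billing-api", key_id, b"invoice-42", tag)
    return {"old": old, "new": new, "flagged": flagged,
            "verify_after_rotate": still_ok, "verify_after_destroy": after_destroy}
```

The two behaviours worth noting are that rotation retires rather than deletes (so `verify` keeps working for data tagged with the old key until you deliberately destroy it), and that the `audit` output is exactly the two lists, weak algorithms and key access, that the transition tips above ask you to produce.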

Conclusion
The transition from ISO 27001:2013 to the 2022 version for Annex A 8.24 is a move toward simplicity and technical relevance. By merging the various aspects of cryptography into a single control, the standard acknowledges that you cannot have good encryption without good key management. By following the updated guidance and utilising resources like Hightable.io, you can ensure that your organisation’s data remains both secure and accessible in an increasingly complex digital world.
