ISO 27001:2022 Annex A 8.24 Use of cryptography


What is ISO 27001:2022 Annex A 8.24 Use of cryptography in ISO 27001?

ISO 27001:2022 Annex A 8.24 requires a documented policy for cryptographic controls. Organisations must integrate these rules into standard SharePoint and Confluence repositories. This process ensures data confidentiality and integrity through managed encryption. It focuses on human oversight rather than reliance on automated software platforms.

Auditor’s Eye: The Shortcut Trap

Reliance on automated SaaS platforms leads to surface-level compliance for cryptography. These tools offer a generic “green tick” for encryption. They do not prove that your staff understand key management. I want to see your actual key rotation logs in SharePoint. I check Jira for manual tasks related to hardware security modules. Black-box software decouples security from your daily operations, and that lacks management ownership. Real evidence lives in your native document repositories.

  • ISO 27001:2013 reference: A.10.1.1 & A.10.1.2
  • ISO 27001:2022 reference: Annex A 8.24
  • Nature of change: Merged policy and key management into a single control. Emphasises overall use and risk.

How to Implement ISO 27001:2022 Annex A 8.24 (Step-by-Step)

The bottom line for implementation is drafting a cryptographic policy in SharePoint. Define algorithms and key lifecycles. Use Jira to track key generation and destruction tasks. Ensure all technical staff follow these versioned procedures. This ensures security stays within your organisational document management system.

  • Define encryption standards for all information assets in SharePoint.
  • Identify which data requires encryption at rest and in transit.
  • Document the key management lifecycle in your technical wiki.
  • Create recurring Jira tasks for cryptographic key reviews.
  • Appoint key custodians and record this in management minutes.
  • Verify that technical configurations match your documented policy.
  • Store all service reports from encryption providers in SharePoint.

ISO 27001:2022 Annex A 8.24 Audit Evidence Checklist

Focus on manual records and internal document versions. These prove human oversight and intent. Maintain these in your primary organisational tools.

  • Cryptographic policy with SharePoint version history.
  • Jira tickets for key rotation and destruction.
  • Confluence key management procedures manual.
  • Meeting minutes documenting the appointment of custodians.
  • Inventory of cryptographic assets and their locations.
  • Risk assessments for data requiring high-strength encryption.

Relational Mapping

Annex A 8.24 interacts with several core requirements:

  • Clause 8.1: Operational planning and control.
  • Annex A 5.15: Complements access control policies.
  • Annex A 8.10: Information deletion and secure disposal.

Auditor Interview

Auditor: How do you manage your cryptographic keys?

Manager: We follow a lifecycle documented in Confluence. We use Jira to track generation and expiry dates.

Auditor: Where is the evidence of your last key destruction?

Manager: The destruction certificate is stored in our SharePoint compliance folder. You can see the manager’s sign-off there.

Common Non-Conformities

  • Automated Complacency
    Description: Relying on a SaaS platform’s green tick without having internal procedural evidence.
    Corrective action: Draft a local policy and log key management in Jira.
  • Missing Key Inventory
    Description: The organisation cannot identify where encryption keys are stored.
    Corrective action: Create a versioned asset register in SharePoint.
  • Weak Algorithms
    Description: Using outdated or deprecated encryption methods.
    Corrective action: Update the SharePoint policy to reflect current industry standards.
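An added example, not from the page or its author, of the “verify that technical configurations match your documented policy” step and of the Missing Key Inventory and Weak Algorithms failure modes above: a Python check that compares a cryptographic asset register against the documented policy. The policy values, key records and field names are constructed assumptions; a real register would be exported from the SharePoint inventory the page describes.

```python
"""Check a cryptographic asset register against the documented policy.

Flags deprecated algorithms, keys below the policy minimum size,
entries with no recorded location or custodian, and overdue rotations.
All policy and inventory values here are constructed sample data.
"""
from datetime import date

# Constructed policy: approved algorithms with minimum key sizes in bits,
# plus the maximum key age (days) before a rotation review is due.
POLICY = {
    "approved": {"AES": 256, "RSA": 3072, "ECDSA-P256": 256},
    "max_key_age_days": 365,
}

# Constructed inventory; field names are assumptions, not a real export.
INVENTORY = [
    {"id": "KEY-001", "algorithm": "AES", "bits": 256, "location": "HSM-1",
     "custodian": "alice", "generated": "2024-01-15"},
    {"id": "KEY-002", "algorithm": "3DES", "bits": 168, "location": "app-db",
     "custodian": "bob", "generated": "2023-06-01"},
    {"id": "KEY-003", "algorithm": "RSA", "bits": 2048, "location": "",
     "custodian": "", "generated": "2024-11-20"},
]


def check_inventory(inventory, policy, today_iso):
    """Return (key id, finding) pairs for every deviation from policy."""
    today = date.fromisoformat(today_iso)
    approved = policy["approved"]
    findings = []
    for key in inventory:
        alg, bits = key["algorithm"], key["bits"]
        if alg not in approved:
            findings.append((key["id"], f"deprecated algorithm {alg}"))
        elif bits < approved[alg]:
            findings.append((key["id"], f"{alg}-{bits} below policy minimum {approved[alg]}"))
        if not key["location"]:
            findings.append((key["id"], "no storage location recorded"))
        if not key["custodian"]:
            findings.append((key["id"], "no key custodian appointed"))
        age = (today - date.fromisoformat(key["generated"])).days
        if age > policy["max_key_age_days"]:
            findings.append((key["id"], f"rotation overdue ({age} days old)"))
    return findings


if __name__ == "__main__":
    for key_id, finding in check_inventory(INVENTORY, POLICY, "2025-03-01"):
        print(f"{key_id}: {finding}")
```

Each finding maps to a Jira ticket or a policy update; a clean run is the evidence that the register and the policy agree on the review date.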

Frequently Asked Questions

What is ISO 27001 Annex A 8.24?

The bottom line: Annex A 8.24 requires a documented policy for cryptographic controls. Organisations must define how they use encryption to protect information. You should manage these rules within SharePoint. This ensures management retains control over sensitive technical procedures.

How does an auditor check for cryptographic compliance?

The bottom line: Auditors check for version-controlled policies and manual key logs. We look for evidence in your internal document repositories. This proves that you actively manage your cryptographic keys. We reject surface-level dashboards from automated platforms.

Why is key management important in ISO 27001?

The bottom line: Key management prevents unauthorised data access if encryption keys are lost or stolen. You must document key lifecycles in Confluence. This includes generation, storage, and destruction. Manual records prove that your staff follow the security process.

LA CASA DE CERTIFICACIÓN