ISM-0507 ASD Information Security Manual (ISM)

Develop and Maintain Cryptographic Key Management Processes

Ensure systems have established processes for managing cryptographic keys securely and efficiently.

Plain language

This control is about making sure your organisation properly manages the keys used in cryptography, which is the method of encoding and decoding information to keep it safe. If these keys aren't handled correctly, sensitive data can be exposed to unauthorised people, leading to data breaches, legal issues, and damage to your reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Cryptographic key management processes, and supporting cryptographic key management procedures, are developed, implemented and maintained.

Why it matters

Weak cryptographic key management can expose sensitive data, leading to severe breaches, financial loss, and reputational damage.

Operational notes

Define key lifecycle procedures: secure generation, storage (HSM/KMS), rotation, revocation, backups, access logging and regular recovery testing.

Implementation tips

  • The IT team should set up a secure method for generating cryptographic keys. This involves using a reputable cryptographic tool to generate keys according to industry standards and ensuring these keys are kept confidential during the process.
  • Managers must establish clear policies outlining who can access cryptographic keys and how this access is logged. This can be done by defining roles and responsibilities within a formal document and ensuring all staff are trained on these procedures.
  • The system owner should implement a regular review of the key management process to identify any weaknesses. This can be done by scheduling quarterly check-ins where current practices are evaluated against the latest security standards issued by the Australian Cyber Security Centre (ACSC).
  • The security team should ensure that all keys are stored securely and are backed up in a safe location. This involves using protected servers or dedicated hardware solutions designed for key storage, and maintaining an up-to-date inventory of all keys.
  • IT staff should implement procedures for regular key rotation to reduce the risk of keys being compromised over time. This involves developing a schedule for replacing old keys with new ones and documenting these changes in a key management log.

Audit / evidence tips

  • Ask: The cryptographic key management policy document: This should detail how keys are generated, used, and stored. Good: Includes a comprehensive policy that aligns with ACSC guidelines and has been reviewed within the last year.
  • Good: Shows logs with authorised access only and no suspicious activity.
  • Ask: To see the latest key rotation records: Verify that key changes have been documented with dates and responsible personnel. Good: Includes a log showing routine key changes and notification of necessary stakeholders.
  • Good: Includes confirmation that only authorised personnel have access to these storage solutions.
  • Ask: About training records for staff handling cryptographic keys: Ensure there is evidence of regular training sessions. Good: Consists of documentation showing consistent and current training aligned with changes in key management practices.

Cross-framework mappings

How ISM-0507 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Related (1)
Annex A 8.24 ISM-0507 requires cryptographic key management processes and supporting procedures to be developed, implemented and maintained across the...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.