Change Keying Material When Compromised
Change encryption keys if they are compromised to maintain security.
Plain language
If someone gets their hands on the keys to your safe, they can take whatever is inside. In the digital world, encryption keys protect your sensitive information, just like a safe does. If these keys are compromised, you need to change them immediately to prevent unauthorised access to your data.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Section
Cryptographic fundamentals
Official control statement
Keying material is changed when compromised or suspected of being compromised.
Why it matters
Failure to replace compromised encryption keys promptly can lead to unauthorised data access, resulting in data breaches and loss of sensitive information.
Operational notes
Monitor for key compromise indicators and, when suspected, revoke and rotate affected keys immediately; re-encrypt data and update dependent systems to prevent continued unauthorised access.
Implementation tips
- The IT team should regularly monitor for signs of compromised encryption keys. They can do this by setting up alerts for unusual access patterns or failed login attempts, which can indicate that someone is trying to use stolen keys.
- System administrators should have a plan in place for quickly changing encryption keys if they suspect compromise. This involves knowing which systems use the keys and how to update them without interrupting business operations.
- Managers should ensure that staff are aware of the importance of reporting suspected key compromises immediately. They can educate staff by organising regular training sessions that explain the risks and demonstrate what to do if a compromise is suspected.
- The IT security officer should ensure that old keys are securely destroyed once new ones are issued. This can be done by using a secure data erasure tool that overwrites the old keys, making them impossible to recover.
- Business owners should coordinate with their IT provider to perform regular security reviews. This involves checking if encryption keys are stored securely and if proper procedures are in place for changing them when needed.
Audit / evidence tips
- Ask for the incident response procedure: Request documentation that outlines the steps for responding to compromised encryption keys. Look to ensure it includes who to contact, how quickly to respond, and the steps to change the keys.
  Good: includes a clear, step-by-step plan with named responsible parties
- Ask for evidence of recent key changes: Request logs or reports showing when encryption keys were last changed.
  Good: includes records of timely key changes with documented reasons
- Ask for training records on key compromise protocols: Request records from recent staff training sessions focused on recognising and reporting key compromises.
  Good: contains up-to-date training records with full participation
- Ask for a log of security alerts: Request logs that demonstrate the monitoring of signs that could indicate compromised keys.
  Good: includes regular alerts and a clear incident handling process
- Ask for the encryption key management policy: Request the policy document detailing how encryption keys are managed, including how often they are rotated and how compromise is addressed.
  Good: is a comprehensive policy that aligns with best practices
Cross-framework mappings
How ISM-1091 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Related (1) | | |
| Annex A 8.24 | Annex A 8.24 requires rules for cryptographic key management to be defined and implemented, including responding to key compromise | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.