Effective Use of Cryptography and Key Management
Create and enforce rules for using cryptography and managing keys effectively.
Plain language
This control is about setting up and following rules to properly use cryptography, which is a way to protect sensitive information by scrambling it. If done poorly, your private information could be exposed to hackers, leading to serious breaches of privacy and trust.
Framework: ISO/IEC 27001:2022
Control effect: Preventative
ISO 27001 domain: Technological controls
Classifications: N/A
Official last update: 24 Oct 2022
Control Stack last updated: 12 Apr 2026
Maturity levels: N/A
Official control statement
Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
Why it matters
Poor cryptography and key management can expose sensitive data to attackers, leading to costly data breaches and loss of customer trust.
Operational notes
Audit key management; use approved current algorithms; protect keys (HSM/KMS); rotate and revoke keys; log and review crypto/key events.
Implementation tips
- The IT manager should develop a clear policy on how to use cryptography within the organisation. This means creating a document that outlines why and when to use encryption, the types of encryption to be used, and how to manage encryption keys securely. Be sure to align this policy with ISO 27002:2022 and consider any legal requirements, such as the Privacy Act 1988.
- The IT department should classify all information to determine its sensitivity and decide what level of encryption is needed. This involves assessing each piece of data and categorising it based on how critical or confidential it is, then choosing the encryption strength accordingly.
- IT staff should set up a secure system to generate, store, and manage encryption keys. This could involve using a key management service, ensuring that keys are not lost or accessed by unauthorised people, and routinely rotating them for security.
- Managers should assign clear roles and responsibilities regarding cryptography, ensuring everyone knows who is responsible for managing encryption keys and who is allowed to use encryption tools. Training sessions can help people understand these roles and the importance of cryptographic security.
- When using third-party cryptographic services, procurement teams should ensure contracts include terms about service reliability, liability, and compliance with Australian standards like CPS 234 and ASD Essential Eight. This means carefully reviewing service agreements to ensure they meet security needs.
Audit / evidence tips
- Ask: for the cryptography policy document. Check whether it details the types, strength, and circumstances for using cryptography and aligns with ISO 27002:2022.
  Good: the policy will comprehensively cover current and necessary practices.
- Ask: to see records of key management activities.
  Good: the system will have detailed logs showing clearly managed processes.
- Ask: for contracts with third-party cryptographic services.
Cross-framework mappings
How Annex A 8.24 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (61) | | |
| ISM-0232 | ISM-0232 requires telephone systems used for sensitive or classified conversations to encrypt all traffic when it traverses external syst... | |
| ISM-0233 | ISM-0233 requires that cordless telephone handsets and headsets are not used for sensitive or classified conversations unless the communi... | |
| ISM-0457 | ISM-0457 mandates the use of cryptographic equipment, applications or libraries that have completed a Common Criteria evaluation against ... | |
| ISM-0459 | ISM-0459 requires implementing full disk encryption, or partial disk encryption where controls ensure data can only be written to the enc... | |
| ISM-0460 | ISM-0460 requires that HACE is used when encrypting media that contains SECRET or TOP SECRET data | |
| ISM-0465 | ISM-0465 requires the use of Common Criteria evaluated cryptographic equipment, applications or libraries (against an ASD-endorsed Protec... | |
| ISM-0467 | ISM-0467 mandates HACE for SECRET and TOP SECRET data in transit over insecure networks | |
| ISM-0471 | ISM-0471 requires that only AACAs or other high assurance cryptographic algorithms are used by cryptographic equipment, applications and ... | |
| ISM-0472 | ISM-0472 requires that when Diffie-Hellman (DH) is used for session key agreement, the DH modulus is at least 2048 bits (preferably 3072 ... | |
| ISM-0474 | ISM-0474 requires organisations to use ECDH with a minimum 224-bit base point order/key size (preferably NIST P-384) when agreeing encryp... | |
| ISM-0475 | ISM-0475 requires organisations to use sufficiently strong ECDSA parameters for digital signatures (at least 224-bit order/key size, pref... | |
| ISM-0476 | ISM-0476 requires that RSA used for digital signatures and key transport uses a modulus of at least 2048 bits (preferably 3072 bits) to m... | |
| ISM-0479 | ISM-0479 requires that symmetric cryptographic algorithms are not used in Electronic Codebook (ECB) mode | |
| ISM-0481 | ISM-0481 requires that only approved high assurance cryptographic protocols (e.g | |
| ISM-0490 | ISM-0490 requires organisations to only use S/MIME version 3.0 or later, preventing weak/obsolete cryptographic message protection in email | |
| ISM-0496 | ISM-0496 requires the ESP protocol to be used to provide encryption and authentication for IPsec connections | |
| ISM-0572 | ISM-0572 requires the use of TLS for SMTP connections to provide encryption for email traffic traversing public networks | |
| ISM-0994 | ISM-0994 requires organisations to use ECDH in preference to classical DH for secure key exchange | |
| ISM-0998 | ISM-0998 mandates approved integrity/authentication algorithms for IPsec connections, with a preference for using NONE when AES-GCM provi... | |
| ISM-0999 | ISM-0999 requires organisations to use DH or ECDH for IPsec key establishment, with a preference for specific strong parameter groups (e.g | |
| ISM-1000 | ISM-1000 requires the use of PFS for IPsec connections to limit the impact of key compromise across sessions | |
| ISM-1085 | ISM-1085 requires mobile devices to encrypt sensitive or classified data when communicating over public network infrastructure | |
| ISM-1139 | ISM-1139 requires organisations to only use the latest version of TLS for TLS connections to protect confidentiality and integrity in tra... | |
| ISM-1233 | ISM-1233 mandates the use of IKE version 2 for IPsec key exchanges | |
| ISM-1277 | ISM-1277 requires encryption of data in transit specifically between web servers and database servers | |
| ISM-1324 | ISM-1324 requires certificates to be generated using an evaluated certificate authority or hardware security module, focusing on the secu... | |
| ISM-1332 | ISM-1332 requires a specific cryptographic protection for wireless communications by mandating WPA3-Enterprise 192-bit mode | |
| ISM-1370 | ISM-1370 requires TLS connections to permit only server-initiated secure renegotiation, reducing exposure to renegotiation-related weakne... | |
| ISM-1372 | ISM-1372 requires that TLS connections use DH or ECDH for key establishment during the TLS handshake | |
| ISM-1373 | ISM-1373 requires that TLS connections are configured so Anonymous Diffie-Hellman (ADH) cipher suites are not used | |
| ISM-1374 | ISM-1374 requires that SHA-2-based certificates are used for TLS connections to protect data in transit from eavesdropping | |
| ISM-1375 | ISM-1375 requires organisations to use SHA-2 for the HMAC and PRF in TLS connections to ensure strong cryptographic protection for secure... | |
| ISM-1446 | ISM-1446 mandates the use of elliptic curves from NIST SP 800-186 for encryption, focusing on selecting specific cryptographic parameters | |
| ISM-1453 | ISM-1453 requires Perfect Forward Secrecy (PFS) to be used for TLS connections so past sessions remain protected even if a server private... | |
| ISM-1454 | ISM-1454 requires encrypting RADIUS communications using RADIUS over TLS or RADIUS over IPsec to protect authentication/authorisation tra... | |
| ISM-1629 | ISM-1629 requires that when Diffie-Hellman (DH) is used to agree encryption session keys, the modulus and associated parameters are selec... | |
| ISM-1712 | ISM-1712 requires organisations to disable 802.11r Fast Transition unless authenticator-to-authenticator communications are secured using... | |
| ISM-1759 | ISM-1759 requires that when Diffie-Hellman is used to agree encryption session keys, a modulus of at least 3072 bits is used | |
| ISM-1761 | ISM-1761 requires that when ECDH is used to agree encryption session keys, organisations use specific NIST curves (P-256, P-384 or P-521)... | |
| ISM-1762 | ISM-1762 requires that when ECDH is used to agree encryption session keys, organisations should use NIST P-384 (preferred) or P-521 curves | |
| ISM-1763 | ISM-1763 requires that when an organisation uses ECDSA for digital signatures it uses approved NIST curves (preferably P-384) | |
| ISM-1765 | ISM-1765 requires that when RSA is used for digital signatures and for transporting encryption session keys, organisations use an RSA mod... | |
| ISM-1766 | ISM-1766 requires organisations to use SHA-2 hashing with an output size of at least 224 bits (preferably SHA-384 or SHA-512) to ensure s... | |
| ISM-1767 | ISM-1767 requires that when SHA-2 is used for hashing, organisations use an output size of at least 256 bits (preferably SHA-384 or SHA-512) | |
| ISM-1768 | ISM-1768 requires that when SHA-2 is used for hashing, the organisation selects an output size of at least 384 bits (preferably SHA-384 o... | |
| ISM-1770 | ISM-1770 requires that when AES is used for encryption, organisations select strong variants (AES-192 or preferably AES-256) | |
| ISM-1771 | ISM-1771 requires AES to be used for encrypting IPsec connections, preferably using ENCR_AES_GCM_16 | |
| ISM-1772 | ISM-1772 mandates the use of approved, strong PRFs for IPsec connections (PRF_HMAC_SHA2_256/384/512) to ensure robust cryptographic opera... | |
| ISM-1797 | ISM-1797 focuses on using digital signatures or cryptographic checksums to assure the integrity and provenance of software updates | |
| ISM-1802 | ISM-1802 requires organisations to use ASD-approved High Assurance Cryptographic Equipment (HACE) and operate it in accordance with the a... | |
| ISM-1984 | ISM-1984 requires a specific cryptographic use case: encrypt event log traffic while it is in transit to a centralised logging facility | |
| ISM-1990 | ISM-1990 requires that when implementing ML-DSA and ML-KEM, organisations should also follow the pre-requisite FIPS publications referenc... | |
| ISM-1991 | ISM-1991 requires organisations that use ML-DSA for digital signatures to select specific approved parameter sets (ML-DSA-65 or ML-DSA-87... | |
| ISM-1992 | ISM-1992 requires that when ML-DSA is used for digital signatures, organisations use the hedged variant wherever possible to reduce crypt... | |
| ISM-1993 | ISM-1993 requires that pre-hashed ML-DSA-65/87 variants are only used when the performance of the default ML-DSA variants is unacceptable | |
| ISM-1994 | ISM-1994 requires organisations to use specific minimum-strength hash functions (SHA-384 for ML-DSA-65 pre-hash and SHA-512 for ML-DSA-87... | |
| ISM-1996 | ISM-1996 requires that when using a post-quantum/traditional hybrid encryption scheme, at least one of the component algorithms is an AAC... | |
| ISM-2010 | ISM-2010 requires that Active Directory service accounts with SPNs use strong encryption (specifically AES) for Kerberos/service authenti... | |
| ISM-2017 | ISM-2017 requires organisations to encrypt DNS traffic where supported, typically via cryptographic protections at the transport or appli... | |
| ISM-2050 | ISM-2050 requires software to validate digital signatures using certificate trust chains and revocation checking (CRL/OCSP) | |
| ISM-2082 | ISM-2082 requires using a cryptographic bill of materials (CBOM) for imported third-party components during software development to verif... | |
| Partially overlaps (6) | | |
| ISM-0142 | Annex A 8.24 requires rules for cryptography use and key management, including handling events that may impact key/material confidentiali... | |
| ISM-0455 | Annex A 8.24 requires rules for cryptographic use and cryptographic key management, including availability considerations for keys and en... | |
| ISM-0469 | ISM-0469 requires the use of ASD-Approved Cryptographic Protocols (or high assurance cryptographic protocols) to protect data communicate... | |
| ISM-0702 | Annex A 8.24 requires defined and implemented rules for cryptography and cryptographic key management across their lifecycle, including s... | |
| ISM-1080 | ISM-1080 requires that when encrypting media (data at rest), organisations use an ASD-Approved Cryptographic Algorithm (AACA) or other hi... | |
| ISM-1917 | Annex A 8.24 requires organisations to define and implement rules for the effective use of cryptography and for cryptographic key management | |
| Supports (9) | | |
| ISM-0231 | ISM-0231 requires telephone systems using cryptographic equipment for multiple security levels to provide a visual indication of the conn... | |
| ISM-0263 | ISM-0263 requires that TLS traffic passing through gateways is decrypted and inspected to identify malicious or non-compliant content | |
| ISM-0554 | ISM-0554 requires video call authentication to use encrypted, non-replayable two-way authentication, which relies on strong cryptographic... | |
| ISM-0571 | ISM-0571 requires emails to traverse authenticated and encrypted channels via centralised email gateways | |
| ISM-0677 | ISM-0677 requires validation of digital signatures or cryptographic checksums for files imported or exported through gateways or CDSs | |
| ISM-0869 | ISM-0869 involves encrypting storage on mobile devices, a specific application of cryptography | |
| ISM-2027 | ISM-2027 mandates the use of digital signatures or secure hashes (and a secure channel) to verify software artefacts before use/import | |
| ISM-2073 | ISM-2073 requires an organisation to develop, implement and maintain a post-quantum cryptography (PQC) transition plan to manage quantum-... | |
| ISM-2083 | ISM-2083 requires software producers to produce and make available a cryptographic bill of materials (CBOM) listing cryptographic compone... | |
| Depends on (3) | | |
| ISM-0675 | ISM-0675 requires exported data from SECRET and TOP SECRET systems to be digitally signed by a trustworthy source, which relies on correc... | |
| ISM-1059 | ISM-1059 requires encryption for all data on media, implying the need for effective cryptographic key management | |
| ISM-1796 | ISM-1796 requires digitally signing executable content using a certificate with a verifiable chain of trust, which inherently relies on s... | |
| Related (10) | | |
| ISM-0477 | Annex A 8.24 requires cryptographic rules and key management practices to be defined and implemented, including appropriate key use | |
| ISM-0507 | ISM-0507 requires cryptographic key management processes and supporting procedures to be developed, implemented and maintained across the... | |
| ISM-1091 | Annex A 8.24 requires rules for cryptographic key management to be defined and implemented, including responding to key compromise | |
| ISM-1402 | ISM-1402 requires secure protection of stored credentials, including the use of HSMs and cryptographic techniques such as salting, hashin... | |
| ISM-1448 | ISM-1448 requires that when DH or ECDH is used for TLS key establishment, the ephemeral variant (DHE/ECDHE) is used to provide forward se... | |
| ISM-1449 | Annex A 8.24 requires rules for cryptography and key management, including secure handling and protection of cryptographic keys | |
| ISM-1764 | Annex A 8.24 requires organisations to set and enforce rules for cryptography use and key management | |
| ISM-1769 | Annex A 8.24 requires defined and implemented rules for cryptography and cryptographic key management across the organisation | |
| ISM-1957 | Annex A 8.24 requires organisations to implement effective key management rules, including protection of private keys | |
| ISM-1995 | Annex A 8.24 requires organisations to define and implement rules for effective cryptography use and cryptographic key management | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.