The international gold standard for Information Security Management Systems (ISMS), with Annex A control 8.24 mandating cryptographic key lifecycle management and certificate governance.
ISO/IEC 27001:2022 is the globally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It provides a systematic approach to managing sensitive company information so that it remains secure.
The 2022 revision restructured Annex A controls, with control 8.24 (Cryptography) directly addressing cryptographic key management and certificate governance. Organizations certified to ISO 27001 must demonstrate robust processes for key generation, distribution, storage, rotation, revocation, and destruction.
The standard applies to any organization regardless of size or sector, making it the most widely adopted information security framework worldwide. With the growing importance of digital certificates in modern infrastructure, Annex A 8.24 has become a critical control for auditors and certification bodies.
Establish, implement, maintain, and continually improve an Information Security Management System using the PDCA (Plan-Do-Check-Act) cycle, with a clearly defined scope, leadership commitment, and measurable objectives.
Define and implement rules for cryptographic key management including generation, distribution, storage, rotation, revocation, and destruction of keys and certificates.
Manage authentication information (including certificates and credentials) with controls for allocation, handling, and secure storage throughout their lifecycle.
Perform systematic risk assessments identifying threats to cryptographic assets, and define risk treatment plans that include appropriate certificate management controls.
Implement secure authentication mechanisms including certificate-based authentication, multi-factor authentication, and identity verification for system access.
Monitor, measure, and continually improve ISMS effectiveness through internal audits, management reviews, and corrective actions for nonconformities.
The original international standard for ISMS is published, establishing the foundational framework for information security management worldwide.
Significant restructuring of the standard, with updated Annex A controls and improved alignment with other ISO management system standards.
The latest revision published in October 2022, restructuring Annex A controls and introducing control 8.24 for cryptographic key lifecycle management.
Organizations with existing ISO 27001:2013 certifications must transition to the 2022 version by the deadline set by certification bodies.
Continued evolution of cryptographic controls to address post-quantum readiness, with growing emphasis on crypto agility in ISMS frameworks.
ISO 27001:2022 places cryptographic controls at the heart of information security. Here are the critical areas where PKI is directly impacted:
Annex A 8.24 requires documented processes for the entire key lifecycle — generation, distribution, storage, rotation, revocation, and destruction — with full audit trails.
A comprehensive certificate inventory is essential for risk assessment (Clause 6) and serves as critical audit evidence during certification and surveillance audits.
ISMS controls demand policy-driven certificate governance including algorithm standards, validity periods, and approval workflows integrated into the management system.
PKI controls must be formally documented within the ISMS, including certificate policies, procedures, and records that demonstrate continuous compliance.
Annex A 8.24 compliance — Horizon maps directly to Annex A 8.24 cryptographic controls, providing the tooling auditors expect for key and certificate lifecycle management.
Complete certificate inventory — Discover every certificate across your infrastructure to build the comprehensive inventory needed for ISO 27001 risk assessment and audit evidence.
Automated key lifecycle — Automate the entire lifecycle from generation to destruction, eliminating manual processes and reducing the risk of nonconformities during audits.
ISMS-aligned policy enforcement — Built-in policy engine enforces certificate standards aligned with your ISMS risk treatment plans, ensuring continuous compliance.