Checklist of ISO/IEC 27001-A.10.1.2 Key management


As organizations rely more on digital information, securing data is becoming more important than ever. 

Cryptography is one of the most effective methods of protecting information by rendering it unreadable to anyone without the appropriate keys. 

However, cryptography is only as strong as its key management system. 

In this article we discuss A.10.1.2 Key Management, the control that covers the entire lifecycle of cryptographic keys: generation, storage, distribution, rotation, backup, and destruction.

Sample Checklist:

  • Is equipment used to generate, store and archive cryptographic keys protected from unauthorized access?
  • Are keys generated for different systems and applications? If so, are they generated using a strong source of randomness, and are weak keys avoided?
  • Are there rules in place around changing/updating keys, including authorizing, issuing, communicating and installing keys?
  • Are keys backed up or archived in case they are lost or corrupted? Is there a process in place for recovering lost keys, and is there a secure process for destroying keys that are no longer needed?
  • Are all key management activities logged and audited for accountability purposes?
  • Is there a process in place for handling official requests for access to cryptographic keys, such as court orders?
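The checklist items above map naturally onto a small key-lifecycle service. The following is an added example, not part of the original article and not any standard's reference code, showing how the technical items (strong randomness, a weak-key screen, authorised rotation, secure destruction, and a tamper-evident audit trail) can be implemented together. Names such as `KeyManager`, the minimum key length, the two-person rule for rotation and the crude weak-key threshold are assumptions made for illustration.

```python
"""Key-lifecycle manager illustrating the A.10.1.2 checklist items.
Added example; uses only the Python standard library."""
import hashlib
import json
import secrets
import time
from dataclasses import dataclass, field

MIN_KEY_BYTES = 16        # assumption: 128-bit minimum for symmetric keys
MIN_DISTINCT_BYTES = 8    # assumption: crude screen for degenerate key material


def is_weak_key(key: bytes) -> bool:
    """Reject keys that are too short or obviously low in entropy
    (all-zero, all-0xFF, short repeated patterns). This catches a broken
    generator or a hard-coded key; it is not a substitute for a CSPRNG."""
    if len(key) < MIN_KEY_BYTES:
        return True
    return len(set(key)) < MIN_DISTINCT_BYTES


@dataclass
class KeyRecord:
    key_id: str
    version: int
    material: bytearray           # mutable so it can be zeroised on destroy
    state: str = "active"         # active -> retired -> destroyed
    created: float = field(default_factory=time.time)


def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class KeyManager:
    def __init__(self):
        self._keys = {}           # (key_id, version) -> KeyRecord
        self._log = []            # hash-chained audit entries
        self._prev_hash = "0" * 64

    # --- audit trail: every lifecycle action is logged and chained ---
    def _audit(self, actor, action, key_id, version, **extra):
        entry = {"ts": time.time(), "actor": actor, "action": action,
                 "key_id": key_id, "version": version,
                 "prev": self._prev_hash, **extra}
        entry["hash"] = _entry_hash(entry)
        self._prev_hash = entry["hash"]
        self._log.append(entry)

    def audit_log(self):
        return self._log

    def verify_log(self) -> bool:
        """Recompute the hash chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for entry in self._log:
            if entry["prev"] != prev or _entry_hash(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    # --- generation: CSPRNG plus weak-key screen ---
    def _latest_version(self, key_id) -> int:
        return max((v for (k, v) in self._keys if k == key_id), default=0)

    def generate(self, key_id, actor, length=32) -> int:
        version = self._latest_version(key_id) + 1
        material = secrets.token_bytes(length)      # OS-backed CSPRNG
        if is_weak_key(material):
            self._audit(actor, "generate_rejected", key_id, version)
            raise ValueError("generator produced weak key material")
        self._keys[(key_id, version)] = KeyRecord(key_id, version, bytearray(material))
        self._audit(actor, "generate", key_id, version, length=length)
        return version

    def get_active(self, key_id) -> bytes:
        active = [r for r in self._keys.values()
                  if r.key_id == key_id and r.state == "active"]
        if not active:
            raise KeyError(f"no active key for {key_id}")
        return bytes(max(active, key=lambda r: r.version).material)

    def state(self, key_id, version) -> str:
        return self._keys[(key_id, version)].state

    # --- rotation: requires a separate authoriser (assumed two-person rule) ---
    def rotate(self, key_id, actor, authorized_by) -> int:
        if authorized_by == actor:
            raise PermissionError("rotation must be authorised by a second person")
        for rec in self._keys.values():
            if rec.key_id == key_id and rec.state == "active":
                rec.state = "retired"
                self._audit(actor, "retire", key_id, rec.version,
                            authorized_by=authorized_by)
        return self.generate(key_id, actor)

    # --- destruction: zeroise in place and record who did it ---
    def destroy(self, key_id, version, actor):
        rec = self._keys[(key_id, version)]
        if rec.state == "active":
            raise RuntimeError("retire the key before destroying it")
        rec.material[:] = b"\x00" * len(rec.material)
        rec.state = "destroyed"
        self._audit(actor, "destroy", key_id, version)
```

The hash chain in `verify_log` is what turns a plain log into evidence: an auditor can show that entries were neither altered nor removed after the fact, which is the accountability the checklist asks for. Storing the log itself on a separate, append-only medium is a deployment decision outside this example.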


Key management is a crucial part of any cryptographic system, and the lack of proper key management can result in the compromise of sensitive information. 

As a result, it is important to ensure that the key management system meets all the requirements set out in A.10.1.2. 

By following the checklist outlined above, organizations can ensure that they are following best practices for key management and mitigating information risks.

See also: Checklist of ISO/IEC 27001-A.14.2.1 Secure development policy
