5. Cryptography

5.1 Cryptographic controls  

5.1.1 Policy on the use of cryptographic controls    

A policy on the use of cryptographic controls for protection of information should be developed and implemented.  

  • Consider the following when developing a cryptographic policy:
    a) the management approach towards the use of cryptographic controls across the organization, including the general principles under which business information should be protected;
    b) the required level of protection, identified from a risk assessment and taking into account the type, strength and quality of the encryption algorithm required;
    c) the use of encryption for protection of information transported by mobile or removable media devices or across communication lines;
    d) the approach to key management, including methods to deal with the protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised or damaged keys;
    e) roles and responsibilities, e.g. who is responsible for the implementation of the policy and the key management, including key generation.

5.1.2 Key management   

A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle.

  • Develop a policy that includes requirements for managing cryptographic keys through their whole lifecycle, including generating, storing, archiving, retrieving, distributing, retiring and destroying keys. 
  • Select cryptographic algorithms, key lengths and usage practices according to best practice. 
  • Protect all cryptographic keys against modification and loss. In addition, secret and private keys need protection against unauthorized use as well as disclosure. 
  • Physically protect the equipment used to generate, store and archive keys. 
  • Implement a key management system based on an agreed set of standards, procedures and secure methods for: 
    a) generating keys for different cryptographic systems and different applications;
    b) issuing and obtaining public key certificates;
    c) distributing keys to intended entities, including how keys should be activated when received;
    d) storing keys, including how authorized users obtain access to keys;
    e) changing or updating keys including rules on when keys should be changed and how this will be done;
    f) dealing with compromised keys;
    g) revoking keys including how keys should be withdrawn or deactivated, e.g. when keys have been compromised or when a user leaves an organization (in which case keys should also be archived);
    h) recovering keys that are lost or corrupted;
    i) backing up or archiving keys;
    j) destroying keys;
    k) logging and auditing of key management related activities.
  • In order to reduce the likelihood of improper use, define activation and deactivation dates for keys so that the keys can only be used for the period of time defined in the associated key management policy.
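The lifecycle rules above (items c, e, f, g, j and k of the key management list, plus the activation and deactivation dates) can be enforced mechanically rather than by procedure alone. The following is an added illustration, not text or code from the standard: a small in-memory key registry that refuses to protect new data with a key outside its activation window, still lets a deactivated key verify data it protected earlier, blocks all use of a revoked key, zeroises destroyed key material and records every event in an audit log. The store, state names, HMAC-SHA256 use case and method names are assumptions chosen for illustration; a real deployment keeps key material in an HSM or KMS rather than in process memory.

```python
"""Added example (not from the standard): enforcing a key's cryptoperiod,
revocation, destruction and audit logging for an HMAC-SHA256 key.
All class and method names below are illustrative assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class KeyState(Enum):
    PRE_ACTIVATION = "pre-activation"  # generated but activation date not reached
    ACTIVE = "active"                  # inside [activation, deactivation)
    DEACTIVATED = "deactivated"        # past deactivation: verify only, no new MACs
    COMPROMISED = "compromised"        # revoked: no use at all
    DESTROYED = "destroyed"            # material zeroised and dropped


class KeyPolicyError(Exception):
    """Raised when an operation falls outside what the key's lifecycle allows."""


@dataclass
class ManagedKey:
    key_id: str
    activation: datetime
    deactivation: datetime
    material: Optional[bytearray]
    state: KeyState = KeyState.PRE_ACTIVATION


def _clock(now: Optional[datetime]) -> datetime:
    return now if now is not None else datetime.now(timezone.utc)


class KeyStore:
    """In-memory key registry; every lifecycle event is appended to self.audit."""

    def __init__(self) -> None:
        self.keys: Dict[str, ManagedKey] = {}
        self.audit: List[str] = []

    def _log(self, now: datetime, key_id: str, event: str) -> None:
        self.audit.append(f"{now.isoformat()} key={key_id} event={event}")

    def generate(self, key_id: str, activation: datetime, cryptoperiod: timedelta,
                 now: Optional[datetime] = None) -> ManagedKey:
        now = _clock(now)
        if key_id in self.keys:  # never reuse an identifier, even for a destroyed key
            raise KeyPolicyError(f"key id {key_id} already exists")
        key = ManagedKey(key_id, activation, activation + cryptoperiod,
                         bytearray(secrets.token_bytes(32)))
        self.keys[key_id] = key
        self._log(now, key_id, f"generated activation={activation.isoformat()} "
                               f"deactivation={key.deactivation.isoformat()}")
        return key

    def _get(self, key_id: str, now: datetime) -> ManagedKey:
        key = self.keys[key_id]
        # Time-driven transitions only; compromised/destroyed are terminal states.
        if key.state in (KeyState.PRE_ACTIVATION, KeyState.ACTIVE, KeyState.DEACTIVATED):
            if now < key.activation:
                key.state = KeyState.PRE_ACTIVATION
            elif now < key.deactivation:
                key.state = KeyState.ACTIVE
            else:
                key.state = KeyState.DEACTIVATED
        return key

    def mac(self, key_id: str, data: bytes, now: Optional[datetime] = None) -> str:
        """Protect new data: allowed only while the key is ACTIVE."""
        now = _clock(now)
        key = self._get(key_id, now)
        if key.state is not KeyState.ACTIVE:
            self._log(now, key_id, f"mac-denied state={key.state.value}")
            raise KeyPolicyError(f"{key_id} is {key.state.value}; cannot protect new data")
        self._log(now, key_id, "mac")
        return hmac.new(bytes(key.material), data, hashlib.sha256).hexdigest()

    def verify(self, key_id: str, data: bytes, tag: str,
               now: Optional[datetime] = None) -> bool:
        """Check old data: a DEACTIVATED key may still verify, a revoked one may not."""
        now = _clock(now)
        key = self._get(key_id, now)
        if key.state not in (KeyState.ACTIVE, KeyState.DEACTIVATED):
            self._log(now, key_id, f"verify-denied state={key.state.value}")
            raise KeyPolicyError(f"{key_id} is {key.state.value}; cannot be trusted")
        expected = hmac.new(bytes(key.material), data, hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, tag)  # constant-time comparison
        self._log(now, key_id, "verify-ok" if ok else "verify-failed")
        return ok

    def rotate(self, old_id: str, new_id: str, cryptoperiod: timedelta,
               now: Optional[datetime] = None) -> ManagedKey:
        """Start a successor key now and end the old key's cryptoperiod early."""
        now = _clock(now)
        new = self.generate(new_id, activation=now, cryptoperiod=cryptoperiod, now=now)
        old = self.keys[old_id]
        old.deactivation = min(old.deactivation, now)
        self._log(now, old_id, f"rotated successor={new_id}")
        return new

    def revoke(self, key_id: str, reason: str, now: Optional[datetime] = None) -> None:
        now = _clock(now)
        self.keys[key_id].state = KeyState.COMPROMISED
        self._log(now, key_id, f"revoked reason={reason}")

    def destroy(self, key_id: str, now: Optional[datetime] = None) -> None:
        now = _clock(now)
        key = self.keys[key_id]
        if key.material is not None:
            for i in range(len(key.material)):  # best-effort zeroisation of the buffer
                key.material[i] = 0
            key.material = None
        key.state = KeyState.DESTROYED
        self._log(now, key_id, "destroyed")
```

Calling `mac` on a key before its activation date or after its deactivation date raises `KeyPolicyError`, which is the mechanical form of the activation/deactivation rule above; `verify` keeps working after deactivation so already-protected data can still be checked, but stops the moment the key is revoked. The `audit` list is the logging required by item k and is the first thing to consult when a compromise is investigated.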