
ISO27001 A.8.24

ISO/IEC 27001:2022 Information Security Management

Adam Lundqvist
Founder at SQUR · last verified 2026-06-19

Regulation text

Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. Theme: Technological controls. (Full guidance: ISO/IEC 27002:2022 §8.24.)

ATT&CK techniques this article tests · 15

Technique | Why it maps | Confidence
T1003.001 | Weak key management can expose cryptographic keys or hashes in memory, enabling credential dumping. This directly undermines the 'cryptographic key management' requirement of ISO27001 A.8.24. | 90%
T1005 | If data at rest on local systems is weakly encrypted or keys are compromised, adversaries can collect it. This violates the 'effective use of cryptography' mandated by ISO27001 A.8.24. | 80%
T1021.003 | Poor cryptographic key management for SSH access can lead to unauthorized remote access. This directly contradicts the 'cryptographic key management' aspect of ISO27001 A.8.24. | 90%
T1027.011 | Ineffective cryptographic rules allow adversaries to easily decrypt sensitive data or use weak encryption to hide their own activities. This compromises the 'effective use of cryptography' per ISO27001 A.8.24. | 90%
T1036.001 | Weak cryptographic rules for code signing or certificate management can allow adversaries to forge signatures. This undermines the 'effective use of cryptography' for integrity, as per ISO27001 A.8.24. | 80%
T1040 | Lack of or weak encryption protocols for network communications allows adversaries to capture and read sensitive data. This directly violates the 'effective use of cryptography' requirement of ISO27001 A.8.24. | 90%
T1041 | If the Command and Control (C2) channel uses weak encryption or compromised keys, adversaries can exfiltrate data undetected. This indicates a failure in 'effective use of cryptography' as per ISO27001 A.8.24. | 80%
T1048.001 | Data encrypted with weak or compromised keys can still be exfiltrated and decrypted by an attacker. This demonstrates a failure in the 'effective use of cryptography' outlined in ISO27001 A.8.24. | 90%
T1071 | Adversaries may use encrypted application layer protocols for C2, which weak cryptographic rules might fail to detect or block. This impacts the 'effective use of cryptography' as per ISO27001 A.8.24. | 80%
T1078 | Compromised cryptographic keys (e.g., API keys, certificates) due to poor management grant adversaries access via valid accounts. This directly relates to 'cryptographic key management' in ISO27001 A.8.24. | 90%
T1110.002 | Weak cryptographic hashing of passwords makes them susceptible to cracking, leading to credential access. This indicates a failure in the 'effective use of cryptography' for protection, as per ISO27001 A.8.24. | 80%
T1133 | Weak cryptographic configurations or keys for external remote services (e.g., VPN, RDP) enable unauthorized access. This directly relates to 'cryptographic key management' and 'effective use of cryptography' in ISO27001 A.8.24. | 90%
T1552 | Insecure storage of cryptographic keys or credentials protected by weak crypto allows adversaries to access them. This directly violates 'cryptographic key management' requirements in ISO27001 A.8.24. | 90%
T1553.004 | Weak cryptographic controls over certificate management can allow adversaries to install malicious root certificates, subverting trust. This impacts the 'effective use of cryptography' as per ISO27001 A.8.24. | 80%
T1573.001 | Weak cryptographic rules can lead to the use of easily breakable symmetric encryption for C2, or fail to detect adversary use of such channels. This impacts the 'effective use of cryptography' as per ISO27001 A.8.24. | 80%

Defending mitigations · 6

Mitigation | What it does | Confidence
M1015 | Implementing robust encryption algorithms and protocols directly addresses the 'effective use of cryptography' part of ISO27001 A.8.24. | 100%
M1024 | Encrypting data at rest and in transit protects against unauthorized disclosure, aligning with cryptographic use rules as specified in ISO27001 A.8.24. | 90%
M1027 | Protecting cryptographic keys used for credentials prevents their compromise, supporting effective key management as required by ISO27001 A.8.24. | 90%
M1043 | Measures preventing credential dumping often involve securing memory and storage where cryptographic keys or hashes reside, directly supporting ISO27001 A.8.24. | 80%
M1045 | Enforcing code signing with strong cryptographic controls ensures software integrity and authenticity, as per cryptographic rules in ISO27001 A.8.24. | 80%
M1046 | Configuring systems and applications with strong cryptographic settings and secure key management practices reduces attack surfaces, aligning with ISO27001 A.8.24. | 80%

Underlying weaknesses · 6

CWE | Why it persists | Confidence
CWE-326 | The control requires 'effective use of cryptography'; weak encryption strength directly violates this, making data vulnerable. This is a core failure of ISO27001 A.8.24. | 100%
CWE-327 | Using deprecated or flawed cryptographic algorithms undermines the 'effective use of cryptography' mandated by ISO27001 A.8.24. | 100%
CWE-321 | Hard-coding cryptographic keys bypasses proper 'cryptographic key management' practices, increasing compromise risk. This directly contradicts ISO27001 A.8.24. | 90%
CWE-338 | Weak Pseudo-Random Number Generators (PRNGs) compromise the randomness of generated keys, violating 'effective use of cryptography' and key management as per ISO27001 A.8.24. | 80%
CWE-522 | Credentials, often protected by cryptographic means, are vulnerable if cryptographic protection is inadequate, failing 'effective use of cryptography' as required by ISO27001 A.8.24. | 80%
CWE-347 | Failure to properly verify cryptographic signatures undermines data integrity and authenticity, contradicting the 'effective use of cryptography' outlined in ISO27001 A.8.24. | 80%

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0199 compute · voice-rubric self-validated · 1 hallucination(s) dropped at validation