DAT-005 Cryptographic Key Management
Description
Cryptographic keys are generated, stored, rotated, revoked and destroyed according to a documented key management policy. Keys are stored separately from the data they protect, and access to key material is restricted and logged. Key rotation periods are defined and enforced.
Rationale
Encryption is only as strong as the protection of its keys. A weak or unmanaged key lifecycle is a common failure mode that renders encryption ineffective.
Framework Mappings (6)
| Control | Title | Coverage |
|---|---|---|
| CEK-01 | Encryption and Key Management Policy and Procedures | full |
| CEK-04 | Encryption Algorithm | partial |
| CEK-09 | Encryption and Key Management Audit | partial |
| 8.24 | Use of cryptography | full |
| SC-12 | Cryptographic Key Establishment and Management | full |
| SC-13 | Cryptographic Protection | partial |
Evidence (2)
Key management policy documenting lifecycle requirements for cryptographic keys including generation, storage, rotation schedules, revocation, and destruction.
Example: Cryptographic Key Management Policy (Confluence), approved by CISO, specifying KMS usage, key rotation periods per algorithm (e.g. AES-256 annual rotation), access restrictions, and prohibition on exporting key material outside approved HSM/KMS
Test: Request the key management policy. Verify: (1) covers all lifecycle stages: generation, storage, rotation, revocation, destruction, (2) specifies maximum rotation period per key type, (3) requires keys to be stored separately from the data they protect, (4) restricts access to key material to named roles or systems, (5) approved within 24 months.
KMS or key vault configuration and audit logs demonstrating active key rotation, separation of key custodianship, and logged access to key material.
Example: AWS KMS key rotation status report (all CMKs), AWS CloudTrail log excerpt showing key usage and access attempts, and key policy JSON showing restricted IAM principals, exported for the audit period.
Test: Query the KMS for all active customer-managed keys. Verify: (1) automatic key rotation is enabled for all CMKs, (2) key policies restrict access to approved IAM roles or principals only, (3) CloudTrail / KMS audit logs show no unauthorised key access events in the last 90 days, (4) key material is not exportable or is restricted to approved uses.
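One way to run evidence checks (1) and (2) above over an exported key inventory, as an added example that is not part of this control catalogue; the inventory, account id and role ARN are constructed placeholders, and the field names are the reviewer's own, not a KMS API response shape:

```python
import json

# Added example (not the catalogue's own tooling). The inventory is constructed;
# in a real review it is assembled from kms:ListKeys, kms:DescribeKey,
# kms:GetKeyRotationStatus and kms:GetKeyPolicy (boto3: list_keys, describe_key,
# get_key_rotation_status, get_key_policy). Account id and ARNs are placeholders.
SAMPLE_INVENTORY = [
    {"KeyId": "cmk-payments-0001", "KeyManager": "CUSTOMER", "RotationEnabled": True,
     "Policy": json.dumps({"Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/PaymentsService"},
        "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]})},
    {"KeyId": "cmk-legacy-0002", "KeyManager": "CUSTOMER", "RotationEnabled": False,
     "Policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
        "Action": "kms:*", "Resource": "*"}]})},
    {"KeyId": "aws-managed-0003", "KeyManager": "AWS", "RotationEnabled": True,
     "Policy": json.dumps({"Statement": []})},
]
# Principals the key management policy names as approved users (placeholder ARN).
APPROVED_PRINCIPALS = {"arn:aws:iam::111122223333:role/PaymentsService"}

def _principals(statement):
    """Normalise a policy statement's Principal element to a set of strings."""
    principal = statement.get("Principal", {})
    if principal == "*":                       # anonymous / any principal
        return {"*"}
    found = set()
    for value in principal.values():           # {"AWS": ..., "Service": ...}
        found.update([value] if isinstance(value, str) else value)
    return found

def audit_key(key, approved):
    """Return findings for one key against evidence checks (1) and (2); [] means pass."""
    findings = []
    if not key["RotationEnabled"]:
        findings.append("automatic rotation disabled")
    for stmt in json.loads(key["Policy"]).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in sorted(_principals(stmt) - approved):
            findings.append(f"unapproved principal {principal}")
    return findings

def audit_inventory(inventory, approved):
    """Map KeyId -> findings for customer-managed keys (AWS-managed keys are out of scope)."""
    return {k["KeyId"]: audit_key(k, approved)
            for k in inventory if k["KeyManager"] == "CUSTOMER"}

for key_id, findings in audit_inventory(SAMPLE_INVENTORY, APPROVED_PRINCIPALS).items():
    print(key_id, "PASS" if not findings else "; ".join(findings))
```

A wildcard principal or a principal outside the approved set is reported per statement, so a single key can carry several findings; CloudTrail review (check 3) is a separate log query not covered here.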
Questions (2)
Does your organisation have a documented cryptographic key management policy that covers the full key lifecycle: generation, storage, rotation, revocation and destruction?
The policy must specify key rotation periods, require keys to be stored separately from the data they protect, restrict and log access to key material, and be approved within the last 24 months.
How are encryption keys managed in your production environment?
Cloud KMS with automatic rotation is the baseline expectation for SaaS environments. Keys managed within the application without separation represent a significant control weakness.