DATA-5 Key Management

What is this control about?

The Key Management control is about how your organization handles the generation, exchange, storage, use, replacement and protection of cryptographic keys. Keys must be managed so that only authorized personnel (and the systems that legitimately need them) can access them. A key management system typically includes key servers, user procedures and protocols, including cryptographic protocol design.

SOC 2 itself imposes no formal requirement for how keys are managed; auditors assess the standard you define and whether you follow it.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, because we haven’t personally used them.

Key Management Tools

  • Azure Key Vault

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • N/A for this section

Control implementation

Note: This control is 100% automated by TrustCloud. Connect your system to take advantage of the automation.

For a manual implementation:

Document the standard that governs the security of cryptographic keys in the organization. This can take the form of a key management system and should cover, at a minimum:

    • Approved algorithms and key sizes
    • Key lifecycle management (generation, rotation, revocation and destruction)
    • Secure storage
    • Access controls (who and what may use each key)
    • Permitted key usage
    • Secure distribution
    • Availability (backup and recovery of keys)
    • Audit logs of key operations

Ensure that keys are accessible only to authorized personnel.
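As an added example of how the "key management configuration settings" an auditor asks for can be checked against the documented standard, the script below evaluates an exported AWS KMS key inventory for approved key specs, automatic rotation on symmetric customer managed keys, and key policies that grant access to any principal. This is example code written for this page, not TrustCloud's automation and not AWS code. The AWS account number, the key IDs and the approved-spec list are assumptions; the sample inventory is constructed inline so the check runs offline, and in a real run it would come from the boto3 calls named in the docstring.

```python
"""Evidence check for DATA-5: evaluate an exported AWS KMS key configuration
against the organization's documented key management standard.

Added example; not TrustCloud's automation and not AWS code. In a real run the
three inputs per key come from boto3:
    kms.describe_key(KeyId=k)["KeyMetadata"]
    kms.get_key_rotation_status(KeyId=k)["KeyRotationEnabled"]
    json.loads(kms.get_key_policy(KeyId=k, PolicyName="default")["Policy"])
Here they are constructed inline so the check runs offline.
"""
import json
from typing import Any

# Assumption: the algorithms and key sizes the organization's standard approves.
APPROVED_KEY_SPECS = {
    "SYMMETRIC_DEFAULT",            # AES-256-GCM, the KMS default
    "RSA_3072", "RSA_4096",
    "ECC_NIST_P256", "ECC_NIST_P384",
}


def _as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. any AWS principal at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def check_key(metadata: dict, rotation_enabled: bool, policy: dict) -> list[str]:
    """Return findings for one key; an empty list means the key meets the standard."""
    findings: list[str] = []

    # Algorithms and key sizes
    spec = metadata.get("KeySpec") or metadata.get("CustomerMasterKeySpec")
    if spec not in APPROVED_KEY_SPECS:
        findings.append(f"key spec {spec} is not in the approved list")

    # Key lifecycle: KMS rotates only symmetric customer managed keys automatically
    if metadata.get("KeyManager") == "CUSTOMER":
        if spec == "SYMMETRIC_DEFAULT" and not rotation_enabled:
            findings.append("automatic rotation is disabled on a symmetric customer managed key")
        elif spec != "SYMMETRIC_DEFAULT":
            findings.append("asymmetric key: KMS does not rotate it automatically, attach manual rotation evidence")

    # Access controls: an Allow statement with a wildcard principal and no Condition
    # makes the key usable by anyone who can reach the KMS endpoint
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if _is_wildcard_principal(stmt.get("Principal")) and "Condition" not in stmt:
            actions = ", ".join(_as_list(stmt.get("Action")))
            findings.append(f"statement {stmt.get('Sid', '<no Sid>')} grants {actions} to any principal")

    return findings


def evaluate_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Map each KeyId to its findings for the whole exported inventory."""
    return {
        item["metadata"]["KeyId"]: check_key(item["metadata"], item["rotation_enabled"], item["policy"])
        for item in inventory
    }


# Constructed sample inventory (hypothetical account 123456789012 and key IDs).
ACCOUNT_ROOT = {"AWS": "arn:aws:iam::123456789012:root"}
ROOT_STATEMENT = {"Sid": "EnableRootPermissions", "Effect": "Allow",
                  "Principal": ACCOUNT_ROOT, "Action": "kms:*", "Resource": "*"}
GOOD_KEY_ID = "11111111-1111-1111-1111-111111111111"
WEAK_KEY_ID = "22222222-2222-2222-2222-222222222222"
RSA_KEY_ID = "33333333-3333-3333-3333-333333333333"

SAMPLE_INVENTORY = [
    {   # meets the standard: approved spec, rotation on, root-only policy
        "metadata": {"KeyId": GOOD_KEY_ID, "KeyManager": "CUSTOMER", "KeyState": "Enabled",
                     "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT"},
        "rotation_enabled": True,
        "policy": {"Version": "2012-10-17", "Statement": [ROOT_STATEMENT]},
    },
    {   # weak: rotation off and a statement letting any principal decrypt
        "metadata": {"KeyId": WEAK_KEY_ID, "KeyManager": "CUSTOMER", "KeyState": "Enabled",
                     "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT"},
        "rotation_enabled": False,
        "policy": {"Version": "2012-10-17", "Statement": [
            ROOT_STATEMENT,
            {"Sid": "AllowAnyoneToDecrypt", "Effect": "Allow", "Principal": "*",
             "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]},
    },
    {   # unapproved key size, and no automatic rotation is available for RSA keys
        "metadata": {"KeyId": RSA_KEY_ID, "KeyManager": "CUSTOMER", "KeyState": "Enabled",
                     "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY"},
        "rotation_enabled": False,
        "policy": {"Version": "2012-10-17", "Statement": [ROOT_STATEMENT]},
    },
]

if __name__ == "__main__":
    # Evidence artifact: findings per key; empty lists are the compliant keys
    print(json.dumps(evaluate_inventory(SAMPLE_INVENTORY), indent=2))
```

The JSON the script prints is the kind of artifact that can be attached as evidence: each key with an empty finding list satisfies the documented standard, and each non-empty list names the item of the standard (algorithm, lifecycle, access control) that the configuration fails. Wildcard-principal statements that do carry a Condition block (for example a `kms:ViaService` restriction) are deliberately not flagged, so review those by hand.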

What evidence do auditors look for?

Most auditors look, at a minimum, for the following:

  • Provide the key management configuration settings (for example, the key inventory, rotation status and access policies exported from your key management service)

Evidence example

For the suggested action above, an example is provided below:

  1. Provide the key management configuration settings

TrustCloud example: a key management configuration demonstrating that KMS is in use as the key management tool.

