Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-8-4 – The cybersecurity requirements for cryptography must be reviewed periodically.
Understanding the Requirement
This control requires organizations to run scheduled, documented reviews of their cryptography requirements so encryption, key management, certificates and related identity/access controls remain effective and compliant. Under the Essential Cybersecurity Controls (ECC – 2 : 2024) guidance, reviews should follow an approved plan with a defined interval (for example, quarterly) or occur when relevant laws, regulations or business conditions change. Reviews must involve the cybersecurity function working with IT and other relevant departments, and results or changes must be documented and approved by senior leadership.
Technical Implementation
- Create a documented cryptography review plan and schedule. Define scope (algorithms, key stores, HSMs, certificates, TLS configurations, disk/file encryption), frequency (quarterly, or at minimum annually), participants (cybersecurity owner, IT operations, application owners, legal/compliance), and the approval workflow. Store the plan where change control and audit trails already exist.
- Maintain a living inventory of crypto assets. Track where encryption is used (databases, backups, web services, VPNs, email, device storage), the algorithms and key lengths in use, certificate authorities, key custodians, key lifetimes, last rotation dates and expiry dates. A spreadsheet or the CMDB is adequate until a dedicated key management tool is justified.
- Perform periodic cryptographic health checks. On each review, run automated scans and manual checks for weak ciphers, expired or soon-to-expire certificates, insecure TLS configurations (for example TLS 1.0/1.1 still enabled) and deprecated algorithms (for example SHA-1 signatures or RSA keys shorter than 2048 bits). Validate key rotation and backup procedures, and test, in a non-production environment, that keys can actually be recovered from backups and HSMs.
- Align identity and access controls to key usage. Limit key access by role (least privilege), require multi-person approval for high-value keys, and log key usage and administer access through IAM integration. Review and update access lists during each cryptography review and revoke access when roles change.
- Document and approve changes. Record review findings, risk decisions, remediation actions and any policy changes. Submit revisions to the head of the organization or their deputy for formal approval, and keep the signed or recorded approvals to satisfy auditors and regulators.
- Trigger out-of-cycle reviews on change events. Define triggers that force an immediate re-evaluation (new regulation, merger or acquisition, discovery of a cryptographic vulnerability, key compromise, or a major software upgrade) and make sure the review plan describes the fast-track process.
Example in a Small or Medium Business
Acme Tech, an SMB with 80 employees, builds customer-facing web apps and stores sensitive customer data. The IT manager and a part-time CISO create a documented quarterly cryptography review plan that lists all systems using encryption, responsible owners, and checklists for certificates, TLS settings, and key lifecycles. Each quarter the cybersecurity lead runs automated TLS scans, reviews the key inventory, verifies certificate expiry dates, and checks backups of key material stored in the company’s cloud KMS. When their legal counsel flags a new regional data-protection rule that tightens encryption requirements, the team triggers an out-of-cycle review, upgrades affected algorithms, updates the encryption policy, and records the changes. The updated policy and technical remediation are summarized and signed off by the company director. Logs from IAM and the KMS confirm that only authorized roles retained key access and that key rotations occurred as scheduled, giving the business an auditable trail for compliance.
Summary
Periodic reviews that combine a clear, documented schedule with technical checks (inventory, automated scans, key lifecycle validation) and governance (role-based access, documented approvals) ensure cryptography remains effective and compliant. For SMBs, a practical mix of simple tooling, defined responsibilities, and an approval workflow gives leaders confidence that encryption and key management are actively maintained and that any regulatory or threat-driven changes are handled quickly and traceably.