
Cloud cryptographic key management — CMK/BYOK/HYOK

Primary statement

Cloud key management per ISO A.8.24 + A.5.23 + ISO 27017 + SEBI cloud + DPDPA. CMK/BYOK/HYOK for cloud-stored sensitive data. Key custody segregation between cloud provider and customer.

Audit-fatigue payoff

A unified cloud key approach — CMK/BYOK + custody segregation + lifecycle — satisfies cloud key management across all 4 contributing frameworks.

Strictness matrix

Scope: rules for cryptography use INCLUDING key management; comprehensive crypto + key scope.
Ceiling source: iso27001:A.8.24
Rationale: ISO A.8.24 is the foundational scope.

Threshold: documented key management rules; without documented procedures, key management is ad hoc.
Ceiling source: iso27001:A.8.24
Rationale: ISO A.8.24 documentation threshold is binary.

Method: cryptography policy + key procedures (generation, distribution, rotation, archive, destruction) + cloud-specific CMK/BYOK/HYOK selection + custody segregation.
Ceiling source: iso27001:A.8.24
Rationale: ISO A.8.24 + A.5.23 combined are the most prescriptive.

Frequency: key rotation per cryptoperiod; procedure review annual.
Ceiling source: iso27001:A.8.24
Rationale: per-cryptoperiod rotation is the floor.

Evidence: cryptography policy + key procedures + cloud key selection + custody segregation + key inventory + rotation records.
Ceiling source: iso27001:A.8.24
Rationale: ISO A.8.24 evidence is comprehensive.

Auditor test pattern

Step 1: Inspect the cryptography policy.
Step 2: Verify the cloud key management model in use (CMK/BYOK/HYOK).
Step 3: Verify custody segregation between cloud provider and customer.
Step 4: Inspect the key inventory and rotation records.

Common findings

(1) CSP-managed keys (no customer control).
(2) Custody co-located with the cloud provider.
(3) Rotation unexercised.
(4) HSM claimed but escrow co-located.
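The auditor test pattern (Steps 2 to 4) and the four common findings above map directly onto checks that can be run over a key inventory. The following Python script is an added example, not part of this page or of any framework or provider tooling: it assumes a simplified inventory schema (custody model, escrow location, sensitivity of the protected data, creation and last-rotation dates, cryptoperiod) and constructed sample records, and emits one finding code per common finding.

```python
"""Added example: audit a cloud key inventory against the four common findings.

Assumptions (not from the page): the inventory schema below, the custody labels
csp_managed/cmk/byok/hyok, and the escrow locations provider_kms/customer_hsm.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Custody models named on the page, from least to most customer control.
CSP_MANAGED, CMK, BYOK, HYOK = "csp_managed", "cmk", "byok", "hyok"


@dataclass(frozen=True)
class KeyRecord:
    """One row of a key inventory (assumed schema, not a real provider export)."""
    key_id: str
    custody: str               # csp_managed | cmk | byok | hyok
    escrow_location: str       # where a recoverable copy of the key material is held
    protects_sensitive: bool   # key wraps data classed as sensitive
    created: date
    last_rotated: Optional[date]
    cryptoperiod_days: int     # maximum key age allowed by the cryptography policy


def check_key(rec: KeyRecord, as_of: date) -> list[str]:
    """Return finding codes F1..F4 (the page's four common findings) for one key."""
    findings: list[str] = []

    # Step 2, finding 1: sensitive data must sit under a customer-controlled key.
    if rec.protects_sensitive and rec.custody == CSP_MANAGED:
        findings.append("F1 csp-managed key on sensitive data")

    # Step 3, finding 2: with BYOK the customer generated the key, so a
    # recoverable copy held by the same provider defeats custody segregation.
    if rec.custody == BYOK and rec.escrow_location == "provider_kms":
        findings.append("F2 custody co-located with provider")

    # Step 3, finding 4: HYOK means the key never leaves the customer HSM;
    # an escrow copy anywhere else contradicts the HSM claim.
    if rec.custody == HYOK and rec.escrow_location != "customer_hsm":
        findings.append("F4 hsm claimed but escrow co-located")

    # Step 4, finding 3: rotation per cryptoperiod. A key that was never
    # rotated is aged from its creation date.
    age_days = (as_of - (rec.last_rotated or rec.created)).days
    if age_days > rec.cryptoperiod_days:
        overdue = age_days - rec.cryptoperiod_days
        findings.append(f"F3 rotation overdue by {overdue} days")

    return findings


def audit_inventory(inventory: list[KeyRecord], as_of: date) -> dict[str, list[str]]:
    """Map each key id to its list of findings (empty list means clean)."""
    return {rec.key_id: check_key(rec, as_of) for rec in inventory}


# Constructed sample inventory: one clean CSP-managed key for non-sensitive
# data, then one key per common finding, then one fully compliant HYOK key.
AS_OF = date(2025, 1, 1)
SAMPLE_INVENTORY = [
    KeyRecord("k-logs", CSP_MANAGED, "provider_kms", False, date(2024, 1, 1), date(2024, 7, 1), 365),
    KeyRecord("k-pii", CSP_MANAGED, "provider_kms", True, date(2024, 1, 1), date(2024, 7, 1), 365),
    KeyRecord("k-byok", BYOK, "provider_kms", True, date(2023, 1, 1), None, 365),
    KeyRecord("k-hyok", HYOK, "provider_kms", True, date(2024, 6, 1), date(2024, 6, 1), 365),
    KeyRecord("k-good", HYOK, "customer_hsm", True, date(2024, 6, 1), date(2024, 10, 1), 180),
]

if __name__ == "__main__":
    for key_id, findings in audit_inventory(SAMPLE_INVENTORY, AS_OF).items():
        print(key_id, findings or ["clean"])
```

Running the script lists `k-pii` under F1, `k-byok` under F2 and F3 (never rotated since 2023, so 366 days past its 365-day cryptoperiod), `k-hyok` under F4, and the other two keys as clean. The rotation check deliberately falls back to the creation date for keys with no rotation record, which is how an unexercised rotation procedure surfaces as evidence rather than as a silent gap.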