Compliance / ISO/IEC 27001:2022
ISO 27001 Cryptography Audit Tool
ISO/IEC 27001:2022 Annex A control 8.24 requires rules for the effective use of cryptography, including key management. Korthex produces the evidence side: a complete cryptographic inventory (CBOM) of the algorithms, key sizes, certificates and protocols actually in use, with weaknesses flagged and mapped, exported as PDF or CycloneDX for the audit file. 100% on-premise.
What auditors ask for under A.8.24
The 2022 revision folded the 2013 A.10 cryptography controls into control 8.24 (use of cryptography). Auditors want two things: a documented policy on cryptographic controls, and evidence that reality matches it: which algorithms run where, how keys are handled, and what the exceptions are.
The gap is almost always on the reality side. The policy says AES-256 and SHA-256; the codebase says MD5 in a password path, a 1024-bit RSA key in a forgotten service, and a hardcoded API token from 2023. Korthex closes exactly that gap.
Policy versus reality: what Korthex finds
- Primitives that violate a typical crypto policy: MD5, SHA-1, DES, 3DES, RC4, Blowfish, AES-ECB and CBC-without-integrity misuse
- Certificates and TLS configurations that do not match the policy: weak signatures, short keys, expired or near-expiry certificates
- Hardcoded keys and secrets in source, configuration and git history: a key-management violation by definition
- Quantum-vulnerable cryptography where long-term confidentiality is classified: RSA, ECC, Diffie-Hellman with their PQC successors
- A compliance status per finding, mapped to ISO 27001 alongside NIST FIPS, BSI and PCI-DSS
Evidence generation
The CBOM exports as PDF for the audit file and as CycloneDX or JSON for GRC tooling. Because a scan finishes in under two minutes, evidence generation is repeatable: run it per commit in CI and the annual audit stops being an archaeology project. Every entry carries file, line, severity and a taint verdict, so sampled findings survive auditor scrutiny.
Honest scope
Korthex covers the cryptography controls of an ISMS, not the whole ISO 27001 management system. Risk treatment, scope statements and organizational controls remain yours; Korthex supplies the technical inventory and the recurring proof for the cryptography slice.
Frequently asked questions
Does ISO 27001 require a cryptographic inventory?
Not in those words. Control 8.24 requires rules for the effective use of cryptography and their implementation. In practice, auditors accept a current inventory of cryptographic assets as the core evidence that the rules are implemented, and a CBOM is the standard machine-readable form of that inventory.
What changed between ISO 27001:2013 and 2022 for cryptography?
The 2013 controls A.10.1.1 (policy on the use of cryptographic controls) and A.10.1.2 (key management) were merged into the 2022 control 8.24 (use of cryptography). The expectations are unchanged: documented rules plus evidence of implementation.
Can I use Korthex during certification preparation?
Yes. A first scan shows the gap between your crypto policy and your codebase; the migration plan orders the fixes; re-scans document progress. The same CBOM then serves as evidence during the certification and surveillance audits.
Does the tool run on-premise?
Yes. 100% on-premise or air-gapped, as a CLI or in CI/CD. Source code never leaves your infrastructure.
Which export formats does the audit evidence support?
PDF for the audit file, CycloneDX, SARIF and JSON for tooling, plus the native .kxr format. All exports carry file:line evidence and per-finding compliance status.