Theme: Technological | Control type: Preventive | Cybersecurity concept: Protect | Priority: High

A.8.24 Use of Cryptography

M365 Admin Path: Microsoft Intune admin center > Endpoint security > Disk encryption; Microsoft Entra admin center > Devices > BitLocker keys; Azure Portal > Key vaults

Evidence Source: Microsoft Graph - BitLocker, Key Vault

What is A.8.24 Use of Cryptography?

ISO 27001 control A.8.24 Use of Cryptography ensures proper and effective use of cryptography to protect confidentiality, authenticity, and integrity of information according to business, security, privacy, legal, and regulatory requirements. The control implements pervasive encryption using industry-standard strong algorithms including AES-256 for data at rest and TLS 1.2 or higher for data in transit with robust key management throughout the lifecycle.

How to implement A.8.24 in Microsoft 365

Implement A.8.24 by enforcing TLS 1.2 or higher

Implement A.8.24 by enforcing TLS 1.2 or higher on all web-based access to organisational resources. Disable older protocols, including TLS 1.0 and 1.1, and weak cipher suites at the service configuration level.

Implement full disk encryption on all managed endpoints

Implement full disk encryption on all managed endpoints via Microsoft Intune, using BitLocker for Windows or FileVault for macOS, with a coverage target of 95% or higher. Deploy Azure Storage Service Encryption on all Azure Storage Accounts with AES-256.

Enable Azure SQL Transparent Data Encryption on all databases

Enable Azure SQL Transparent Data Encryption on all databases. Configure Azure Disk Encryption on Azure VM disks.

Deploy Microsoft Purview sensitivity labels for persistent file-level encryption

Deploy Microsoft Purview sensitivity labels for persistent file-level encryption of sensitive data.

What an auditor checks for A.8.24

  • Auditors will verify 95% or more of endpoints have BitLocker or FileVault encryption enabled with recovery keys escrowed.
  • They will check TLS 1.2 minimum is enforced on all Azure services with TLS 1.0 and 1.1 disabled.
  • Auditors will verify Azure Storage Service Encryption is enabled on all storage accounts with AES-256.
  • They will check database encryption shows Azure SQL TDE is enabled on all databases.
  • Auditors will verify Azure Key Vault configuration with access policies, soft delete, purge protection, and audit logging enabled.
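The checks above, expressed as an evidence evaluator, as an added example that is not part of this page or of any vendor tooling. The records are constructed samples shaped like Azure Resource Manager and Microsoft Graph responses; the property names (isEncrypted, minimumTlsVersion, state, enableSoftDelete, enablePurgeProtection) follow the public schemas but are assumptions here, not values pulled from a live tenant, and Storage Service Encryption and Key Vault audit logging are left out to keep the block short.

```python
"""Evaluate A.8.24 evidence records against the auditor checks listed above.

All records below are constructed samples (assumed shapes), not live data."""

COVERAGE_TARGET = 0.95          # 95% of endpoints encrypted with key escrowed
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}

# Constructed: Intune managedDevice objects plus the set of device IDs whose
# BitLocker/FileVault recovery key is escrowed in Microsoft Entra ID.
DEVICES = [
    {"id": "d1", "operatingSystem": "Windows", "isEncrypted": True},
    {"id": "d2", "operatingSystem": "Windows", "isEncrypted": True},
    {"id": "d3", "operatingSystem": "macOS", "isEncrypted": False},
]
ESCROWED_KEYS = {"d1"}

# Constructed: storage accounts, SQL TDE settings and key vaults.
STORAGE = [{"name": "stprod", "properties": {"minimumTlsVersion": "TLS1_2"}},
           {"name": "stlegacy", "properties": {"minimumTlsVersion": "TLS1_0"}}]
SQL_TDE = [{"database": "crm", "properties": {"state": "Enabled"}},
           {"database": "archive", "properties": {"state": "Disabled"}}]
VAULTS = [{"name": "kv-core", "properties": {"enableSoftDelete": True,
                                             "enablePurgeProtection": False}}]

def endpoint_coverage(devices, escrowed):
    """Return (fraction encrypted AND escrowed, IDs of devices failing either test)."""
    compliant = {d["id"] for d in devices if d["isEncrypted"] and d["id"] in escrowed}
    failing = [d["id"] for d in devices if d["id"] not in compliant]
    return (len(compliant) / len(devices) if devices else 0.0), failing

def audit_findings(devices=DEVICES, escrowed=ESCROWED_KEYS, storage=STORAGE,
                   sql_tde=SQL_TDE, vaults=VAULTS):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    coverage, failing = endpoint_coverage(devices, escrowed)
    if coverage < COVERAGE_TARGET:
        findings.append(f"endpoint coverage {coverage:.0%} below 95%: {failing}")
    for acct in storage:
        # An absent minimumTlsVersion is treated as TLS1_0 so it fails the check.
        tls = acct["properties"].get("minimumTlsVersion", "TLS1_0")
        if TLS_ORDER.get(tls, -1) < TLS_ORDER["TLS1_2"]:
            findings.append(f"storage account {acct['name']} allows {tls}")
    for db in sql_tde:
        if db["properties"].get("state") != "Enabled":
            findings.append(f"TDE not enabled on database {db['database']}")
    for kv in vaults:
        for flag in ("enableSoftDelete", "enablePurgeProtection"):
            if not kv["properties"].get(flag, False):
                findings.append(f"key vault {kv['name']} missing {flag}")
    return findings

if __name__ == "__main__":
    for finding in audit_findings():
        print("FAIL:", finding)
```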

What your auditor expects for A.8.24

  • cryptographic controls including BitLocker/FileVault encryption status
  • recovery key escrow
  • TLS configuration
  • Azure Key Vault usage
  • encryption policy deployment across the environment


M365 capabilities that implement this control

Label-Based Encryption (Info Gov)

Configure sensitivity labels with encryption protection

Registered Email Encryption (Info Gov)

Court-admissible proof of encrypted delivery for external communications, closing the evidence gap for A.5.14 (Information Transfer) and A.5.31 (Legal/Regulatory Requirements)

Adaptive Encryption (Info Gov)

Dynamic TLS-first encryption with AES-256 PDF fallback, delivering securely to recipients' inboxes without portal friction — complementing Purview Message Encryption where external recipients lack Microsoft accounts

Proof of Delivery (Info Gov)

Registered Receipt records with immutable timestamps, content proof, and self-authenticating encryption evidence — directly addressing A.8.24 (Use of Cryptography) audit requirements