TLS certificates have become a standard item on the audit agenda — and not just in ISO 27001 assessments. NIS2 supervisory reviews, ISAE 3000 reporting, internal audits, and supplier evaluations are all starting to ask specific questions about how organisations manage their certificates.

Many IT managers and CISOs discover this too late: the question auditors ask is not "do you have TLS?" but "can you demonstrate that you manage your TLS systematically?"

What ISO 27001 requires

ISO 27001:2022 Annex A Control 8.24 explicitly addresses the use of cryptography and key management. Control 8.20 covers network security including TLS configuration. Controls 5.9 and 5.10 address asset inventory and acceptable use.

Auditors will typically ask:

  • Do you have a policy governing the use of cryptography and certificates?
  • Are all certificates inventoried — who owns them, when do they expire?
  • Is there a defined renewal process with clear ownership?
  • Can you demonstrate that renewals are completed on time?
  • What happens to certificates that are no longer in use?

What NIS2 supervisors look for

NIS2 supervision is more process-oriented than ISO 27001. Supervisors will examine whether the organisation has a functioning risk management system — and certificates are a measurable, concrete part of that picture. Our guide to NIS2 certificate management maps the directive's Article 21 measures to specific certificate controls.

Questions that commonly come up:

  • Do you have a complete asset register covering your information systems and the certificates they use?
  • Have you documented the risks associated with certificate expiry and TLS configuration?
  • What controls ensure that certificates are renewed before they expire?
  • Can you show an incident history and what actions were taken?
  • What is your procedure for reporting a certificate-related incident?

The questions organisations struggle to answer

Based on audit conversations, there are typically three questions that organisations find hardest to answer convincingly:

"Are you confident your certificate inventory is complete?" — "We think it's complete" is not a satisfactory answer. Auditors want to understand the process: how do you know there are no certificates you are unaware of? Automated scanning and Certificate Transparency log monitoring are the only answers that hold up.

"What happened the last time a renewal failed or ran late?" — If you do not have a system that logs this, you cannot answer. A blank response signals that you do not know — not that nothing happened.

"Who is responsible for certificate X?" — For certificates on systems hosted by vendors or provisioned by teams outside IT, the answer is often unclear. That is a red flag for any auditor.

What actually impresses auditors

Organisations that consistently do well on this topic share the same practices:

  • They can pull a current report of all certificates — with status and expiry dates — in a few clicks
  • They can show a time series demonstrating that monitoring has run continuously
  • They have a documented, named owner for each certificate
  • They can show that alerts are working — for example by pulling up recent notification logs
  • They have a written certificate incident procedure — short and operational

None of these requirements are difficult to meet with the right tooling. They are very difficult to meet with spreadsheets and calendar reminders. The guide on ISO 27001 and TLS certificates covers the specific control requirements in more detail.

Preparing for an audit: checklist

  • Complete certificate inventory with expiry dates, owners, and associated systems
  • Documented monitoring status — when did the last scan run?
  • Alert configuration — who receives notifications, and at what thresholds?
  • Incident procedure for certificate expiry and compromise
  • List of vendor certificates on your domains
  • Report on expired certificates over the past 12 months and what action was taken
  • Cryptography policy with references to TLS standards and certificate requirements
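As an added example (not part of the original page, and not CertControl's code), the following Go program shows what the first items on this checklist, and the inventory-completeness answer given earlier, look like as a running tool. It performs a real TLS handshake against each endpoint in an asset register, records the leaf certificate together with the negotiated protocol version and cipher suite, computes days to expiry against an audit clock, and raises findings for a missing owner, expiry inside a 30-day alert window, and a certificate that does not cover the scanned hostname (the "vendor certificate on your domain" case). Everything it scans is constructed: the three hostnames, owners and self-signed certificates are generated inline, and the server side of each connection is an in-process tls.Server joined to the client by net.Pipe instead of a remote host, so it runs offline. The fixed audit date, the 30-day threshold and the finding texts are assumptions of the example; a production scanner would dial host:443 and use time.Now().

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Record is one inventory line; every host, owner and certificate in this file is constructed.
type Record struct {
	Host, Owner             string // asset-register fields
	Leaf                    *x509.Certificate
	DaysLeft                int    // on the audit clock; negative once expired
	TLSVersion, CipherSuite uint16 // as negotiated with the server
	Findings                []string
}

// newCert mints a self-signed certificate valid from day start to day end on the audit clock.
func newCert(cn string, now time.Time, start, end int) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{cn},
		NotBefore: now.Add(time.Duration(start) * 24 * time.Hour), NotAfter: now.Add(time.Duration(end) * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// scan runs a real TLS handshake and records what the server presented. net.Pipe keeps it offline (production
// dials host:443); verification is off on purpose so expired or misnamed certificates are recorded, not refused.
func scan(host, owner string, server *tls.Config, now time.Time) (Record, error) {
	clientEnd, serverEnd := net.Pipe()
	go func() {
		_ = tls.Server(serverEnd, server).Handshake()
		serverEnd.Close() // close the raw pipe; a TLS-level Close would block on close_notify
	}()
	defer clientEnd.Close()
	c := tls.Client(clientEnd, &tls.Config{ServerName: host, InsecureSkipVerify: true}) // not a trust decision
	if err := c.Handshake(); err != nil {
		return Record{}, fmt.Errorf("%s: %w", host, err)
	}
	st := c.ConnectionState()
	return Record{Host: host, Owner: owner, Leaf: st.PeerCertificates[0], TLSVersion: st.Version, CipherSuite: st.CipherSuite,
		DaysLeft: int(st.PeerCertificates[0].NotAfter.Sub(now).Hours() / 24)}, nil
}

// evaluate returns the findings an auditor asks about ("fail:" or "warn:"): ownership, expiry, hostname coverage.
func evaluate(r Record, warnDays int) []string {
	var out []string
	if r.Owner == "" {
		out = append(out, "fail: no named owner in the asset register")
	}
	if r.DaysLeft < 0 {
		out = append(out, fmt.Sprintf("fail: certificate expired %d days ago", -r.DaysLeft))
	} else if r.DaysLeft <= warnDays {
		out = append(out, fmt.Sprintf("warn: certificate expires in %d days", r.DaysLeft))
	}
	if r.Leaf.VerifyHostname(r.Host) != nil {
		out = append(out, "fail: certificate does not cover the scanned hostname")
	}
	return out
}

// runAudit scans three constructed endpoints on a fixed audit clock (production uses time.Now()) at a 30-day threshold.
// SessionTicketsDisabled is needed only because net.Pipe has no buffer: an unread server flight would deadlock.
func runAudit() ([]Record, error) {
	now := time.Date(2025, 3, 1, 0, 0, 0, 0, time.UTC)
	var inv []Record
	for _, c := range []struct {
		host, cn, owner string
		start, end      int // validity window in days around the audit clock
	}{
		{"www.example.com", "www.example.com", "web-team", -100, 200},
		{"api.example.com", "api.example.com", "", -355, 10},              // nobody owns it
		{"staging.example.com", "staging.internal", "platform", -400, -5}, // expired, wrong name
	} {
		cfg := &tls.Config{Certificates: []tls.Certificate{newCert(c.cn, now, c.start, c.end)}, SessionTicketsDisabled: true}
		r, err := scan(c.host, c.owner, cfg, now)
		if err != nil {
			return nil, err
		}
		r.Findings = evaluate(r, 30)
		fmt.Println(r.Host, r.Owner, r.DaysLeft, tls.VersionName(r.TLSVersion), tls.CipherSuiteName(r.CipherSuite), r.Findings)
		inv = append(inv, r)
	}
	return inv, nil
}

func main() {
	if _, err := runAudit(); err != nil {
		panic(err)
	}
}
```

Run it with go run: the three report lines show one clean endpoint, one with no owner recorded that expires in 10 days, and one staging host presenting an expired certificate issued for a different name. InsecureSkipVerify is deliberate and safe here because the client sends no data and makes no trust decision; it only records what the server presents, which is what an inventory scan has to do, since a verifying client would refuse the expired and misnamed certificates and the inventory would then be missing exactly the findings the auditor cares about.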

What CertControl delivers for the audit

The checklist and the three hard questions above are precisely what CertControl addresses — not as audit preparation, but as a side effect of running normal operations:

  • "Are you confident your certificate inventory is complete?" — CertControl queries Certificate Transparency logs and runs active network scanning continuously. The inventory updates automatically when new certificates are issued. The answer to the auditor's question is a report, not an apology.
  • "What happened the last time a renewal failed or ran late?" — CertControl logs every event with a timestamp: when alerts fired, who they were sent to, when certificates were renewed or expired. This audit log cannot be reconstructed after the fact and is difficult to dispute.
  • "Who is responsible for certificate X?" — Every certificate in CertControl has a named owner assigned in the system. The answer is in the platform, not in someone's head.
  • Complete certificate overview with expiry dates and status in a few clicks. The executive report in CertControl shows certificate status, expiry forecasts, and compliance scores. It can be generated on demand and exported — not pieced together from disparate systems the night before an audit.
  • TLS configuration scanning across all endpoints. Cipher suites, protocol versions, and security headers are checked automatically. Weak configurations on staging environments and internal systems — the classic audit red flag — surface as findings in CertControl without any manual scanning.

Frequently asked questions

What is the single question auditors care most about for certificates?

The question is not whether you have TLS, but whether you can demonstrate that you manage it systematically. Auditors want to see a defined process, a complete inventory, named ownership, and evidence that renewals happen on time, rather than a one-off assertion that everything is fine.

Which ISO 27001 controls cover certificates?

ISO 27001:2022 Annex A Control 8.24 addresses the use of cryptography and key management, Control 8.20 covers network security including TLS configuration, and Controls 5.9 and 5.10 address asset inventory and acceptable use. Together they require a documented cryptography policy and an accurate certificate inventory.

How is NIS2 supervision different from an ISO 27001 audit?

NIS2 supervision is more process-oriented. Supervisors examine whether a functioning risk management system exists, asking for a complete asset register, documented certificate risks, controls that ensure timely renewal, an incident history, and a procedure for reporting certificate-related incidents.

Which audit questions do organisations struggle with most?

Three recur: whether you are confident the certificate inventory is complete, what happened the last time a renewal failed or ran late, and who is responsible for a specific certificate. A vague answer to any of these signals an absence of systematic control rather than that nothing went wrong.

What should I have ready before a certificate audit?

Have a complete inventory with expiry dates and owners, documented monitoring status, alert configuration and thresholds, an incident procedure, a list of vendor certificates on your domains, a 12-month report of expired certificates and actions taken, and a cryptography policy referencing TLS standards and certificate requirements.