ISO 27001:2022 updated and reorganised the Annex A controls significantly compared to the 2013 version. The cryptography and key management controls became more explicit, and the asset management requirements were strengthened. For organisations managing TLS certificates, several controls now have direct, testable implications for how certificates are inventoried, managed, and monitored.
The Annex A controls that cover certificates
Control 5.9 — Inventory of information and other associated assets. This control requires that an inventory of assets is developed, maintained, and kept accurate and consistent. TLS certificates are information assets. An auditor assessing this control will want to see evidence that certificates are included in the asset inventory — not just servers and software, but the certificates themselves, with ownership, classification, and lifecycle information.
Control 5.12 — Classification of information. Certificates and especially private keys require appropriate classification. Private keys for production certificates should be treated as confidential at minimum — with corresponding access controls and storage requirements.
Control 8.24 — Use of cryptography. This is the primary certificate control. It requires that rules for the effective use of cryptography are defined and implemented, covering key management throughout the lifecycle. For TLS specifically, this means documented policies covering which certificate types are approved, which CAs are authorised, acceptable key lengths and algorithms, and how certificates are renewed and retired. An auditor will check that the policy exists and that actual practice matches it.
Control 8.20 — Networks security. Requires that networks are managed and controlled to protect information. Weak TLS configuration — outdated protocol versions, deprecated cipher suites, missing security headers — is a network security finding under this control.
Control 5.30 — ICT readiness for business continuity. Certificate expiry causing service unavailability is a business continuity failure. The control requires that ICT readiness is planned and tested. Certificate monitoring and renewal processes should be documented as part of business continuity planning.
What auditors actually look for
A well-prepared auditor assessing certificate management will typically ask for:
The certificate inventory. Show me your list of certificates. Where are they? Who owns them? When do they expire? What are your alert thresholds? An inventory that exists only in someone's head, in a spreadsheet whose "last updated" date is anything but recent, or that notably omits entire categories of certificates (internal services, supplier systems, staging environments) will generate a finding.
Evidence of monitoring. Do you have evidence that alerts fired before recent certificate renewals? Were those alerts acted upon in a timely way? A renewal completed with hours to spare on an alert that fired 14 days ago suggests the process worked but was uncomfortably close. A renewal completed after expiry is a nonconformity.
Key management documentation. Where are private keys stored? Who has access? How are they protected? For certificates on cloud platforms, in HSMs, or in configuration management systems, the auditor will want to see that access is controlled and logged.
CA authorisation policy. Does your cryptography policy specify which CAs are authorised to issue certificates for your domains? Are there controls (CAA DNS records, CA pinning, purchase approval workflows) that enforce those restrictions? An organisation that claims to authorise only a specific set of CAs but has Let's Encrypt certificates scattered across shadow IT services has a gap between policy and practice.
Algorithm and key length requirements. Are all certificates using approved algorithms and key lengths? RSA-2048 is acceptable today; RSA-1024 and MD5-signed certificates are findings. A scan across all certificates for algorithm compliance is a reasonable audit step.
TLS configuration on externally facing services. Auditors with technical knowledge will check whether TLS 1.0 or 1.1 is enabled, whether weak cipher suites are offered, and whether security headers are present. These are testable in minutes with freely available tooling, so auditors who do not check these themselves may use external assessment results as evidence.
Common findings in certificate management
Based on recurring patterns in ISO 27001 audits, the most frequent certificate-related findings are:
- Incomplete or unmaintained inventory. The inventory exists but has not been updated since the last audit. Certificates that have been added or removed since then are not reflected.
- No defined ownership. Certificates exist in the inventory without a clear owner or responsible team. When auditors ask who would act if the certificate expired tomorrow, the answer is unclear.
- Alert thresholds that are too short. Alerts configured to fire 7 or 14 days before expiry leave insufficient time for renewal processes that involve change management approvals or vendor coordination.
- Weak TLS configuration on non-primary services. Production services are often well-configured. Staging environments, internal tools, and partner integration endpoints are frequently running outdated TLS versions.
- Private key access not logged. Access to private keys should be logged. In many organisations, certificates and keys are stored in places — shared file systems, unmonitored vaults, configuration files — where access is not auditable.
- No evidence of testing the renewal process. The process is documented but has never been tested. Auditors looking for evidence of testing will not find it.
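The findings above, together with the CA authorisation and algorithm requirements under 8.24, can be turned into a policy-as-code scan over the certificate inventory. The following is added example code, not CertControl's or the original article's; the approved-CA names, the 30-day minimum alert lead time, the 90-day record-staleness window, the SHA-1 ban and the sample inventory are all assumptions constructed for the example.

```python
from collections import namedtuple
from datetime import date

# Policy thresholds below are assumptions for this example, not values taken from ISO 27001.
POLICY = {
    "approved_cas": {"Corp Internal CA", "Approved Public CA"},
    "min_alert_days": 30,            # 7- or 14-day alerts are the recurring finding
    "min_rsa_bits": 2048,            # RSA-1024 is a finding
    "banned_sig_hashes": {"md5", "sha1"},
    "max_record_age_days": 90,       # inventory record not re-verified within this window
}
CertRecord = namedtuple("CertRecord", "name issuer not_after key_algo key_bits sig_hash owner alert_days last_verified")

def audit_record(rec, today, policy=POLICY):
    """Return (Annex A control, message) findings for one inventory record."""
    f = []
    if not rec.owner:
        f.append(("5.9", "no defined owner"))
    if (today - rec.last_verified).days > policy["max_record_age_days"]:
        f.append(("5.9", "inventory record not verified within policy window"))
    if rec.alert_days < policy["min_alert_days"]:
        f.append(("5.30", f"alert threshold {rec.alert_days}d is below policy minimum"))
    if rec.issuer not in policy["approved_cas"]:
        f.append(("8.24", f"issuer '{rec.issuer}' is not an authorised CA"))
    if rec.key_algo.upper() == "RSA" and rec.key_bits < policy["min_rsa_bits"]:
        f.append(("8.24", f"RSA-{rec.key_bits} is below minimum key length"))
    if rec.sig_hash.lower() in policy["banned_sig_hashes"]:
        f.append(("8.24", f"{rec.sig_hash.upper()}-signed certificate"))
    days_left = (rec.not_after - today).days
    if days_left < 0:
        f.append(("5.30", f"expired {-days_left}d ago: nonconformity"))
    elif days_left <= rec.alert_days:
        f.append(("5.30", f"expires in {days_left}d, inside the alert window"))
    return f

def audit_inventory(records, today, policy=POLICY):
    """Map certificate name -> findings; compliant records are omitted."""
    return {r.name: f for r in records if (f := audit_record(r, today, policy))}

# Constructed sample inventory; hostnames, issuers and dates are made up.
TODAY = date(2024, 6, 1)
SAMPLE = [
    CertRecord("www.example.com", "Approved Public CA", date(2025, 1, 15), "RSA", 2048, "sha256", "Web Platform", 45, date(2024, 5, 20)),
    CertRecord("staging-api.example.com", "Let's Encrypt", date(2024, 6, 10), "RSA", 2048, "sha256", "", 7, date(2024, 1, 5)),
    CertRecord("legacy-intranet.example.com", "Corp Internal CA", date(2024, 5, 20), "RSA", 1024, "md5", "IT Ops", 30, date(2024, 5, 25)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE, TODAY).items():
        print(name, *[f"[A.{c}] {m}" for c, m in findings], sep="\n  ")
```

Run against a real inventory export, the per-control tags make it straightforward to hand an auditor evidence grouped by the control they are assessing.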
Building audit-ready certificate management
The goal is not just to pass an audit — it is to have a genuinely well-managed certificate estate that happens to be easy to demonstrate during an audit. The practical difference is that genuine management produces natural evidence: alert logs, renewal records, inventory updates, configuration scan results. An organisation that manages certificates well will have this evidence as a side effect of its normal operations. An organisation that manages certificates poorly will be scrambling to assemble evidence every audit cycle.
CertControl produces the evidence naturally. The inventory updates automatically. Alerts are logged with timestamps. Reports covering expiry status, TLS configuration compliance, and certificate chain health are available on demand. When an auditor asks for the certificate management evidence package, the answer is a few clicks rather than a weekend of spreadsheet work.