If you use encryption, you need a real process for creating, storing, rotating, and retiring the keys.
What it actually means
Encryption is only as strong as its key management. Establish and manage cryptographic keys: generate them properly, store them securely, control who can access them, and rotate or retire them. For small shops this often means leaning on managed services — your cloud KMS, BitLocker or FileVault recovery-key escrow — and documenting how keys are handled.
Pass or fail — an assessor needs a "yes" to each
- Do you have a documented process for generating, storing, and rotating keys?
- Is access to keys restricted to authorized admins?
What to have ready
- Key-management procedure, or your KMS configuration
- Evidence of key storage protection and access restriction
Where teams trip up
- Encryption keys or recovery keys stored in plaintext next to the data
- No rotation or ownership defined
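An added example, not from the original page, that turns the two pass/fail questions and the two common failures above into a repeatable check: a small Python audit over a constructed key inventory (the kind of listing a cloud KMS or a BitLocker/FileVault escrow export gives you). The 365-day rotation interval, the three-admin ceiling and the "kms" storage label are assumed values standing in for whatever your own documented procedure specifies.

```python
from datetime import date, timedelta

# Constructed key inventory records (example data, not from any real KMS).
INVENTORY = [
    {"id": "db-volume-key", "owner": "storage-team", "created": date(2023, 1, 10),
     "last_rotated": date(2024, 1, 10), "storage": "kms", "admins": ["alice", "bob"]},
    {"id": "laptop-recovery-keys", "owner": None, "created": date(2022, 6, 1),
     "last_rotated": None, "storage": "plaintext", "admins": ["everyone"]},
    {"id": "backup-key", "owner": "it-ops", "created": date(2021, 3, 3),
     "last_rotated": date(2021, 3, 3), "storage": "kms", "admins": ["carol"]},
]

MAX_KEY_AGE = timedelta(days=365)  # assumed rotation interval from the written procedure
MAX_ADMINS = 3                     # assumed ceiling for "restricted to authorized admins"
AUDIT_DATE = date(2024, 6, 1)      # fixed "today" so the run is reproducible


def audit_key(key, today):
    """Return the findings for one key record; an empty list means it passes."""
    findings = []
    if not key.get("owner"):
        findings.append("no owner defined")
    # A key that was never rotated is as old as its creation date.
    rotated = key.get("last_rotated") or key["created"]
    if today - rotated > MAX_KEY_AGE:
        findings.append("rotation overdue")
    # Anything not held in the KMS/escrow is treated as "stored next to the data".
    if key.get("storage") != "kms":
        findings.append("stored outside KMS/escrow")
    admins = key.get("admins", [])
    if "everyone" in admins or len(admins) > MAX_ADMINS:
        findings.append("access not restricted")
    return findings


def audit_inventory(inventory, today):
    """Map each key id to its list of findings."""
    return {k["id"]: audit_key(k, today) for k in inventory}


def run_audit():
    return audit_inventory(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for key_id, findings in run_audit().items():
        print(key_id, "PASS" if not findings else "; ".join(findings))
```

Keys that come back with an empty list are the ones you can show an assessor as evidence; the others are the gaps your procedure needs to close.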