CRY-14 Secure Deactivation of Cryptographic Keys
CRY-14.01B
1. Overview
| Summary | Standard |
| CRY-14.01B | The cloud service provider has documented and implemented procedures to deactivate cryptographic keys. These procedures ensure that: 1. Expired keys are no longer used for encryption purposes, but may still be used for decryption if necessary; 2. Expired keys are no longer used for signature creation, but may still be used for signature verification; 3. Deactivated keys are eventually destroyed when they are no longer required, with relevant metadata retained for auditing; and 4. All actions related to key deactivation and destruction are recorded in the key management system to maintain a detailed audit log. |
1.1 References
1.2 Identified Requirements
1.2 Related Regulation
2. Identified Requirements
Requirements
| Source | Requirement |
3. Related Regulations
Regulations
| Source | Regulation |