CRY-14.01B

1. Overview

CRY-14.01B

The cloud service provider has documented and implemented procedures to deactivate cryptographic keys. These procedures ensure that:

1. Expired keys are no longer used for encryption purposes, but may still be used for decryption if necessary;
2. Expired keys are no longer used for signature creation, but may still be used for signature verification;
3. Deactivated keys are eventually destroyed when they are no longer required, with relevant metadata retained for auditing; and
4. All actions related to key deactivation and destruction are recorded in the key management system to maintain a detailed audit log.
Summary Standard

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation