The ACSC Essential Eight and Website Certificate Management
The Australian Cyber Security Centre's Essential Eight framework addresses certificate management through patch management and application hardening. Here's how SSL monitoring fits in.
ISO 27001 is the international standard for Information Security Management Systems (ISMS). It's the benchmark for organisations that need to demonstrate structured, auditable security to clients, partners, and regulators. And it has specific requirements for cryptographic controls — including SSL certificate management.
Disclaimer: This post is for informational purposes only and does not constitute legal or compliance advice. Control numbers and requirements referenced are from ISO/IEC 27001:2022 (the current version of the standard) — verify against your specific version and consult a qualified ISO 27001 auditor for certification guidance.
This post is written for security managers, IT managers, and compliance teams at Australian organisations that are either ISO 27001 certified or working toward certification.
Where SSL Certificates Appear in ISO 27001
ISO 27001:2022 addresses cryptographic controls through Annex A Control 8.24: Use of cryptography.
The control states:
"Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented." — ISO/IEC 27001:2022, Annex A, Control 8.24
SSL/TLS certificates are cryptographic credentials. They are the mechanism by which your organisation authenticates its web services to users and establishes encrypted connections. They fall squarely within the scope of Control 8.24.
Additionally, Control 8.9 (Configuration management) and Control 8.8 (Management of technical vulnerabilities) are relevant — the TLS configuration of your web servers and the patching of SSL/TLS libraries must be managed as part of these controls.
What Auditors Expect for Certificate Management
When an ISO 27001 certification audit covers your cryptographic controls, auditors will look for:
1. A Cryptographic Policy or Procedure
You need a documented policy that addresses:
- Which cryptographic algorithms and key lengths are approved for use
- The approved TLS versions (1.2 minimum; 1.3 recommended)
- Approved Certificate Authorities
- Minimum certificate validity periods
- The certificate renewal process
- Who is responsible for certificate management
This doesn't need to be a lengthy document — a clear, concise procedure with defined ownership is what auditors want to see.
2. A Certificate Inventory
Auditors will ask: "How many SSL certificates does your organisation have, and can you account for all of them?"
Your certificate inventory should record:
- Domain/service name
- Certificate type (DV, OV, EV)
- Issuing CA
- Issue date
- Expiry date
- Renewal method (auto/manual)
- Owner (who is responsible for renewal)
- Location (which server, hosting account, or CDN)
This inventory should be kept current. A certificate that exists but isn't in your inventory is a control gap — auditors will find it if they do their own scan.
3. Evidence of Active Monitoring
A certificate inventory that isn't monitored is a static snapshot that becomes inaccurate over time. Auditors at higher-maturity organisations will expect to see evidence that certificate status is actively monitored, including:
- Monitoring tool configuration (showing all certificates are being checked)
- Alert history (showing notifications were sent before expiry)
- Response records (showing alerts were acted upon)
This is the difference between a control that exists on paper and a control that's operating effectively. ISO 27001 requires evidence of effectiveness, not just existence.
4. A Defined Renewal Process
Auditors will walk through your renewal process. Questions include:
- Who receives the renewal alert?
- What is the procedure when an alert fires?
- Who has access to the hosting/CDN accounts to perform renewal?
- What is the escalation path if the primary owner is unavailable?
- Is the renewal tested before the old certificate expires?
A common gap: the renewal process is understood by one person and not documented. When that person is unavailable (holiday, illness, resignation), the process fails.
5. Access Controls to Certificate Management
Control 5.15 (Access control) and Control 8.2 (Privileged access rights) require that access to systems and credentials is controlled. This extends to:
- Hosting account credentials used for certificate renewal
- Private keys (must not be shared unnecessarily)
- CA account credentials
- CDN control panels where certificates are installed
Document who has access to each system in your certificate management workflow.
Building an ISO 27001-Aligned Certificate Management Program
Step 1: Inventory
Scan all your public-facing domains using a tool or manually with openssl. Include:
- Production domains and subdomains
- Staging and test environments accessible from the internet
- API endpoints
- Email server certificates (SMTP, IMAP)
- VPN endpoints
- Any internal systems with externally accessible interfaces
Step 2: Classify by Risk
Not all certificates carry equal risk. Classify them:
Critical: Production customer-facing systems, payment processing, authentication services. These require the most stringent controls and monitoring.
Important: Internal systems with external access, API services, staging environments used for customer demos. Require monitoring but may have longer alert lead times.
Low: Development environments, internal-only services. Require inventory tracking but less intensive monitoring.
Step 3: Define Ownership
Every certificate in your inventory must have a named owner — a person or team responsible for renewal. The owner is responsible for:
- Receiving expiry alerts
- Initiating the renewal process
- Verifying successful renewal
- Updating the inventory
Without named ownership, responsibility is diffuse and gaps occur.
Step 4: Implement Monitoring
Set up automated monitoring for all Critical and Important certificates. Monitoring should:
- Check certificate status at a defined interval (hourly or 6-hourly for critical systems)
- Alert the certificate owner at defined thresholds (30, 14, 7, 1 days before expiry)
- Generate logs that can be exported as evidence for auditors
Step 5: Define and Test the Renewal Process
Document the step-by-step renewal process for each certificate type. Then test it:
- Can the owner complete the renewal independently?
- Are all required credentials accessible?
- Is there a backup owner if the primary is unavailable?
- How long does renewal take from start to finish?
Step 6: Establish Review Cadence
Quarterly: Review certificate inventory for accuracy. Confirm all certificates are present and correctly attributed.
Annually: Review the cryptographic policy for continued relevance. Assess whether approved TLS versions and cipher suites remain current with industry guidance.
After significant changes: Any infrastructure change (new hosting provider, CDN change, new domain) should trigger a certificate inventory update.
Integrating with Your ISMS
Certificate management shouldn't exist as a standalone process — it should be integrated with:
Change management (Control 8.32): Certificate renewals and configuration changes should go through your change management process for critical systems.
Incident management (Control 5.26): An expired certificate causing downtime is a security incident. Document it, conduct root cause analysis, and implement corrective action.
Supplier management (Control 5.19): Your Certificate Authority and hosting providers are suppliers whose security practices affect your certificate management.
Risk management: Expired certificate risk should be documented in your risk register with the controls (monitoring) that mitigate it.
Common ISO 27001 Audit Findings for Certificate Management
The following are illustrative examples of certificate-related gaps commonly identified during ISO 27001 audits. Specific findings vary by organisation and certifying body:
Finding: Certificate inventory is incomplete — not all domains are documented. Corrective action: Automated scanning of all IP ranges and DNS records to discover unmanaged certificates.
Finding: No evidence of proactive monitoring — certificates are only checked manually. Corrective action: Implement automated monitoring with documented alert history.
Finding: Certificate renewal process has a single point of failure (one person with access). Corrective action: Cross-train a backup owner; store credentials in a team-accessible password manager.
Finding: Staging environment has self-signed or expired certificate, accessible from internet. Corrective action: Either secure with valid certificate or restrict internet access.
CertGuard provides the monitoring infrastructure and exportable logs that support ISO 27001 Control 8.24 evidence requirements. For organisations building a certificate management program, it provides continuous checking, alert history, and a certificate inventory view across all monitored domains.
Contact us to discuss how CertGuard can support your ISO 27001 certification.
Monitor Your SSL Certificates Automatically
CertGuard monitors your certificates automatically and alerts you before anything expires. Free for up to 3 domains.
Start Free →Related Articles
Certificate Transparency Logs: What They Reveal About Your Domain's Security
Certificate Transparency logs are public records of every SSL certificate ever issued for your domain. Here's what they reveal and how to use them to spot security threats.
What Is a Certificate Authority and Why Should You Trust It?
Certificate authorities are the backbone of web security — but not all of them carry the same weight. Here's what Australian businesses need to know before buying or issuing an SSL certificate.