Application of controls A.10.1.1 and A.10.1.2
Answer: If your organization makes use of digital certificates, both controls A.10.1.1 (Policy on the use of cryptographic controls) and A.10.1.2 (Key management) should be stated as applicable.
The reason for application of A.10.1.1 is because you should have clear rules about when, how, and by whom these certificates should be used, and how they should be managed.
As for A.10.1.2, the adoption of practices for protection of cryptographic keys should be included as a clause in the service agreement with the provider, so you can ensure they will provide at least the same level of protection as if your organization was managing the keys itself.
Please note that when stating a control as applicable, you could use as justification results of risk assessment, top management decision, or compliance with a legal or contractual requirement.
These articles will provide you with further explanation about providers and cryptographic controls:
- How to use the cryptography according to ISO 27001 control A.10
- Which security clauses to use for supplier agreements?
This material will also help you regarding providers and cryptographic controls:
- ISO 27001 Annex A Controls in Plain English
Jul 23, 2017