TLS certificates have become a standard item on the audit agenda — and not just in ISO 27001 assessments. NIS2 supervisory reviews, ISAE 3000 reporting, internal audits, and supplier evaluations are all starting to ask specific questions about how organisations manage their certificates.

Many IT managers and CISOs discover this too late: the question auditors ask is not "do you have TLS?" but "can you demonstrate that you manage your TLS systematically?"

What ISO 27001 requires

ISO 27001:2022 Annex A Control 8.24 explicitly addresses the use of cryptography and key management. Control 8.20 covers network security, including TLS configuration. Controls 5.9 and 5.10 address asset inventory and acceptable use.

Auditors will typically ask:

  • Do you have a policy governing the use of cryptography and certificates?
  • Are all certificates inventoried — who owns them, when do they expire?
  • Is there a defined renewal process with clear ownership?
  • Can you demonstrate that renewals are completed on time?
  • What happens to certificates that are no longer in use?

What NIS2 supervisors look for

NIS2 supervision is more process-oriented than ISO 27001. Supervisors will examine whether the organisation has a functioning risk management system — and certificates are a measurable, concrete part of that picture.

Questions that commonly come up:

  • Do you have a complete asset register covering your information systems and the certificates they use?
  • Have you documented the risks associated with certificate expiry and TLS configuration?
  • What controls ensure that certificates are renewed before they expire?
  • Can you show an incident history and what actions were taken?
  • What is your procedure for reporting a certificate-related incident?

The questions organisations struggle to answer

Based on audit conversations, there are typically three questions that organisations find hardest to answer convincingly:

"Are you confident your certificate inventory is complete?" — "We think it's complete" is not a satisfactory answer. Auditors want to understand the process: how do you know there are no certificates you are unaware of? Automated scanning and Certificate Transparency log monitoring are the only answers that hold up.

"What happened the last time a renewal failed or ran late?" — If you do not have a system that logs this, you cannot answer. A blank response signals that you do not know — not that nothing happened.

"Who is responsible for certificate X?" — For certificates on systems hosted by vendors or provisioned by teams outside IT, the answer is often unclear. That is a red flag for any auditor.

What actually impresses auditors

Organisations that consistently do well on this topic share a remarkably consistent set of practices:

  • They can pull a current report of all certificates — with status and expiry dates — in a few clicks
  • They can show a time series demonstrating that monitoring has run continuously
  • They have a documented, named owner for each certificate
  • They can show that alerts are working — for example by pulling up recent notification logs
  • They have a written certificate incident procedure — short and operational

None of these requirements are difficult to meet with the right tooling. They are very difficult to meet with spreadsheets and calendar reminders.

Preparing for an audit: checklist

  • Complete certificate inventory with expiry dates, owners, and associated systems
  • Documented monitoring status — when did the last scan run?
  • Alert configuration — who receives notifications, and at what thresholds?
  • Incident procedure for certificate expiry and compromise
  • List of vendor certificates on your domains
  • Report on expired certificates over the past 12 months and what action was taken
  • Cryptography policy with references to TLS standards and certificate requirements
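As an added example (not CertControl's code or the page's own), the following Python check turns scanner output into the evidence the checklist and the "what impresses auditors" list ask for: days to expiry measured against alert thresholds, certificates with no named owner, and a report of expiries in the past 12 months, all stamped with the run time. The hosts, owners, dates and threshold values are constructed for the example.

```python
import ssl
from datetime import datetime, timezone

# Alert thresholds in days before expiry, most urgent first (assumed values).
THRESHOLDS = {"critical": 7, "warning": 14, "notice": 30}

# Constructed inventory; "notAfter" is in the format ssl.getpeercert() returns.
INVENTORY = [
    {"host": "www.example.com", "owner": "web-team@example.com",
     "notAfter": "Jul 15 12:00:00 2026 GMT"},
    {"host": "api.example.com", "owner": "",  # no named owner
     "notAfter": "Jun  5 09:30:00 2026 GMT"},
    {"host": "staging.example.com", "owner": "platform@example.com",
     "notAfter": "May 20 00:00:00 2026 GMT"},
    {"host": "legacy.example.com", "owner": "vendor-x",
     "notAfter": "Jan  3 00:00:00 2026 GMT"},
]
# Fixed reference time so the run is reproducible; production uses now().
AUDIT_DATE = datetime(2026, 6, 1, tzinfo=timezone.utc)

def days_until_expiry(not_after, now):
    # Whole days until notAfter; negative once the certificate has expired.
    ts = ssl.cert_time_to_seconds(not_after)
    return (datetime.fromtimestamp(ts, tz=timezone.utc) - now).days

def classify(days_left):
    if days_left < 0:
        return "expired"
    for level, limit in THRESHOLDS.items():
        if days_left <= limit:
            return level
    return "ok"

def build_report(inventory, now):
    # One row per certificate, stamped with the run time for the audit trail.
    rows = []
    for rec in inventory:
        days = days_until_expiry(rec["notAfter"], now)
        rows.append({"host": rec["host"], "owner": rec["owner"] or None,
                     "days_left": days, "status": classify(days)})
    return {"generated_at": now.isoformat(), "certificates": rows}

def audit_findings(report):
    # Pending alerts, certificates with no owner, expiries in the last 12 months.
    rows = report["certificates"]
    return {
        "alerts": [r["host"] for r in rows if r["status"] in THRESHOLDS],
        "no_owner": [r["host"] for r in rows if r["owner"] is None],
        "expired_12m": [r["host"] for r in rows if -365 <= r["days_left"] < 0],
    }
```

Run daily and keep each report; the series of `generated_at` stamps is the continuous-monitoring evidence, and the findings feed the alert and incident records.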

What CertControl delivers for the audit

The checklist and the three hard questions above are precisely what CertControl addresses — not as audit preparation, but as a side effect of running normal operations:

  • "Are you confident your certificate inventory is complete?" — CertControl queries Certificate Transparency logs and runs active network scanning continuously. The inventory updates automatically when new certificates are issued. The answer to the auditor's question is a report, not an apology.
  • "What happened the last time a renewal failed or ran late?" — CertControl logs every event with a timestamp: when alerts fired, who they were sent to, when certificates were renewed or expired. Because the log is written as events occur rather than reconstructed after the fact, it is difficult to dispute.
  • "Who is responsible for certificate X?" — Every certificate in CertControl has a named owner assigned in the system. The answer is in the platform, not in someone's head.
  • Complete certificate overview with expiry dates and status in a few clicks. The executive report in CertControl shows certificate status, expiry forecasts, and compliance scores. It can be generated on demand and exported — not pieced together from disparate systems the night before an audit.
  • TLS configuration scanning across all endpoints. Cipher suites, protocol versions, and security headers are checked automatically. Weak configurations on staging environments and internal systems — the classic audit red flag — surface as findings in CertControl without any manual scanning.