Your browser does not allow storing cookies. We recommend enabling them.

ISACA SSH Audit: Practitioner Considerations Guidance


ISACA and SSH Communications Security have partnered in an effort to bring visibility to an unknown access gap - SSH keys. Contributions for the guidance have come directly from practitioners, industry experts and SSH Communications Security to help the audit community be able to identify potential risks and then how to take action to address assurance considerations. The collective compliance and audit community have been able to leverage best practices in order to deliver a new guidance titled “SSH: Practitioner Considerations.”

SSH keys are everywhere in enterprises and they aren’t just an IT issue. Many organizations are unknowingly putting themselves at risk of not properly managing SSH keys and when combined with new compliance regulations such as GDPR the risks can easily be compounded.


Given the fact that organizations have their own unique infrastructure, SSH keys remains the common technology deployed across all regardless of industry or geography. As a result of years of unmanaged deployments, out of the box enabled access and proliferating from one infrastructure component to the next, it is now more critical than ever to bring awareness to SSH keys.

The guidance is designed to help bring about awareness and instructs auditors, practitioners, risk assessors and governance professionals to include SSH keys in their risk plans, audit plans and ongoing governance activities.

How the guidance can assist audit engagements

The guidance is a tool for audit and compliance professionals and it provides clear direction on why and how SSH keys need to be part of their compliance, audit and governance assessments. The document highlights, from an assurance point of view, the need to assess SSH keys and usage, associated privileged identity, complete logging and compliance. It also suggests controls, configuration options and other techniques to ensure robust and compliant management of SSH keys with actions to consider for the following:

  1. Usage procedures: Implement access periodic reviews, document and disseminate security policies and standards and implement required IT controls.
  2. Configuration Management: Create and Implement hardening configuration, periodically review the configuration, consider automated tools to manage configuration and apply integrity control checks and monitoring over critical files.
  3. Ownership and accountability: Who owns SSH key management? Defined roles and responsibilities.
  4. Deployment: Automation is critical for the success of SSH key deployments, standardization is required and access restrictions are required.
  5. Provisioning: Inventory of keys, usage tracking and make part of the overall provisioning of users and accounts.
  6. Governance: SSH keys are part of the overarching risk assessment process and part of IT audit plans.


The use of SSH keys is everywhere! It is a critical component but it is often overlooked and has created an “Unknown Access Gap”. SSH Communications Security is uniquely positioned to be able to address a potential customer’s compliance and security needs for SSH keys with our proven solutions. Our solutions provide practitioners with the steps needed to ensure SSH usage is not ignored and that sufficient controls are in place to ensure continuous compliance.

By using our solutions, compliance professionals are able to get ahead of auditors and regulators all while mitigating security and accessing risk. We can assure our customers and prospects that we are committed to support them every step of the way in addressing the “Unknown Access Gap” created by mismanaged SSH keys!

Download the official ISACA guidance

Download the ISACA guidance


As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

Read more about ISACA

Other sources of information

What are industry experts saying about the Guidance? Below are links to reputable and worthwhile articles by expert journalist in the audit and security industry:




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now