Glossary

CRL/OCSP

Updated on · 1 min read · Reviewed by: Cenedril Editorial

CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) are mechanisms for checking whether a digital certificate has been revoked. The CRL is a periodically published list of all revoked certificates from a certificate authority; OCSP provides the status of individual certificates in real time.

In an ISMS context, CRL and OCSP belong to the cryptography policy under ISO 27001 Annex A control A.8.24 (Use of Cryptography). Revoked certificates — for instance after a key compromise or employee departure — must be reliably detected so that encrypted connections and digital signatures remain trustworthy. OCSP stapling reduces dependency on external OCSP servers and improves performance. Regularly verify that your systems actually perform CRL/OCSP checks.