A cryptographic policy is a document that describes your organization's encryption strategy. It defines which cryptographic algorithms and key lengths are approved (and which are prohibited or being phased out), how keys are generated, distributed, stored, rotated and destroyed, and which data must be encrypted, at rest and in transit. The policy typically follows the BSI recommendations in TR-02102 or NIST guidance such as SP 800-57 on key management. In your ISMS it forms the basis for the encryption-related Annex A controls of ISO/IEC 27001 (A.8.24, Use of cryptography, in the 2022 edition). Keep the policy current and review it on a fixed schedule: cryptographic recommendations evolve, key lengths that were once adequate are withdrawn, and post-quantum cryptography now features in both BSI and NIST recommendations. An outdated policy that still approves weak algorithms is worse than no policy at all, because it gives those algorithms formal sanction and engineers and auditors will treat them as compliant.