Proper use of encryption and key management.
A statement of what the organization should achieve. ISO/IEC 27002:2013
Reporting and learning from security events. Proper use of encryption and key management