ISO/IEC 27099 — Information technology — Security techniques — Public key infrastructure Practices and policy framework [DRAFT]


The standard will identify information security management requirements for PKI Trust Service Providers (essentially, Certification Authorities) through one or more Certificate Policies, Certificate Practice Statements and (if applicable) ISMSs, according to the information risks.


Scope of the standard [as proposed]

The standard will support the full lifecycle of public key certificates used for digital signatures, authentication and encryption.

It will not address authentication methods, non-repudiation or key management protocols, nor attribute certificates.

It will distinguish PKI systems used in closed, open and contractual environments.

It will facilitate the implementation of operational baseline controls and practices in a contractual environment, and potentially in open or closed environments as well.

It will be applicable to root and intermediate certification authorities, not just those issuing certificates directly to users.


Content of the standard

The project started in 2018. The standard is due to be published at the end of 2021.

It is currently at 2nd Working Draft stage.


Personal notes

It will be interesting to see whether the standards project team elaborates on a broad range of information risks in this context, or is fixated on ICT. Either way, there are many!



Copyright © 2019 IsecT Ltd.