ISO/IEC 27099 — Information technology — Security techniques — Public key infrastructure — Practices and policy framework [DRAFT]
The standard will identify information risk and security management requirements for Public Key Infrastructure Trust Service Providers and Certification Authorities through one or more Certificate Policies, Certification Practice Statements and (if applicable) Information Security Management Systems.
The standard will describe a PKI management framework, building on and generalising ISO 21188:
“This document is derived from the earlier standard ISO 21188 on Public key infrastructure for financial services — Practices and policy framework, which has been generalised in this document to be applicable to any application domain and to take into account general standards for information security.” [quoted from the 2nd CD]
Scope of the standard
The standard will support the full lifecycle of public key certificates used for digital signatures, authentication and encryption.
It will not address authentication methods, non-repudiation or key management protocols, nor attribute certificates.
It will distinguish PKI systems used in closed, open and contractual environments.
It will facilitate the implementation of operational, baseline controls and practices in a contractual environment, and potentially in open or closed environments as well.
It will be applicable to root and intermediate CAs, not just those issuing certificates directly to users.
Content of the standard
Over 120 pages!
The 2nd CD has 3 main sections and 6 informative annexes:
5 Public key infrastructure (PKI) general concepts
6 Certificate policy (CP), certification practice statement (CPS) and information security management system (ISMS) requirements for PKI service providers
7 Certification authority [control] objectives and controls (~50 pages)
Annex A Management by certificate policy
Annex B Elements of a certification practice statement - Mapping of ISO/IEC 27099 to RFC 3647
Annex C CA key generation ceremony
Annex D Certification authority audit journal contents and use
Annex E Certificate and PKI roles
Annex F Changes to ISO 21188 to produce ISO/IEC 27099
The project started in 2018. The standard is due to be published during 2021.
To comply with an ISO rule that titles can have no more than 3 parts, the standard will be: “Information technology — Public key infrastructure — Practices and policy framework”.
It is currently at 2nd Committee Draft stage.
It will be interesting to see whether the standard addresses a broad range of information risks in this context, or is fixated on IT. Either way, there are many such risks, hence the lengthy draft.
Use of the word “shall” in the controls in section 7 suggests that this standard may be used for compliance auditing, perhaps even accredited certification, of Certification Authorities etc., although that possibility or intent is not specified in the standard (at least I haven’t spotted it).