ISO/IEC 27099 — Information technology — Security techniques — Public key infrastructure — Practices and policy framework [DRAFT]
The standard will identify information security management requirements for PKI Trust Service Providers (essentially, Certification Authorities) through one or more Certificate Policies, Certificate Practice Statements and (if applicable) ISMSs, according to the information risks.
Scope of the standard [as proposed]
The standard will support the full lifecycle of public key certificates used for digital signatures, authentication and encryption.
It will not address authentication methods, non-repudiation or key management protocols, not attribute certificates.
It will distinguish PKI systems used in closed, open and contractual environments.
It will facilitate the implementation of operational, baseline controls and practices in a contractual environment, and potentially open or closed environments also.
It will be applicable to root and intermediate certification authorities, not just those issuing certificates directly to users.
Content of the standard
The standards project started in June 2018. It is unlikely to be published before 2021.
It will be interesting to see whether the standards project team elaborates on a broad range of information risks in this context, or is fixated on ICT. Seems to me there are
< Previous standard ^ Up a level ^ Next standard >