Information security policies
ISO/IEC 27099

Search this site

Security awareness content

ISO/IEC 27099 — Information technology — Security techniques — Public key infrastructure Practices and policy framework [DRAFT]


The standard will identify information security management requirements for Public Key Infrastructure Trust Service Providers and Certification Authorities through one or more Certificate Policies, Certification Practice Statements and (if applicable) Information Security Management Systems, according to the information risks.

The standard will describe a PKI management framework, building on and generalising ISO 21188 on PKI for financial services.


Scope of the standard

The standard will support the full lifecycle of public key certificates used for digital signatures, authentication and encryption.

It will not address authentication methods, non-repudiation or key management protocols, nor attribute certificates. 

It will distinguish PKI systems used in closed, open and contractual environments.

It will facilitate the implementation of operational, baseline controls and practices in a contractual environment, and potentially open or closed environments also. 

It will be applicable to root and intermediate CAs, not just those issuing certificates directly to users.


Content of the standard

Over 100 pages.


The project started in 2018.  The standard is likely to be published during 2021.

It is currently at 2nd Committee Draft stage.  A shorter title has been proposed: “Information technology Public key infrastructure Practices and policy framework”.


Personal notes

It will be interesting to see whether the standard addresses a broad range of information risks in this context, or is fixated on IT. Either way, there are many!


< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2020 IsecT Ltd.