ISO/IEC 27099


ISO/IEC 27099 — Information technology — Security techniques — Public key infrastructure Practices and policy framework [DRAFT]


The standard will identify information security management requirements for PKI Trust Service Providers and Certification Authorities through one or more Certificate Policies, Certification Practice Statements and (if applicable) Information Security Management Systems, according to the information risks.

The standard will describe a PKI management framework, building on and generalising ISO 21188 on PKI for financial services.


Scope of the standard

The standard will support the full lifecycle of public key certificates used for digital signatures, authentication and encryption.

It will not address authentication methods, non-repudiation or key management protocols, nor attribute certificates. 

It will distinguish PKI systems used in closed, open and contractual environments.

It will facilitate the implementation of operational, baseline controls and practices in a contractual environment, and potentially in open or closed environments as well.

It will be applicable to root and intermediate CAs, not just those issuing certificates directly to users.


Content of the standard

Over 100 pages.


The project started in 2018. The standard is due to be published at the end of 2021.

It is currently at Committee Draft stage.


Personal notes

It will be interesting to see whether the standards project team elaborates on a broad range of information risks in this context, or is fixated on ICT. Either way, there are many!



Copyright © 2020 IsecT Ltd.