ISO/IEC 27099



ISO/IEC 27099 — Information technology — Security techniques — Public key infrastructure Practices and policy framework [DRAFT]



The standard will identify information risk and security management requirements for Public Key Infrastructure Trust Service Providers and Certification Authorities through one or more Certificate Policies, Certification Practice Statements and (if applicable) Information Security Management Systems.

The standard will describe a PKI management framework, building on and generalising ISO 21188:

“This document is derived from the earlier standard ISO 21188 on Public key infrastructure for financial services — Practices and policy framework, which has been generalised in this document to be applicable to any application domain and to take into account general standards for information security.” [quoted from the 2nd CD]

Scope of the standard

The standard will support the full lifecycle of public key certificates used for digital signatures, authentication and encryption.

It will not address authentication methods, non-repudiation or key management protocols, nor attribute certificates.

It will distinguish PKI systems used in closed, open and contractual environments.

It will facilitate the implementation of baseline operational controls and practices in a contractual environment, and potentially in open or closed environments too.

It will be applicable to root and intermediate CAs, not just those issuing certificates directly to users.


Content of the standard

Over 120 pages!

The 2nd CD has 3 main sections and 6 informative annexes:

    5 Public key infrastructure (PKI) general concepts

    6 Certificate policy (CP), certification practice statement (CPS) and information security management system (ISMS) requirements for PKI service providers

    7 Certification authority [control] objectives and controls (~50 pages)

    Annex A Management by certificate policy

    Annex B Elements of a certification practice statement - Mapping of ISO/IEC 27099 to RFC 3647

    Annex C CA key generation ceremony

    Annex D Certification authority audit journal contents and use

    Annex E Certificate and PKI roles

    Annex F Changes to ISO 21188 to produce ISO/IEC 27099



The project started in 2018.

To comply with an ISO rule that titles can have no more than 3 parts, the standard will be: “Information technology — Public key infrastructure — Practices and policy framework”.

May update: it is currently at Draft International Standard stage and is due to be published towards the end of 2022.


Personal notes

It will be interesting to see whether the standard addresses a broad range of information risks in this context, or is fixated on IT. Either way, there are many, hence the lengthy draft.

Use of the word “shall” in the controls in section 7 suggests that this standard may be used for compliance auditing, perhaps even accredited certification, of Certification Authorities etc., although that possibility or intent is not explicit in the standard (at least I haven’t spotted it).



Copyright © 2021 IsecT Ltd.