  • BSI
    21/30389093 DC BS ISO/IEC 27099. Information Technology. Public key infrastructure. Practices and policy framework
    Edition: 2021
    $80.37
    / user per year

Description of 21/30389093 DC 2021

This document sets out a framework of requirements to manage information security for PKI trust service providers through Certificate Policies, Certificate Practice Statements, and, where applicable, their internal underpinning by an ISMS. The framework of requirements includes the assessment and treatment of information security risks, tailored to meet the agreed service requirements of its users as specified through the certificate policy. This document is also intended to help trust service providers to support multiple Certificate Policies.

This document addresses the life-cycle of public key certificates that are used for digital signatures, authentication, or key establishment for data encryption. It does not address authentication methods, non-repudiation requirements, or key management protocols based on the use of public key certificates. For the purposes of this document, the term “certificate” refers to public key certificates. Attribute certificates are outside the scope of this document.

This document uses concepts and requirements of an ISMS as defined in the ISO/IEC 27000 family. It uses the code of practice for information security controls as defined in ISO/IEC 27002:2013. Specific PKI requirements (e.g. certificate content, identity proofing, certificate revocation handling) are not addressed directly by an ISMS such as that defined by ISO/IEC 27001.

The use of an ISMS or equivalent is adapted to the application of PKI service requirements specified in the Certificate Policy as described in the present document.

A PKI trust service provider is a special class of trust service for the use of public key certificates. A PKI trust service provider consists of one or more Certification Authorities providing a trust service with coherent policies and practices.

This document draws a distinction between PKI systems used in closed, open and contractual environments. This document facilitates the implementation of operational, baseline controls and practices in a contractual environment. While the focus of this document is on the contractual environment, application of this document to open or closed environments is not specifically precluded.

The document is organised as follows: Clause 5 provides guidance on the concepts used in this document. Clause 6 specifies requirements on the management of policies and practices applied by CAs. Clause 7 specifies requirements on the operation of CAs. The annexes are all informative.



About BSI

BSI Group, also known as the British Standards Institution, is the national standards body of the United Kingdom. BSI produces technical standards on a wide range of products and services and also supplies certification and standards-related services to businesses.
