ISO/IEC 27099

ISO/IEC 27099 – Information technology — Security techniques — Public key infrastructure — Policy framework and practices [Draft]

Introduction

In this standard, requirements will be outlined for Public Key Infrastructure Trust Service Providers, Certification Authorities, and Certification Practice Statements and, if necessary, Information Security Management Systems.

PKI management framework will be described in the standard, based on and generalising ISO 21188:

“This document is derived from the earlier standard ISO 21188 on Public key infrastructure for financial services — Practices and policy framework, which has been generalised in this document to apply to any application domain and to take into account general standards for information security.” [Extracted from the CD]

The scope of the standard

The standard includes support for the full lifecycle of digital certificates for use in digital signing, authentication, and encryption.

No authentication or non-repudiation techniques are addressed, nor are key management and attribute certificates addressed.

A PKI system used in a closed, open, or contractual environment will be distinguished.

It will allow for the implementation of operational, baseline controls and practices in both an open and closed environment.

In addition to CAs that issue certificates directly to users, it will also apply to root and intermediate CAs.

The content

There are over 120 pages!

The second CD contains three main sections and six informative annexes:

– Five general concepts of public key infrastructure (PKI)
For PKI service providers, there are six requirements relating to certificate policies (CPs), certification practice statements (CPSs) and information security management systems (ISMSs).
– 7 objectives for Certification Authority controls (~50-page document)
– Annex A: Management by certificate scheme
– Annex B: Certification Practice Statement Elements – ISO/IEC 27099 to RFC 3647 mapping
– Annex C: CA key generation ceremony
– Annex D: Certification authority audit journal contents and usage
– Annex E: PKI roles and certificates
– Annex F: Improvements to ISO 21188 to produce ISO/IEC 27099

The standard’s status

In 2018, the project began.

In compliance with ISO standards, the standard’s title will read: “Information technology – Public key infrastructure – Practices and policy framework”.

Currently, in the Draft International Standard phase, the publication is expected by the end of 2022.

Commentary

I look forward to seeing whether the standard covers a broad array of information risks in this context, or if it deals primarily with IT issues. Nonetheless, there are many, which is why the draft is lengthy.

Section 7 of the standard uses the word “shall” in the controls and suggests that this standard might be used for compliance auditing, perhaps even accredited certification, of Certification Authorities etc. However, this possibility or intent is not stated explicitly (at least not to my knowledge).