Connect with us

Hi, what are you looking for?

Regulation

ISO/IEC 27099

ISO/IEC 27099 – Information technology — Security techniques — Public key infrastructure — Policy framework and practices [Draft]

Introduction

In this standard, requirements will be outlined for Public Key Infrastructure Trust Service Providers, Certification Authorities, and Certification Practice Statements and, if necessary, Information Security Management Systems.

PKI management framework will be described in the standard, based on and generalising ISO 21188:

“This document is derived from the earlier standard ISO 21188 on Public key infrastructure for financial services — Practices and policy framework, which has been generalised in this document to apply to any application domain and to take into account general standards for information security.” [Extracted from the CD]

The scope of the standard

The standard includes support for the full lifecycle of digital certificates for use in digital signing, authentication, and encryption.

No authentication or non-repudiation techniques are addressed, nor are key management and attribute certificates addressed.

A PKI system used in a closed, open, or contractual environment will be distinguished.

It will allow for the implementation of operational, baseline controls and practices in both an open and closed environment.

In addition to CAs that issue certificates directly to users, it will also apply to root and intermediate CAs.

The content

There are over 120 pages!

The second CD contains three main sections and six informative annexes:

– Five general concepts of public key infrastructure (PKI)
For PKI service providers, there are six requirements relating to certificate policies (CPs), certification practice statements (CPSs) and information security management systems (ISMSs).
– 7 objectives for Certification Authority controls (~50-page document)
– Annex A: Management by certificate scheme
– Annex B: Certification Practice Statement Elements – ISO/IEC 27099 to RFC 3647 mapping
– Annex C: CA key generation ceremony
– Annex D: Certification authority audit journal contents and usage
– Annex E: PKI roles and certificates
– Annex F: Improvements to ISO 21188 to produce ISO/IEC 27099

The standard’s status

In 2018, the project began.

In compliance with ISO standards, the standard’s title will read: “Information technology – Public key infrastructure – Practices and policy framework”.

Currently, in the Draft International Standard phase, the publication is expected by the end of 2022.

Commentary

I look forward to seeing whether the standard covers a broad array of information risks in this context, or if it deals primarily with IT issues. Nonetheless, there are many, which is why the draft is lengthy.

Section 7 of the standard uses the word “shall” in the controls and suggests that this standard might be used for compliance auditing, perhaps even accredited certification, of Certification Authorities etc. However, this possibility or intent is not stated explicitly (at least not to my knowledge).

 

 

Advertisement Advertisement
  • solutions-inc
  • solutions-inc
  • solutions-inc
  • solutions-inc

Latest Post

Advertisement Advertisement
  • solutions-inc
  • solutions-inc
  • solutions-inc
  • solutions-inc

You May Also Like

Compliance

The task to be performed ISO 27001 Clause 10.1 Nonconformity and corrective action, Clause 10 which includes sections 10.1 and 10.2 covers the “Act”...

Compliance

ISO/IEC 27034:2011+ – Information technology – Security techniques – Application security (all published except part 4) Introduction Business and IT managers, developers and auditors,...

Cyber Security

ISO/IEC TS 27110:2021 — Information security, cybersecurity and privacy protection — Cybersecurity framework development instructions Introduction As a Technical Specification, the standard (an architecture...

Compliance

The article discusses Compliance with Legal and Contractual Requirements, Identification of Applicable Legislation and Contractual Requirements and Intellectual Property Rights accordingly controls.A.18.1 Compliance with...