Topic-specific policies
ISO/IEC 27099

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27099:2022 — Information technology — Public key infrastructure Practices and policy framework (first edition)



“This document sets out a framework of requirements to manage information security for Public key infrastructure (PKI) trust service providers  through certificate policies, certificate practice statements, and,  where applicable, their internal underpinning by an information security management system (ISMS). The framework of requirements includes the  assessment and treatment of information security risks, tailored to meet the agreed service requirements of its users as specified through the  certificate policy. This document is also intended to help trust service providers to support multiple certificate policies ...”
[Source: ISO/IEC 27099:2022]


Since trustworthiness is an essential characteristic of any Public Key Infrastructure, strenuous efforts are required to minimise all risks that might lead to loss of trust in PKI.  The standard describes the use of an ISO/IEC 27001 Information Security Management System as a PKI management framework.


Scope of the standard

ISO/IEC 27099:

  • Identifies information risk and security management requirements for PKI Trust Service Providers and Certification Authorities through Certificate Policies and Certification Practice Statements.
  • Facilitates the implementation of operational, baseline controls and practices through an ISMS, building on and generalising the financial services PKI standard ISO 21188:2018 plus ISO/IEC 9594-8, ISO/IEC 19790 and RFC 3647.
  • Supports the lifecycle of public key certificates used for digital signatures, authentication, or encryption key establishment and exchange;
  • Primarily concerns PKI systems used in contractual relationships between organisations but also covers open (public) and closed (corporate/internal) PKIs;
  • Is applicable to root and intermediate CAs, not just those issuing certificates directly to users.

It does not address:

  • Attribute certificates;
  • Authentication methods;
  • Non-repudiation requirements;
  • Key management protocols based on the use of public key certificates;
  • Blockchain - at least, not explicitly.


Content of the standard

The ~100-page standard has 3 main sections and 6 informative annexes:

    Section 5: introduces PKI concepts.

    Section 6: CP, CPS and their relation to ISMS.

    Section 7: CA objectives and controls, plus other requirements concerning the operation of a CA, based on the ISO/IEC 27002:2013 structure (not the 2022 version).

    Annex A: Management by CP.

    Annex B: Elements of a CPS (mapping to RFC 3647).

    Annex C: CA key generation ceremony.

    Annex D: Content and use of the CA audit journal.

    Annex E: Certificate and PKI roles.

    Annex F: Changes from ISO 21188.



The first edition was published in 2022.


Personal notes

As with PKIs in general, this standard defines and uses 60 obscure terms of art plus 24 abbreviations, making it tough for non-specialists to comprehend - even tougher than PKI itself and cryptography in general. It is a detailed standard on an advanced, technical topic.


< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2024 IsecT LtdContact us re Intellectual Property Rights