ISO 27099: Public Key Infrastructure (PKI) Trust Framework

What Is ISO/IEC 27099?

ISO/IEC 27099:2022 is the international standard that sets out a framework of requirements to manage information security for Public Key Infrastructure (PKI) trust service providers - governing the policies, practices and procedures by which Certificate Authorities and other PKI trust service providers issue, manage and revoke digital certificates used for digital signatures, authentication and key establishment for data encryption. Published by ISO and IEC under ISO/IEC JTC 1/SC 27, it is the first comprehensive international standard specifically dedicated to PKI operations and trust service practices.

The standard governs PKI trust service provision through three interconnected instruments: the Certificate Policy (CP), which defines the requirements and obligations governing a class of certificates for a particular application and community; the Certification Practice Statement (CPS), which describes how the trust service provider implements the requirements of the Certificate Policy in its operations; and, where applicable, an Information Security Management System (ISMS) that provides the underpinning management system governance for the entire PKI operation.

It addresses the full lifecycle of public key certificates - issuance, renewal, suspension, revocation and expiration - and draws a clear distinction between PKI systems used in closed environments, open environments and contractual environments, with its primary focus on the contractual environment where trust relationships between parties are formally governed by documented policy and practice frameworks.

ISO/IEC 27099 helps PKI trust service providers turn digital certificate operations into a controlled, policy-driven and auditable trust framework - Pacific Certifications


PKI Trust Services

A PKI trust service provider is an organization that operates Public Key Infrastructure to issue digital certificates - cryptographic credentials that bind a public key to an identity, enabling the use of that key for digital signatures, authentication, or encryption. ISO/IEC 27099 defines the governance framework within which these trust services must be managed to be considered trustworthy by the parties that rely on the certificates issued.

Certificate Authority (CA) Operations

A Certificate Authority is the core component of a PKI trust service - the entity that issues, signs and manages digital certificates. ISO/IEC 27099 distinguishes between three tiers: root CAs, which sit at the top of the certificate hierarchy and whose self-signed certificates are embedded in relying-party software as trust anchors; intermediate CAs, which hold certificates issued by a root CA and issue end-entity certificates to subscribers; and issuing CAs, which issue certificates directly to end users, systems and devices.

Registration Authority (RA) Operations

A Registration Authority is the component of a PKI that performs identity verification and vetting of certificate applicants before certificates are issued - confirming that the applicant is who they claim to be and is entitled to the certificate they have requested. ISO/IEC 27099 requires that RA operations are governed by documented procedures covering identity verification methods, vetting standards appropriate to the certificate class and the controls governing the delegation of RA functions to third parties.

Certificate Lifecycle Management

ISO/IEC 27099 addresses the full lifecycle of digital certificates - from initial application, vetting, issuance and delivery through renewal, key rollover, suspension, revocation and expiration. Certificate lifecycle management must be governed by documented procedures ensuring that certificates are issued only to eligible subscribers, that revocation is processed promptly when required and that certificate status information is made available to relying parties through Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) services.

Time-Stamping and Other Trust Services

Beyond certificate issuance, PKI trust service providers may operate additional trust services including time-stamping authorities - which provide cryptographically authenticated timestamps for digital signatures - and certificate validation services. ISO/IEC 27099 provides the framework for governing these additional trust services within the same policy and practice framework as the core certificate issuance operations.

Practical Tip: Treat every certificate as a trust asset, with clear controls for issuance, renewal, suspension, revocation and validation.


Certificate Authorities and Relying Parties

ISO/IEC 27099 defines the roles, relationships and obligations of all parties in the PKI trust ecosystem - establishing the governance framework that makes digital certificates trustworthy for relying parties.

The Certificate Policy

The Certificate Policy is the foundational document that defines the requirements governing a class of certificates - specifying the intended use of the certificates, the identity vetting requirements for subscribers, the technical and operational requirements for certificate issuance and management and the obligations of all parties in the PKI community. A single PKI trust service provider may operate multiple Certificate Policies.

The Certification Practice Statement

The Certification Practice Statement is the operational counterpart to the Certificate Policy - describing in detail how the trust service provider implements the requirements of each Certificate Policy in its infrastructure, processes and controls. The CPS covers all aspects of CA operations including physical and logical security of CA infrastructure, key generation and protection procedures, certificate issuance and revocation processes, audit logging, incident response and business continuity arrangements.

Subscriber Obligations

Subscribers - the individuals, organizations and systems to whom certificates are issued - have defined obligations under the Certificate Policy, including accurate representation of their identity and attributes during the vetting process, protection of their private key and prompt notification of key compromise or circumstances requiring certificate revocation.

Relying Party Obligations

Relying parties - organizations and systems that use certificates to authenticate identities, verify digital signatures, or establish encrypted communications - have the obligation to verify certificates appropriately before relying on them, including checking certificate validity, revocation status and policy compliance.
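The relying-party checks listed above (validity, revocation status and policy compliance), together with the CRL-based status publication described under Certificate Lifecycle Management, as an added Go example that is not part of the standard or of this page: it builds a constructed in-memory root CA, an end-entity certificate and a CRL with only the Go standard library, then runs the checks a relying party must perform before trusting the certificate. The policy OID, subject names and validity periods are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"slices"
	"time"
)

// Hypothetical Certificate Policy OID; a real CA publishes its own OID in its CP.
var policyOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 2, 3}

// policyInfo mirrors RFC 5280 PolicyInformation (qualifiers omitted).
type policyInfo struct{ Policy asn1.ObjectIdentifier }

// must panics on error: buildPKI only ever runs on fixed, constructed inputs.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// buildPKI constructs an in-memory root CA, an end-entity certificate asserting
// policyOID, and a CRL signed by the root (constructed test data, not a real CA).
func buildPKI(revokeLeaf bool) (root, leaf *x509.Certificate, crlDER []byte) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	polExt := must(asn1.Marshal([]policyInfo{{policyOID}})) // certificatePolicies (2.5.29.32) value
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "subscriber.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: polExt}}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour)}
	if revokeLeaf { // e.g. the subscriber reported key compromise and the CA listed the serial
		crl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	return root, leaf, must(x509.CreateRevocationList(rand.Reader, crl, root, rootKey))
}

// checkCertificate performs the relying-party checks described above: chain to a trust
// anchor and validity period (Verify), revocation status from a CRL that must be signed
// by the issuer and still current, and presence of the required Certificate Policy OID.
func checkCertificate(leaf, root *x509.Certificate, crlDER []byte, required asn1.ObjectIdentifier, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at}); err != nil { return err }
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return err }
	if err := crl.CheckSignatureFrom(root); err != nil { return err } // a CRL not signed by the issuer proves nothing
	if at.After(crl.NextUpdate) { return errors.New("CRL is stale: nextUpdate has passed") }
	isLeaf := func(r pkix.RevokedCertificate) bool { return r.SerialNumber.Cmp(leaf.SerialNumber) == 0 }
	if slices.ContainsFunc(crl.RevokedCertificates, isLeaf) {
		return errors.New("certificate is revoked")
	}
	if !slices.ContainsFunc(leaf.PolicyIdentifiers, required.Equal) {
		return errors.New("certificate does not assert the required policy OID")
	}
	return nil
}
```

A production relying party would additionally supply any intermediate CAs through x509.VerifyOptions.Intermediates and fetch the CRL or an OCSP response from the distribution point named in the certificate rather than receiving it as an argument.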

Writer’s view: A Certificate Authority’s credibility depends on how well its root, intermediate and issuing CA operations are protected, documented and monitored.


Governance and Assurance

Governance and assurance are the mechanisms by which PKI trust service providers demonstrate that their operations meet the requirements of their Certificate Policies and Certification Practice Statements - providing confidence to subscribers, relying parties, regulators and auditors that the trust service is operating as claimed.

Policy Authority

ISO/IEC 27099 requires that each PKI trust service operation is governed by a Policy Authority - the body responsible for approving the Certificate Policy, reviewing the Certification Practice Statement for conformance with the policy and overseeing the overall governance of the PKI program. The Policy Authority may be internal to the trust service provider organization or may be an external governance body representing the community of interest served by the PKI.

ISMS Integration

Where a trust service provider operates an Information Security Management System - as is recommended by ISO/IEC 27099 and required by many PKI audit schemes - the ISMS provides the risk assessment and control management framework within which PKI-specific security controls are governed. The ISMS risk assessment covers all significant threats to PKI operations - including CA key compromise, infrastructure attack, insider threat and supply chain risk - and the control selection and implementation process ensures that controls are proportionate to the identified risks and aligned to the Certificate Policy requirements.

Audit and Compliance

ISO/IEC 27099 requires that PKI trust service operations are subject to regular independent audits assessing conformance of actual operations against the Certification Practice Statement and the applicable Certificate Policy. Audit findings must be addressed through documented remediation activities, and the audit reports provide the basis for ongoing assurance to relying parties and regulators. Recognized PKI audit schemes - including WebTrust for CAs, ETSI EN 319 401 and national trust framework audits - reference ISO/IEC 27099 as part of their audit criteria.

Tip: PKI assurance depends on governance that connects policy approval, security controls, audit evidence and corrective action.


ISO 27099 vs ISO 27001

ISO/IEC 27099 and ISO/IEC 27001 are closely related and designed to be used together - ISO/IEC 27099 explicitly provides for an ISMS as the underpinning management system for PKI trust service operations.

Dimension | ISO/IEC 27099 | ISO/IEC 27001
--- | --- | ---
Scope | PKI trust services specifically - certificate policies, CPSs, CA operations | All information assets across all sectors
Type | Requirements standard for PKI trust service providers | Certifiable management system standard
Certification | No standalone certification | Third-party certification available
Focus | Certificate lifecycle, CA operations, PKI governance | Information security management system
ISMS relationship | Recommends or requires an ISMS as the underpinning governance framework | Provides the ISMS framework referenced by ISO 27099
Primary audience | CA operators, PKI managers, trust service providers | Any organization managing information security

Final Remark: ISO/IEC 27099 defines PKI trust governance, while ISO/IEC 27001 provides the certifiable ISMS structure that supports it.


ISO 27099 - Practical Use Cases

ISO/IEC 27099 is relevant across any context where digital certificates are used to establish identity, authenticate systems, or protect communications.

Public Trust CAs and TLS Certificate Issuance

Public trust CAs - organizations whose root certificates are included in browser and operating system trust stores - operate under strict Certificate Policies and CPSs that must satisfy the requirements of browser root programs operated by major platform vendors. ISO/IEC 27099 provides the international standard framework that public trust CAs reference when documenting and auditing their CP/CPS against internationally recognized requirements.

Government and National PKI Programs

National governments operating PKI infrastructure for citizen identity, electronic signatures and government service authentication apply ISO/IEC 27099 as the governance framework for their national PKI programs. The standard's support for multiple certificate policies within a single PKI framework makes it particularly suited to government PKI environments that must serve diverse communities - individual citizens, legal entities, government employees and automated systems - under a common governance structure.

Enterprise PKI for Internal Identity and Device Management

Organizations operating internal PKI infrastructure - for employee certificate issuance, machine and device authentication, code signing and email security - use ISO/IEC 27099 to formalize their Certificate Policies and CPSs, providing a structured governance framework for internal trust service operations that satisfies audit and compliance requirements.

Financial Services and Payment Systems

Financial institutions operating PKI for transaction authentication, payment system security and regulatory compliance apply ISO/IEC 27099 - building on the standard's origins in ISO 21188 for financial services PKI - to govern their trust service operations within the regulatory frameworks applicable to financial institutions.

IoT Device Identity and Authentication

For IoT platform operators issuing device identity certificates at scale - provisioning unique cryptographic identities to connected devices during manufacturing - ISO/IEC 27099 provides the CP/CPS governance framework for the device identity PKI, ensuring that device certificates are issued, managed and revoked in accordance with a documented, auditable policy framework.

ISO/IEC 27099 is most valuable where digital identity, authentication and encrypted communication must be trusted across systems or organizations - Pacific Certifications


Implementation Considerations

Implementing an ISO/IEC 27099-aligned PKI trust service program requires careful attention to several dimensions that go beyond technical PKI deployment:

  • Certificate Policy design: The CP must accurately reflect the intended use, assurance level and community served by the PKI - balancing the rigor of vetting and operational requirements against the practical needs of subscribers and relying parties

  • CPS development and alignment: The CPS must describe actual operations accurately - the most common PKI audit finding is a CPS that describes ideal operations rather than what the CA actually does, creating a gap between documented and actual practice

  • Key ceremony procedures: CA key generation must follow documented, witnessed and audited key ceremony procedures - with the key ceremony script and witness attestations forming part of the auditable evidence base for the PKI

  • HSM and physical security: CA private keys must be protected in Hardware Security Modules meeting appropriate security standards, housed in physically secured facilities with documented access controls and audit logging

  • Revocation infrastructure: CRL publication and OCSP responder infrastructure must be designed for high availability - revocation service unavailability is a significant operational risk for PKI trust service providers

  • Incident response: PKI-specific incident response procedures must cover CA key compromise - the highest-severity PKI incident - as well as misissuance events, infrastructure failures and supply chain security incidents

  • ISMS alignment: Where an ISMS is operated alongside the PKI, the risk assessment must explicitly address PKI-specific threat scenarios and the control selection must reflect the specific risk profile of CA operations

Practical Tip: The most reliable ISO/IEC 27099 implementation starts by aligning the Certificate Policy, CPS, key ceremony controls and ISMS risk assessment.


ISO 27099 Certification Cost

ISO/IEC 27099 does not carry a standalone certification body audit fee. The primary management system certification for PKI trust service providers is ISO/IEC 27001 and audit cost is determined by the number of employees in scope, the number of CA operational sites and the complexity of the PKI infrastructure and service portfolio covered.

PKI trust service operations are typically highly concentrated - a small number of highly secured facilities with a relatively small but highly specialized workforce - which means ISO/IEC 27001 audit scope is often narrower in headcount terms than the high-risk, high-consequence nature of the operations would suggest.

Where ISO/IEC 27701 is added to address subscriber personal data obligations, the integrated program covering all three standards delivers comprehensive governance certification across security, continuity and privacy dimensions. Pacific Certifications provides transparent, fixed-fee proposals so your organization has full cost visibility before the process begins.

Cost planning should consider the PKI scope, number of secure sites, ISO/IEC 27001 audit needs and the complexity of certificate services.


ISO 27099 Certification Timeline

Implementing an ISO/IEC 27099-aligned PKI trust service governance program - from Certificate Policy and CPS development through ISMS establishment, key ceremony procedure documentation, infrastructure security implementation and audit preparation - is one of the more technically demanding management system implementation programs, with a timeline that reflects the depth of specialized documentation and security infrastructure required.

For an organization with an existing PKI deployment and partial governance documentation, the full implementation and certification program typically runs 4 to 7 months.

The ISO/IEC 27099 CP/CPS development and the ISO/IEC 27001 risk assessment work are closely interdependent - the certificate policy requirements directly inform the risk treatment decisions of the ISMS - meaning that the two programs should be developed in parallel by the same team rather than sequentially. Assigning dedicated PKI governance ownership, engaging specialist PKI policy expertise for CP/CPS development and scheduling the CA key ceremony well in advance of the Stage 2 audit are the most effective ways to keep the combined program on track.

A Practical Tip from Pacific Certifications: PKI trust service providers can avoid delays by developing CP, CPS, ISMS risk controls and audit evidence in parallel.


How Pacific Certifications Can Help

Pacific Certifications is an independent certification body providing ISO certification services to PKI trust service providers, Certificate Authorities, government PKI programs, enterprise PKI operators, financial institutions and technology organizations deploying digital identity infrastructure globally. Accredited by ABIS, Pacific Certifications conducts impartial, evidence-based audits against applicable ISO standards in full conformance with ISO/IEC 17021.

Our services for PKI and trust service organizations include:

  • Independent certification audits for ISO/IEC 27001, ISO/IEC 27701, ISO 22301 and ISO 9001

  • Integrated management system audits covering multiple standards in coordinated, efficient audit visits

  • Stage 1 and Stage 2 audit execution across PKI operations, trust service providers and digital identity infrastructure organizations

  • Clear, transparent audit reports with conformity findings and certification decisions

  • Issuance of internationally recognized ISO certificates upon successful audit completion

  • Annual surveillance and triennial recertification audits to maintain certificate validity

Pacific Certifications does not provide consultancy - our role is strictly that of an independent auditor, ensuring your certificate carries full credibility with enterprise clients, government authorities, regulators and browser root program operators in every market you operate in.

Pacific Certifications’ View: As an ABIS-accredited certification body, Pacific Certifications provides independent audits for ISO/IEC 27001 and related standards supporting PKI trust service governance.


Contact Us

To get started with your PKI trust service certification program or initiate your audit, contact us at support@pacificcert.com or +91-8595603096. For training programs, contact us at trainings@pacificcert.com. Visit www.pacificcert.com for more information.

Frequently Asked Questions

What is ISO/IEC 27099?

ISO/IEC 27099:2022 is the international standard providing the framework of requirements for managing information security in PKI trust service providers - governing Certificate Policies, Certification Practice Statements and the ISMS underpinning PKI operations for digital signatures, authentication and encryption.

Does ISO/IEC 27099 have its own certification?

No. ISO/IEC 27099 is a requirements framework standard for PKI policy and practice governance rather than a standalone certifiable management system standard. Organizations pursue ISO/IEC 27001 certification as the primary ISMS certification supporting their ISO/IEC 27099 implementation.

What is the difference between a Certificate Policy and a Certification Practice Statement?

A Certificate Policy defines the requirements and obligations governing a class of certificates - the what and why of PKI trust service. A Certification Practice Statement describes how the trust service provider implements those requirements in its operations - the how. The CP sets the standard; the CPS demonstrates conformance with it.

What is a PKI trust service provider?

A PKI trust service provider is an organization that operates Certificate Authority infrastructure to issue, manage and revoke digital certificates - providing cryptographic trust services used for digital signatures, identity authentication and encrypted communications.

Is ISO/IEC 27099 relevant to enterprise PKI programs?

Yes. ISO/IEC 27099 applies to any PKI operation - whether a public trust CA, a government national PKI, or an enterprise PKI operating entirely within a closed or contractual environment. Enterprise PKI operators benefit from applying the CP/CPS framework to formalize and audit their internal certificate governance.