The dedicated international standard for PKI certificate lifecycle management, mapping directly onto the discovery, governance, and automation workflows of trust service providers and certificate-relying organizations.
ISO/IEC 27099 (PKI — Practices and policy framework) is a standard written specifically for organizations operating PKI and trust services. Unlike ISO 27001, which covers information security broadly, ISO 27099 focuses exclusively on PKI practices: certificate policies, certification practice statements, key management, the certificate lifecycle, and trust service operations.
The standard bridges the gap between high-level security management (ISO 27001) and operational PKI requirements (ETSI EN 319 standards). It provides a structured framework that CA operators, Registration Authorities, and Trust Service Providers can use to formalize and validate their practices.
As regulatory frameworks increasingly demand demonstrable PKI compliance, ISO 27099 has become the definitive reference for organizations seeking to prove their certificate management operations meet international best practices.
Define comprehensive certificate policies governing issuance, usage, suspension, and revocation for each type of certificate managed by the organization.
Maintain a detailed CPS describing how the CA implements its certificate policies, including operational procedures, security controls, and audit practices.
Implement end-to-end key management covering generation, distribution, storage, backup, recovery, rotation, archival, and secure destruction of cryptographic keys.
Manage the complete certificate lifecycle including registration, issuance, validation, renewal, re-keying, suspension, revocation, and status reporting (OCSP/CRL).
Establish operational practices for trust service providers including physical security, personnel vetting, incident management, and business continuity planning.
Conduct PKI-specific risk assessments that address threats to CA operations and key compromise scenarios, and implement proportionate security controls.
Work begins within ISO/IEC JTC 1/SC 27 to create a dedicated standard for PKI practices and policy frameworks.
The standard is officially published, providing the first comprehensive international framework specifically for PKI operations and trust service practices.
Trust Service Providers and Certificate Authority operators begin adopting the standard to formalize their PKI practices and certificate policies.
Regulatory frameworks increasingly reference ISO 27099 as a benchmark for PKI compliance, strengthening its role in conformity assessments.
Ongoing evolution to address post-quantum cryptography requirements and alignment with emerging PKI standards for crypto agility.
As the dedicated standard for PKI operations, ISO 27099 has a direct and comprehensive impact on certificate management. Here are the critical areas:
ISO 27099 is purpose-built for PKI, providing specific requirements for certificate lifecycle operations that go far beyond generic information security controls.
All Certificate Authority operators must maintain formal Certificate Policies and Certification Practice Statements that meet the structured requirements of the standard.
The standard mandates comprehensive key management covering the entire lifecycle — from secure generation through distribution, storage, rotation, archival, and destruction.
The standard sets formal requirements for certificate validation services (OCSP, CRL) and revocation management, so that relying parties can always verify certificate status reliably.
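The lifecycle and status-reporting requirements above are easier to reason about as an explicit state machine, so the following Python model is added here as an illustration; it is not code from the page, from ISO 27099, or from any vendor product. It models registration, issuance, renewal, re-keying, suspension, revocation, and an OCSP/CRL-style status answer, and rejects transitions the lifecycle does not allow (a revoked certificate can never be restored, and a hold is a suspension rather than a revocation). The registry class, its serial numbering, the 365-day validity default, and the policy of revoking the old certificate as superseded on re-key are assumptions of this model, not requirements of the standard; the reason names certificateHold and superseded are the RFC 5280 CRLReason names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    REQUESTED = "requested"   # registration recorded, nothing issued yet
    VALID = "valid"           # issued and usable
    SUSPENDED = "suspended"   # on hold; reported as revoked/certificateHold
    REVOKED = "revoked"       # permanent; no transition leaves this state


# CRLReason names from RFC 5280; only the ones this model uses.
CERTIFICATE_HOLD, SUPERSEDED = "certificateHold", "superseded"


@dataclass
class Certificate:
    serial: int
    subject: str
    key_id: str                       # which key pair the certificate binds
    state: State
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None
    reason: Optional[str] = None      # CRL reason while suspended/revoked


class LifecycleError(Exception):
    """Operation not permitted from the certificate's current state."""


class CertificateRegistry:
    """Hypothetical CA-side registry (assumption of this model)."""

    # The only legal (operation, from_state) -> to_state moves.
    _TRANSITIONS = {
        ("issue", State.REQUESTED): State.VALID,
        ("suspend", State.VALID): State.SUSPENDED,
        ("unsuspend", State.SUSPENDED): State.VALID,
        ("revoke", State.VALID): State.REVOKED,
        ("revoke", State.SUSPENDED): State.REVOKED,
    }

    def __init__(self, validity: timedelta = timedelta(days=365)):
        self.validity = validity          # assumed default validity period
        self._certs: Dict[int, Certificate] = {}
        self._next_serial = 1

    def _move(self, serial: int, op: str) -> Certificate:
        cert = self._certs[serial]
        to = self._TRANSITIONS.get((op, cert.state))
        if to is None:
            raise LifecycleError(f"{op} not allowed while {cert.state.value}")
        cert.state = to
        return cert

    def register(self, subject: str, key_id: str) -> Certificate:
        cert = Certificate(self._next_serial, subject, key_id, State.REQUESTED)
        self._next_serial += 1
        self._certs[cert.serial] = cert
        return cert

    def issue(self, serial: int, now: Optional[datetime] = None) -> Certificate:
        now = now or datetime.now(timezone.utc)
        cert = self._move(serial, "issue")
        cert.not_before, cert.not_after = now, now + self.validity
        return cert

    def suspend(self, serial: int) -> Certificate:
        cert = self._move(serial, "suspend")
        cert.reason = CERTIFICATE_HOLD
        return cert

    def unsuspend(self, serial: int) -> Certificate:
        cert = self._move(serial, "unsuspend")
        cert.reason = None
        return cert

    def revoke(self, serial: int, reason: str) -> Certificate:
        if reason == CERTIFICATE_HOLD:    # a hold is suspend(); revocation is final
            raise LifecycleError("certificateHold is a suspension, not a revocation")
        cert = self._move(serial, "revoke")
        cert.reason = reason
        return cert

    def _reissue(self, serial: int, key_id: str, now: Optional[datetime]) -> Certificate:
        old = self._certs[serial]
        if old.state is not State.VALID:
            raise LifecycleError("only a valid certificate can be renewed or re-keyed")
        return self.issue(self.register(old.subject, key_id).serial, now)

    def renew(self, serial: int, now: Optional[datetime] = None) -> Certificate:
        """Renewal: same key, new certificate with a fresh validity window."""
        return self._reissue(serial, self._certs[serial].key_id, now)

    def rekey(self, serial: int, new_key_id: str, now: Optional[datetime] = None) -> Certificate:
        """Re-key: new key, new certificate. Revoking the old certificate as
        superseded is a policy choice of this model, not a rule of the standard."""
        new = self._reissue(serial, new_key_id, now)
        self.revoke(serial, SUPERSEDED)
        return new

    def status(self, serial: int) -> Tuple[str, Optional[str]]:
        """OCSP-style answer: good, revoked (with reason) or unknown."""
        cert = self._certs.get(serial)
        if cert is None or cert.state is State.REQUESTED:
            return ("unknown", None)
        if cert.state in (State.REVOKED, State.SUSPENDED):
            return ("revoked", cert.reason)
        return ("good", None)

    def crl_entries(self) -> List[Tuple[int, str]]:
        """What a CRL would list: permanent revocations and active holds."""
        return sorted((c.serial, c.reason) for c in self._certs.values()
                      if c.state in (State.REVOKED, State.SUSPENDED))
```

The transition table is the whole enforcement mechanism: because no entry leads out of REVOKED, an operator cannot "unrevoke" a certificate by mistake, and because suspension and revocation are separate operations, the status answer can distinguish a hold (revoked with certificateHold, which may later be lifted) from a permanent withdrawal. A real CA would also persist every transition to an audit log, which is what the conformity-assessment audit trails mentioned on this page would be built from.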
Full certificate lifecycle implementation — Horizon implements the complete certificate lifecycle defined in ISO 27099, from registration and issuance through renewal, suspension, and revocation.
TSP practice alignment — Stream aligns with ISO 27099 trust service provider requirements, delivering CA/RA/VA/TSA capabilities with OCSP, CRL, and RFC 3161 timestamp services.
Automated CP/CPS enforcement — Built-in policy engine enforces Certificate Policy and CPS compliance automatically, ensuring every certificate issued meets your documented practices.
Comprehensive audit trails — Generate detailed audit trails and compliance reports for ISO 27099 conformity assessments, with full traceability across all PKI operations.