ISO/IEC 27099:2022 Information technology — Public key infrastructure — Practices and policy framework
Standard number: ISO/IEC 27099:2022
Chinese title: 信息技术 公钥基础设施 实践和政策框架
English title: Information technology — Public key infrastructure — Practices and policy framework
Publication date: 2022-07
Scope
ISO/IEC 27099:2022 This document sets out a framework of requirements to manage information security for Public key infrastructure (PKI) trust service providers through certificate policies, certificate practice statements, and, where applicable, their internal underpinning by an information security management system (ISMS). The framework of requirements includes the assessment and treatment of information security risks, tailored to meet the agreed service requirements of its users as specified through the certificate policy. This document is also intended to help trust service providers to support multiple certificate policies.
This document addresses the life cycle of public key certificates that are used for digital signatures, authentication, or key establishment for data encryption. It does not address authentication methods, non-repudiation requirements, or key management protocols based on the use of public key certificates. For the purposes of this document, the term “certificate” refers to public key certificates. This document is not applicable to attribute certificates.
This document uses concepts and requirements of an ISMS as defined in the ISO/IEC 27000 family of standards. It uses the code of practice for information security controls as defined in ISO/IEC 27002. Specific PKI requirements (e.g. certificate content, identity proofing, certificate revocation handling) are not addressed directly by an ISMS such as defined by ISO/IEC 27001 [26].
The use of an ISMS or equivalent is adapted to the application of PKI service requirements specified in the certificate policy as described in this document.
A PKI trust service provider is a special class of trust service for the use of public key certificates.
This document draws a distinction between PKI systems used in closed, open and contractual environments. This document is intended to facilitate the implementation of operational, baseline controls and practices in a contractual environment. While the focus of this document is on the contractual environment, application of this document to open or closed environments is not specifically precluded.