Assessment
The following document describes how the assessment is performed, based on the description of the categories and their associated requirements.
Assessment methods
The following assessment methods are available to assess the maturity of the PKI:
Methodology | Description | Trustworthiness |
---|---|---|
Self-assessment | Quickly determine the maturity level of PKI implementation and use case based on defined category maturity levels. | Low |
Formal assessment | Detailed assessment of the PKI implementation and use case based on assessment of every requirement, collecting information and evidence to determine the maturity level. | Medium |
Independent third-party assessment | Independent assessment provided by a third-party organization to confirm the formal assessment or to produce a formal report on the PKI maturity. | High |
More details are provided in the following sections.
Self-assessment
Self-assessment can be used to quickly determine the maturity level of the PKI implementation. It does not provide a detailed assessment of every requirement, but it can be a starting point for understanding the maturity level of the PKI.
Self-assessment defines maturity levels for each category, with a descriptive explanation of every level; the entity operating the PKI answers by selecting the level that matches its situation.
Levels are defined for each assessed category and tailored so that the response measures the maturity of that category. All responses are then combined to produce the category, module, and finally the overall PKI maturity level.
The self-assessment is typically performed by the entity operating the PKI, but it can also be performed by an independent third-party organization to quickly understand the context of the PKI and its estimated maturity level.
Formal assessment
Formal assessment is a detailed assessment of the PKI implementation and use case, in which every requirement is assessed and information and evidence are collected to determine the maturity level. Every requirement that is in scope is assessed according to its description, and evidence is collected to support the assessment.
Formal assessment is typically performed by an individual who has an independent view on the PKI and is not directly involved in its operation. This can be internal personnel or an external third-party organization, if needed.
Assessment can be done through interviews or workshops. The main purpose of this phase is to help the entity understand the maturity assessment questions, provide correct responses, and collect evidence. During the interview or workshop the main focus is on moderating the discussion with the relevant parties working for the entity and filling in the SAQs accordingly, to achieve a consistent maturity assessment across all categories.
Independent third-party assessment
Using an independent third-party assessment to collect information and provide a response for each requirement is important if the organization wants to provide a reliable and trusted report to relying parties.
Independent assessment should provide a high level of confidence that the achieved PKI maturity level is objective.
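The three methods above differ in how a category level is obtained (a declared answer versus a level supported by evidence for every requirement in scope) and in how much trust the resulting report deserves. The following scorer is an added example, not code from the PKI maturity model or its authors; it shows how per-category responses roll up into module and overall PKI levels and how a formal report can flag requirements that were claimed without evidence. It assumes a 1..5 level scale and "weakest link" aggregation (a module is only as mature as its least mature category), neither of which the page states, and the requirement identifiers and sample data are constructed.

```python
# Added example (not from the PKI maturity model document): turn assessment
# responses into category, module and overall PKI maturity levels and tag the
# result with the trustworthiness of the method used.
# Assumptions not stated on the page: a 1..5 level scale and "weakest link"
# aggregation (minimum) from requirement -> category -> module -> PKI.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_LEVEL, MAX_LEVEL = 1, 5  # assumed scale

TRUSTWORTHINESS = {  # from the assessment methods table
    "self": "Low",
    "formal": "Medium",
    "independent": "High",
}


@dataclass
class RequirementResult:
    requirement_id: str                  # hypothetical id such as "KM-01"
    level: int                           # level the collected evidence supports
    evidence: List[str] = field(default_factory=list)  # documents, logs, screenshots


@dataclass
class CategoryResult:
    name: str
    self_level: Optional[int] = None     # answer given in the self-assessment
    requirements: List[RequirementResult] = field(default_factory=list)  # formal assessment


def validate_level(level: Optional[int]) -> int:
    """Reject answers outside the assumed 1..5 scale instead of silently scoring them."""
    if not isinstance(level, int) or not MIN_LEVEL <= level <= MAX_LEVEL:
        raise ValueError(f"maturity level must be an integer in {MIN_LEVEL}..{MAX_LEVEL}, got {level!r}")
    return level


def category_level(cat: CategoryResult, method: str) -> int:
    """Self-assessment uses the declared level; formal and independent
    assessment derive it from every requirement in scope (weakest link, assumed)."""
    if method == "self":
        return validate_level(cat.self_level)
    if method in ("formal", "independent"):
        if not cat.requirements:
            raise ValueError(f"category {cat.name!r} has no requirements in scope")
        return min(validate_level(r.level) for r in cat.requirements)
    raise ValueError(f"unknown assessment method {method!r}")


def unsupported_requirements(cat: CategoryResult) -> List[str]:
    """Requirements whose level was claimed without any collected evidence."""
    return [r.requirement_id for r in cat.requirements if not r.evidence]


def module_level(categories: List[CategoryResult], method: str) -> int:
    return min(category_level(c, method) for c in categories)


def assess(modules: Dict[str, List[CategoryResult]], method: str) -> dict:
    """Aggregate categories -> modules -> PKI and attach the method's trustworthiness."""
    per_module = {name: module_level(cats, method) for name, cats in modules.items()}
    report = {
        "method": method,
        "trustworthiness": TRUSTWORTHINESS[method],
        "modules": per_module,
        "pki_level": min(per_module.values()),
    }
    if method != "self":
        # an evidence-based report is only as good as the evidence behind it
        gaps = {c.name: unsupported_requirements(c) for cats in modules.values() for c in cats}
        report["unsupported"] = {name: ids for name, ids in gaps.items() if ids}
    return report


# Constructed sample: two modules, three categories, hypothetical requirement ids.
SAMPLE = {
    "Governance": [
        CategoryResult("Policies", self_level=4, requirements=[
            RequirementResult("GOV-01", 4, ["CP/CPS v2.1"]),
            RequirementResult("GOV-02", 3, ["policy review minutes"]),
        ]),
    ],
    "Operations": [
        CategoryResult("Key management", self_level=4, requirements=[
            RequirementResult("KM-01", 4, ["HSM audit log export"]),
            RequirementResult("KM-02", 2, []),  # level claimed, no evidence collected
        ]),
        CategoryResult("Monitoring", self_level=3, requirements=[
            RequirementResult("MON-01", 3, ["SIEM dashboard screenshot"]),
        ]),
    ],
}

if __name__ == "__main__":
    for m in ("self", "formal", "independent"):
        print(assess(SAMPLE, m))
```

On the constructed sample the self-assessment reports an overall level of 3 with Low trustworthiness, while the formal assessment of the same PKI drops to 2 because requirement KM-02 only supports level 2, and the report names that requirement as lacking evidence; the independent variant yields the same levels but High trustworthiness.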