Assessment Methodology

The following document describes the methodology how is the maturity assessment done based on the PKI Maturity Model.

Assessment methods

The assessment methods consist of:

  • Self-assessment questionnaires
  • Face-to-face interviews and workshops.

Self-assessment questionnaire (SAQ)

Questionnaires are initially the tool to perform and collect all relevant data about the capabilities and performance of the PKI.

The SAQ contains a set of questions with deterministic answers (list of possible answers), which are answered by the entity operating the PKI.

SAQ is defined for each of the assessed categories and carefully tailored to provide valuable information leading to measure maturity level of the category. Each question gives an output in the form of the partial assessed level and all ratings are finally combined to provide category maturity level or rating.

The category maturity level is calculated as average of all partial levels produced by the SAQ in the category.

F2F interview/workshop

The interview or workshop has the same basis as for the SAQ and the main purpose of this phase is to help entity understand the maturity assessment question and to provide correct answer. This will be mainly provided to entities which are not fully PKI-aware or does not have enough resources and skilled personnel, but would like to understand the process.

During the interview/workshop the main focus is on moderating the discussion with relevant parties working for entity and filling the SAQs accordingly to achieve the consistent maturity assessment across all categories.

Assessment types

(TBD) The following assessment types will be provided:

  • Self-assessment
  • Third-party assessment
  • Certified assessment


Collecting all information to provide answers for SAQs by internal members or personnel of the entity.

Third-party assessment

Using independent 3rd party to collect information and provide answers for SAQs, this will be used mainly by entities which do not have enough skilled resources to perform the self-assessment or would like to have independent view on the maturity of the PKI. (if such scenario can happen…)

Certified assessment

Provided by us as PKI maturity assessment practitioners. Purpose of the certified assessment is to give consistent, reliable output of the PKI maturity rating across all entities. Certificate can be issued to prove the maturity level to other entities or create a badge on the website providing assurance for the customers and relying parties.

Participate in our community discussions and/or join the consortium