14 - Awareness


Providing awareness about the PKI and its purpose, both inside and outside the organization, ensures that each PKI participant understands it properly and is informed in a timely manner about any important events that may affect them.

Awareness is important so that all PKI participants know how to handle exceptional situations and how to react to them. It is also important to know how and when to communicate, so that issues or incidents are not misunderstood.


1 | Establish and maintain awareness plan | 2
2 | Disclose PKI information | 2
3 | Establish single point of contact | 1
4 | Timely communication of important information | 2


Establish and maintain awareness plan


An awareness plan should be established and maintained to ensure that the PKI participants are aware of all relevant events related to the PKI implementation and its purpose in the organization and outside. It should cover at least the following information:

  • How the organization discloses information to PKI participants
  • Contact information
  • How changes are communicated
  • Who is responsible for accurate awareness
  • Resolving communication issues and incidents

Every PKI participant should receive information and relevant resources in a timely manner according to the awareness plan.


  • Documented awareness plan
  • Awareness plan is up-to-date
  • Review awareness content to ensure that it contains relevant information
  • Awareness plan is approved and communicated to all PKI participants
  • Awareness plan is integrated in the organization


Disclose PKI information


Information about the policies, processes, and procedures that are maintained by the PKI should be disclosed to the PKI participants. This information should be available on a timely basis and in a form that is understandable to the PKI participants.

The organization maintaining the PKI implementation should disclose the following information on a website or other appropriate media that can be reached by the PKI participants:

  • Certificate Policy
  • Certification Practice Statement
  • Revocation information
  • Valid CA certificates
  • Vulnerability reports
  • Audit reports
  • Contact information
  • Obligations of the PKI participants
  • Legal liability of the PKI participants
  • Warranty information
  • Disclaimer information
  • Privacy and data protection information
  • Other relevant information


  • Review disclosure statement content to ensure that it contains relevant information
  • Disclosure statement is approved and communicated to all PKI participants
  • Information is available to all PKI participants
  • Information is up-to-date


Establish single point of contact


The single point of contact (SPOC) provides a convenient way for any PKI participant to contact the organization and responsible personnel of the PKI implementation. The single point of contact should be available 24/7 and should be able to provide relevant information and trigger appropriate procedures if needed based on the situation.

Contact information for the SPOC should be disclosed to all PKI participants. The SPOC may be reached through different communication channels, such as:

  • Email
  • Phone
  • Web site form
  • Other


  • Contact SPOC to ensure that it is available and responds in a timely manner
  • Review that the SPOC communicates according to the awareness plan
  • Review that the SPOC is able to provide relevant information and trigger appropriate procedures if needed based on the situation


Timely communication of important information


In the event of an incident with high impact on the security and established trust of the PKI implementation, the organization should communicate the information to the PKI participants in a timely manner, both to avoid further escalation of the event and to inform participants of any further actions they may be required to take.

Examples of events that require timely communication include:

  • Compromise of the private key
  • Changes in the Certificate Policy
  • Changes in the Certification Practice Statement
  • Security breach
  • Other events that may require immediate action by the PKI participants


  • Documented procedures to inform PKI participants about high-impact events in a timely manner
  • Review that the procedures are followed
  • Interview personnel to ensure that they are aware of the procedures and know how to communicate the information

