List of categories

The following categories are recognized as part of the PKI maturity assessment:

1Strategy and visionResponsible for the PKI management and strategy. Includes alignment with organizational goals and requirements, risk management, and policy decisions.
2Policies and documentationFormal policies and practice statements for supported PKI services and use-cases. Formal management of agreements between parties involved in the PKI.
3ComplianceAdherence to standards and applicable regulations and requirements for the PKI and trust services. Standards and regulations may be internal or external, country specific or purpose specific.
4Processes and proceduresProcesses and procedures related to PKI management tasks and operational activities. This includes also the supply chain procedures and processes that includes acceptance or receipt of the HW and SW related to the PKI.
5Key ManagementKey management policy and procedures related to PKI cryptographic keys and its lifecycle. Inventory of cryptographic keys. Secure and trusted key ceremonies. Key escrow and key recovery if applicable.
6Certificate ManagementCertificate management policy and lifecycle. Inventory of certificates. Definition of the certificate profiles and supported states of the certificate including the transitions between the states. Proper validation fo the certificates.
7InteroperabilityInteroperability between applications, implementations, and technologies. Application of interoperable protocols and standards. Transparency and vendor lock avoidance strategy.
8Infrastructure ManagementAvailability of the PKI services, infrastructure setup to achieve availability goals. PKI continuity testing and infrastructure recovery. Infrastructure security controls.
9Change Management and AgilitySecure and controlled process for the change management. Formal process to request changes in the PKI, approval, staging, roll-back.
10SourcingAvailability of skilled resources to manage PKI. Processes and procedures to maintain the required resources in time, monitoring of the skills.
11Knowledge and TrainingEducation of people and continuously gathering required knowledge and skills to manage PKI. Training plans and improvement.
12Monitoring and AuditingMeasurement of the PKI metrics, collecting evidence, monitoring and alerting of relevant issues, including references to incident response management.
13AutomationAutomation of certificate lifecycle management. Technology and tools for the automation. Monitoring of automated certificate operations.
14AwarenessProviding awareness about the PKI in the organization and its purpose. Awareness how to apply the PKI in a trusted and secure way.
15ResilienceQuickly respond to potential attack and unavailability of the PKI services or other related resources.
Participate in our community discussions and/or join the consortium