Frequently asked questions

Below you can find answers to frequently asked questions about the PKI maturity model.

How can I benefit from PKI MM?

PKI MM (Public Key Infrastructure Maturity Model) provides guidance on how to improve the maturity of your PKI, including best practices, recommendations, and resources to help you address the identified areas for improvement. It can be used as a roadmap to guide your organization through the process of enhancing the maturity of your PKI.

PKI MM offers a structured framework to assess and improve the maturity of an organization’s PKI implementation. By utilizing PKI MM, you can identify areas for improvement, enhance the security and efficiency of your PKI, mitigate risks, and align your PKI practices with industry standards and best practices.

As a service provider, you can use PKI MM to evaluate the maturity of your PKI and demonstrate the quality of your PKI services to your customers. As a consultant or auditor, you can use PKI MM to evaluate the maturity of your clients’ PKI and provide recommendations for improvement.

You can also use PKI MM to benchmark your PKI against other organizations and gain insights into the best practices and trends in PKI management. The PKI MM is designed to be flexible and adaptable to different types of organizations and PKI implementations, and it can be used to assess and improve the maturity of both internal and external PKIs.

Who is the intended audience for PKI MM?

The intended audience for PKI MM includes organizations that operate or rely on a PKI, including enterprises, government agencies, service providers, and other entities that use digital certificates and cryptographic keys to secure their digital assets and communications.

Consulting organizations, auditors, and other professionals who provide PKI-related services also use PKI MM to assess and improve the maturity of their clients’ PKI implementations.

Is undertaking the PKI maturity assessment mandatory?

Undertaking the PKI maturity assessment is typically not mandatory, but it is highly recommended to ensure the optimal functioning and security of your PKI. However, specific regulatory requirements or organizational policies may mandate conducting assessments periodically.

The growing importance of PKI maturity assessment is also reflected in the increasing number of industry standards and regulations that require organizations to demonstrate the maturity of their PKI. For example, the European Union’s eIDAS regulation requires qualified trust service providers to undergo regular conformity assessments to demonstrate the maturity of their PKI.

Where can I access the assessment tools?

Available assessment tools and resources can be found in the Tools section of the PKI MM documentation. The tools include the PKI maturity assessment questionnaire, guidance on conducting the assessment, and templates for reporting the assessment results.

The tools are designed to help organizations assess the maturity of their PKI and identify areas for improvement and are updated regularly to reflect the latest best practices and industry standards.

Do I need to report the PKI maturity level?

Reporting the PKI maturity level is not mandatory, but it is recommended to document the results of the assessment and use them to guide the improvement of your PKI. Reporting the maturity level can help you communicate the status of your PKI to stakeholders, identify areas for improvement, and track progress over time.

Reporting the PKI maturity level may also be necessary depending on organizational requirements, regulatory obligations, or as part of improvement initiatives.

In what ways can I contribute to the PKI MM initiative?

You can contribute to the PKI MM initiative by providing feedback, sharing your experiences, and contributing to the development of the PKI MM framework and resources. You can also contribute by sharing your PKI maturity assessment results, best practices, and case studies to help other organizations improve the maturity of their PKI.

Sharing your experiences and insights with the community, participating in discussions, and advocating for the adoption of PKI MM within your organization and industry can help promote the use of PKI MM and contribute to its continuous improvement.

To actively participate in the PKI MM initiative, you can join the PKI Consortium and take part in the working groups and activities related to PKI MM.

Having completed the assessment, how should I prioritize improvement areas?

Prioritizing improvement areas should be based on the assessment results, considering factors such as the criticality of identified weaknesses, potential impact on security and operations, available resources, and alignment with organizational goals and priorities. The PKI MM documentation may provide guidance on prioritizing improvement areas based on best practices and industry standards.

Each category and module of the PKI MM framework may have different implications for the security, efficiency, and reliability of your PKI based on the associated weight. It is recommended to prioritize improvement areas that have the highest weight and therefore the most significant impact on the overall maturity of your PKI.

Our PKI adheres to standards and audits; what implications does this hold within the PKI MM framework?

Adhering to standards and undergoing audits can positively impact your PKI maturity level within the PKI MM framework, as it demonstrates a commitment to best practices, compliance with industry standards, and a proactive approach to security and governance. However, it is important to note that adherence to standards and successful audits are not the only factors that determine the maturity of your PKI.

The PKI MM framework considers various aspects of PKI management, including governance, key management, certificate management, interoperability, infrastructure management, and other categories and modules. Therefore, it is essential to assess and improve all relevant areas of your PKI to achieve a higher maturity level, even if your PKI adheres to standards and undergoes audits.

How does my PKI’s status compare to that of others?

Comparing your PKI’s status to others can provide valuable insights into industry benchmarks, best practices, and areas for improvement. However, it’s essential to consider the unique context, requirements, and constraints of your organization when evaluating comparisons. You can benchmark your PKI’s status against industry reports, case studies, and peer-reviewed publications to gain insights into its relative performance.

The PKI Consortium currently does not store or publish PKI maturity assessment results from individual organizations. However, you can participate in the PKI Consortium’s working groups and activities to share your experiences and learn from others in the community.

How frequently should I conduct the assessment?

The frequency of conducting the PKI maturity assessment depends on various factors, including the rate of change in your organization, the criticality of your PKI, the complexity of your PKI infrastructure, and the availability of resources. It is recommended to conduct the assessment periodically, such as annually or biennially, to track the progress of your PKI maturity and identify areas for improvement.

Who is authorized to perform the official assessment?

The PKI Consortium does not currently mandate specific individuals or organizations to perform the official assessment, although an official assessment program may be introduced in the future.

The assessment should be performed by individuals or teams with the necessary expertise, knowledge, and authority to evaluate the maturity of your PKI. The assessment team may include PKI administrators, security professionals, auditors, consultants, or other individuals with relevant experience and qualifications.

It is essential to ensure that the assessment is conducted objectively, independently, and in accordance with the PKI MM framework and guidelines. The assessment team should have access to the necessary resources, tools, and documentation to perform the assessment effectively.

Do I need to assess all modules and categories?

The scope of the assessment should be determined based on the specific requirements, objectives, and context of your organization. It is not mandatory to assess all modules and categories of the PKI MM framework; it is recommended to evaluate the areas that are most relevant to your PKI and have the most significant impact on its maturity.

For more information on the scope of the assessment and guidance on selecting the modules and categories to assess, refer to the Assessment process.

Where can I post questions and discuss the PKI MM?

You can post questions and discuss the PKI MM in the PKI maturity model community discussion, where you can engage with other PKI professionals, share your experiences, and learn from others in the community. The community forums are a valuable resource for asking questions, seeking advice, and participating in discussions related to PKI MM.