PKI Maturity Model

This document defines the PKI maturity model and the maturity assessment process and procedures used to rate the current maturity level according to the model and to track progress over time.

Maturity Model

The maturity model is based on the Capability Maturity Model Integration (CMMI) developed by Carnegie Mellon University. It should provide the following:

  • Quickly understand the current level of capabilities and performance of the PKI
  • Support comparison of PKI maturity with similar organizations based on size or industry (anonymized)
  • Action plans on how to improve the capabilities of the current PKI
  • Improve overall PKI performance

Maturity Levels

The maturity model consists of several categories that are directly associated with the PKI and cover all of its aspects and activities (people, processes, technology). Based on the assessment of these parts, the overall maturity level is determined as a single value representing the current state of capabilities and performance.

Each category can be separately assessed for its maturity level. Maturity levels are generally defined as follows:

Maturity level   Short description (general)
Initial          Unpredictable process with poor control and always reactive
Basic            Process is characterized by each particular case or project and controls are often reactive
Advanced         Process is characterized by organizational standards and controls are proactive
Managed          Processes are measured and controlled, proactive approach
Optimized        Continuous improvement of the processes and procedures, proactive approach for future technology improvement

Modules

Four modules are defined for the maturity model. Each module focuses on a specific part of the PKI.

Module       Description
Governance   Consists of the leadership, overall structures and processes that enable the organization to use the PKI in a sustainable way. It also covers having a strategy and objectives and proper decision making.
Management   Translates the governance into actions that support the PKI, and manages the resources needed to maintain the required level of trust.
Operations   Includes the day-to-day, business-as-usual activities that lead to a secure and future-proof PKI in accordance with the organization's goals.
Resources    Ensures that the activities related to the PKI are performed with proper knowledge and experience and with enough capacity, and that the PKI provides complete and accurate information to relying parties.

Categories and weights

The following categories of the PKI maturity model are defined with the appropriate weight based on the applicability and importance:

Category                         Weight
Strategy and vision              5
Policies and documentation       4
Compliance                       2
Processes and procedures         3
Key Management                   4
Certificate Management           4
Interoperability                 2
Infrastructure Management        2
Change Management and Agility    3
Sourcing                         4
Knowledge and Training           3
Monitoring and Auditing          2
Automation                       2
Awareness                        3
Resilience                       4

For more information on categories, please refer to the Categories Maturity Evaluation.

The weights of the categories are used to calculate the overall maturity level of the PKI.

Modules and categories

Each module consists of the categories related to it:

Module       Categories
Governance   Strategy and vision; Policies and documentation; Compliance
Management   Processes and procedures; Key Management; Certificate Management; Infrastructure Management; Change Management and Agility; Resilience
Operations   Automation; Interoperability; Monitoring and Auditing
Resources    Sourcing; Knowledge and Training; Awareness

Overall maturity level

The maturity levels are described according to the nature of each PKI part. The overall maturity level is calculated as the weighted average of the maturity levels of the PKI categories, using the category weights defined above.
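A small calculator for this weighted average, added here as an illustration and not part of the PKI Consortium's model or tooling. The weights and module membership are taken from the tables above, the sample assessment is constructed, and the half-up rounding used to map a fractional score back to a named level is an assumption, since the model does not prescribe a rounding rule.

```python
# Category weights, from the "Categories and weights" table above.
WEIGHTS = {
    "Strategy and vision": 5, "Policies and documentation": 4, "Compliance": 2,
    "Processes and procedures": 3, "Key Management": 4, "Certificate Management": 4,
    "Interoperability": 2, "Infrastructure Management": 2,
    "Change Management and Agility": 3, "Sourcing": 4, "Knowledge and Training": 3,
    "Monitoring and Auditing": 2, "Automation": 2, "Awareness": 3, "Resilience": 4,
}
# Module membership, from the "Modules and categories" table above.
MODULES = {
    "Governance": ("Strategy and vision", "Policies and documentation", "Compliance"),
    "Management": ("Processes and procedures", "Key Management", "Certificate Management",
                   "Infrastructure Management", "Change Management and Agility", "Resilience"),
    "Operations": ("Automation", "Interoperability", "Monitoring and Auditing"),
    "Resources": ("Sourcing", "Knowledge and Training", "Awareness"),
}
LEVEL_NAMES = {1: "Initial", 2: "Basic", 3: "Advanced", 4: "Managed", 5: "Optimized"}

def weighted_level(assessed, categories=WEIGHTS):
    """Weighted average of assessed levels (1..5) over the given categories.
    A missing or out-of-range category raises instead of being skipped: silently
    dropping a category would bias the score (typically upwards)."""
    num = den = 0
    for cat in categories:
        if cat not in assessed:
            raise KeyError(f"category not assessed: {cat}")
        if assessed[cat] not in LEVEL_NAMES:
            raise ValueError(f"{cat}: level must be 1..5, got {assessed[cat]!r}")
        num += WEIGHTS[cat] * assessed[cat]
        den += WEIGHTS[cat]
    return num / den

def level_name(score):
    """Nearest named level. Rounding half up is an assumption (not in the model)."""
    return LEVEL_NAMES[max(1, min(5, int(score + 0.5)))]

def module_report(assessed):
    """Per-module weighted scores, so the weakest module stands out."""
    return {mod: weighted_level(assessed, cats) for mod, cats in MODULES.items()}

# Constructed sample assessment (not real data) used for the checks.
SAMPLE = {
    "Strategy and vision": 3, "Policies and documentation": 2, "Compliance": 2,
    "Processes and procedures": 3, "Key Management": 4, "Certificate Management": 3,
    "Interoperability": 2, "Infrastructure Management": 3,
    "Change Management and Agility": 2, "Sourcing": 3, "Knowledge and Training": 2,
    "Monitoring and Auditing": 2, "Automation": 1, "Awareness": 2, "Resilience": 3,
}
```

With the sample values the overall score is about 2.60 (Advanced) while Operations scores about 1.67 (Basic), which is the kind of gap the per-module view is meant to surface.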

The following overall maturity levels are defined for the PKI Maturity Model:

1 – Initial
  Indicators:
    • PKI is managed ad hoc and reactively
    • There are minimal processes and procedures, which are typically not followed
    • There is no approach to addressing certificate-related issues
    • PKI does not take into account any industry standards or regulations
    • Insufficient resources and knowledge
  Associated risks:
    • High probability of compromise
    • High probability of operational issues
    • No trust

2 – Basic
  Indicators:
    • PKI is managed ad hoc, often reactively
    • There are defined processes and procedures which are followed
    • PKI is not managed according to industry standards and regulations
    • Insufficient knowledge
  Associated risks:
    • High probability of operational issues
    • Medium probability of compromise
    • No trust

3 – Advanced
  Indicators:
    • Certificate services are not consistent
    • Procedures are defined and followed
    • CP and CPS partially exist
    • Partially available resources and knowledge
  Associated risks:
    • Medium probability of operational issues
    • Low probability of compromise

4 – Managed
  Indicators:
    • PKI is consistently managed
    • Well-defined CP and CPS for the provided services
    • Skilled resources are available
    • Documented processes and procedures to manage certificates and related keys
    • Inconsistent approach to certificate-related activities
  Associated risks:
    • Low probability of operational issues
    • Low probability of compromise and losing trust

5 – Optimized
  Indicators:
    • Well-defined CP and CPS
    • Effective procedures for certificate management exist
    • Resources with knowledge and experience are available
    • Consistent PKI aligned with current practice and regulation
    • Future proof
  Associated risks:
    • Minimal probability of operational issues
    • Minimal probability of compromise and losing trust