
TTP.NL Scheme for management system certification of Trust Service Providers issuing Qualified Certificates for Electronic Signatures, Public Key Certificates, Website Certificates and / or Time-stamp tokens

October 2014
TTP.NL Scheme - version 10

PURPOSE

This document provides the criteria and procedures for auditing and certification of management systems operated by Trust Service Providers issuing qualified certificates for electronic signatures, public key certificates, and/or time-stamp tokens.

The TTP.NL Scheme may only be used by management system Certification Bodies that have concluded a usage agreement with Scheme owner.

Copyright Scheme owner 2015

CONTENTS

1 INTRODUCTION
BACKGROUND OF THE SCHEME
  Certification and accreditation
  Trust Service Providers issuing qualified certificates
  Trust Service Providers issuing public key certificates
  Service Providers issuing time-stamp tokens
ACHIEVING MANAGEMENT SYSTEM CERTIFICATION IN ACCORDANCE WITH THE SCHEME
REQUIREMENTS FOR TRUST SERVICE PROVIDERS
  Trust Service Providers General Requirements
  Trust Service Providers issuing Qualified Certificates
  Trust Service Providers issuing Public Key Certificates
  Trust Service Providers issuing Time-stamp tokens
  Trust Service Providers delivering component services
  Partial certification
REQUIREMENTS FOR MANAGEMENT SYSTEM CERTIFICATION BODIES
  Agreement with the Scheme owner
  Accreditation
  Competence of management and personnel
  Personnel involved in the certification activities
  Use of individual external auditors and external technical experts
MANAGEMENT SYSTEM CERTIFICATION OF TRUST SERVICE PROVIDERS
  Level of assurance
  Definitions
  Request for management system certification
  Audit time
  Multiple sites
  Access to records
  Review of documentation
  Implementation audit
  Corrective action
  Certification decision
  Management system certificate
  Certification of Trust Service Providers delivering component services
  Surveillance
  Recertification
  Suspending, withdrawing or reducing scope of certification
  Appeals against Certification Body decisions
  Complaints against the Certification Body
  Complaint and disputes handling by the Trust Service Provider

  6.19 Applying new versions of the ETSI standards
  Transition from version 8 to version 9.2 of the scheme
SCHEME MANAGEMENT
REGISTER OF CERTIFIED TRUST SERVICE PROVIDERS
REFERENCES

AUTHOR(S) | DATE | VERSION | DETERMINED | PUBLICATION
MARK HOEVERS, PATRICK PALING AND RENÉ VAN DEN ASSEM | DECEMBER 2013
MARK HOEVERS | DECEMBER 2013
MARK HOEVERS | JANUARY 2014
ANDRÉ VAN HECKE | JANUARY 2014
MARK HOEVERS | JANUARY
PA PKIOVERHEID | JULY 2014
MARK HOEVERS | AUGUST 2014
MARK HOEVERS AND RENÉ VAN DEN ASSEM | SEPTEMBER 2014
MARK HOEVERS | OCTOBER

1 INTRODUCTION

Internet has led to the widespread deployment of e-business and e-government. However, the technological infrastructure that supports e-business and e-government is liable to a number of risks since the Internet is an open computer network that is susceptible to fraud and misuse. Important threats are e.g. system penetration, violation of authorization, monitoring of and tampering with communications, repudiation, and denial of service.

Consumers, citizens, companies and governmental institutions will trust the use of e-commerce as they perceive e-business and e-government to be secure. Therefore legal and technological safeguards have to be put in place to prevent threats to e-commerce. An important legal safeguard is the Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. Directive 1999/93/EC provides a legal framework for the use of electronic signatures thus reducing security threats.

Electronic signatures make use of public key cryptography. A public key cryptosystem uses a pair of related keys, one key for encryption and the other key for decryption. One key, the private key, is kept secret. The other key, the public key, can be made publicly known. However, it is critical that the public key user knows for certain that the public key used is the correct public key of the other party he/she is communicating with (digital signatures can be forged if intruders can substitute non-authentic public keys).

A Trust Service Provider, also called Certification Authority (CA), certifies that a particular public key corresponds to a particular private key by issuing a digital (public key) certificate. Such electronic certificates establish the identity of a person, company or server on the Internet. Electronic certificates make secure communication on the Internet possible. Data encrypted by a key with an electronic certificate can be decrypted with the corresponding private key. Data signed with a private key can be verified with the corresponding public key to which an electronic certificate is attached.

The Trust Service Provider is the Trusted Third Party in a public-key cryptography system. Therefore Trust Service Providers need to be independent, neutral, reliable, and acceptable to all communicating parties. These parties comprise:

Subject: entity identified in a certificate as the holder of the private key associated with the public key given in the certificate;
Subscriber: entity subscribing with the Trust Service Provider on behalf of one or more subjects (the subject may be a subscriber acting on his own behalf);
Relying party: recipient of a certificate who acts in reliance on that certificate and/or digital signatures verified using that certificate.

The service of issuing electronic certificates is broken down in the present document into the following component services for the purposes of classifying requirements:

Registration service: verifies the identity and, if applicable, any specific attributes of a subject. The results of this service are passed to the certificate generation service.
Certificate generation service: creates and signs certificates based on the identity and other attributes verified by the registration service.
Dissemination service: disseminates certificates to subjects, and if the subject consents, makes them available to relying parties. This service also makes available to subscribers and relying parties the Service Provider's terms and conditions, and any published policy and practice information.
Revocation management service: processes requests and reports relating to revocation to determine the necessary action to be taken. The results of this service are distributed through the revocation status service.
Revocation status service: provides certificate revocation status information to relying parties. This may be based upon certificate revocation lists or a real time service which provides status information on an individual basis. The status information may be updated on a regular basis and hence may not reflect the current status of the certificate.

and optionally:

Subject device provision service: prepares and provides a signature-creation device to subjects.

Directive 1999/93/EC states that electronic signatures based on qualified certificates will have the same legal validity as hand-written signatures and will be admissible as evidence in legal proceedings. Annex II of Directive 1999/93/EC defines the requirements Service Providers must meet when issuing qualified certificates. These requirements are formulated in an abstract manner and are not suitable for auditing and certification of a Service Provider.

The European Commission mandated the European standardization bodies CEN, CENELEC and ETSI to develop standards for products and services in the area of electronic signatures. This work resulted in standards for qualified certificates as meant in the Directive, but also in additional standards e.g. for public key certificates and time-stamp tokens.

To assess the reliability and competence of Trusted Third Parties issuing certificates for electronic signatures, the TTP.NL Scheme for Certification of Certification Authorities was initially published in December The Scheme covered management system auditing and certification of Trust Service Providers issuing qualified certificates for electronic signatures. Parties involved in the TTP.NL project commented on the Scheme, resulting in version 2 (July 2000). Since then the Scheme has been adapted to developments in European standardization and to market demands in the Netherlands, resulting in a version 3 (December 2000), version 4 (August 2001), version 5 (November 2002) and version 6 (March 2006). Version 7, issued in March 2008, was based on experiences with accreditation and certification in this field.
New requirements for management system Certification Bodies as published in ISO/IEC were reason for the Dutch Council for Accreditation, RvA, to introduce the notion of scheme owner. Requirements for scheme owners are specified in document RvA-R13 and the requirements for certification schemes developed and maintained by scheme owners are laid down in document RvA-T33. These developments made it necessary to update the TTP.NL Scheme and publish version 8.

At the same time, the Scheme has been extended. The current version covers auditing and certification of management systems of Trust Service Providers issuing qualified certificates, public key certificates, and/or time-stamp tokens. In addition, requirements for component services such as Registration, Certificate Generation, Dissemination, etc. have been specified in the annexes of version 8 allowing auditing and certification of management systems of Trust Service Providers delivering such services.

ETSI has started work on rationalizing the standards on Trust Services under standardization mandate M/460 (2009), and has extended the reach from Qualified Certificates, Public Key Certificates and Timestamp tokens to a broader set of Trust Services. At the same time, standards are progressing from ETSI Technical Specifications to ETSI European Standards (EN). In this move, the ETSI TS has been replaced by the ETSI EN For some applications ETSI TS has been replaced by ETSI EN (non qualified PKI-certificates, not being website certificates). For use with website certificates ETSI TS is still in use, but will be superseded by ETSI EN

The basis for version 9.2 of the TTP.NL scheme was:

Replacement of ETSI TS by ETSI EN ;
Changes in the structure of the scheme, specifically chapter 4, to reflect the change in the structure of the relevant ETSI standards;
Amongst other things, a section of general requirements was introduced for all classes of Trust Service Providers. General requirements such as Network and Certificate System Security Requirements (originating from the CA Browser Forum) and an information obligation have been added to this general requirement section.

Last summer references to the ETSI TS were replaced by references to ETSI EN Also references to the ETSI TS on time-stamp tokens have been replaced by references to ETSI EN These changes are now included in this scheme version 10.

General background on certification, accreditation, and Trust Service Provider typology is found in section 2. An overview of the steps to be taken by Trust Service Providers to achieve management system certification is given in section 3. The requirements for Trust Service Providers are specified in section 4. The requirements for Certification Bodies and the process for auditing and certification of Trust Service Providers are documented in sections 5 and 6. Sections 7 and 8 describe the management of the Scheme and the Register of certified Trust Service Providers, while section 9 lists the reference documents used for this Scheme.

2 BACKGROUND OF THE SCHEME

2.1 Certification and accreditation

Anyone buying a product or a service expects these products and services to meet certain requirements. However, a customer is not always able to judge the quality of the offered product or service. In those cases certification can provide a solution.

Certification is defined as those activities that an independent body uses to proclaim that there is justifiable trust that a certain specifically described subject meets certain requirements. In many cases these requirements have been written down in a standard, but they can also be part of statutory regulations, or they can be the requirements agreed upon by interested parties. Among the topics that are often certified today, are products, services, management systems (e.g. quality, safety, environment, and information security), processes, professional skills and education.

A well-known example of product certification is safety certification of electrical devices. After a device has been tested to determine whether it meets specific requirements, the Certification Body will give the manufacturer a certificate for electrical safety. The manufacturer is then allowed to put a quality mark on the device. This quality mark guarantees the customer that the product is safe.

Examples of the certification of management systems are quality systems in organizations, certified in accordance with international ISO 9000-standards. Customers can be sure that those companies use, produce or provide services in an appropriate way. The same is true for organizations that have received certification for their information security in accordance with ISO These companies have regulated the process of the handling, storing and transporting information in such a way that users of the services can be sure of the confidentiality, integrity and availability of the information.

The customary period of validity of a certificate for a management system is three years. There has to be at least one interim check per year during that period. After three years a recertification audit takes place, after which the certificate can be renewed for a new period of three years.

The business processes of Trust Service Providers are strongly based upon the use of computer systems, software and telecommunications. Applications for the provision of qualified certificates for electronic signatures, public key certificates, and time-stamps are received electronically and dealt with through computer screen and keyboard. The verification of data for the main part takes place with the help of external databases (personal registration, credit registration, Chamber of Commerce), the results of the service provision are sent to the customers electronically and are stored in databases that are accessible to the public (public keys).

The processes used for handling data and the management system used for information security have to be in accordance with applicable international standards. In this Scheme the standards that are applied to the processes and the security of the Trust Service Providers are documented in section 4. If processes and security have received certification, customers can put a justifiable trust in the service provision.

With certification, the problem of the reliability of the product, service, management system or process is transferred to the trustworthiness of the body giving out the certificate of conformity. Is the Certification Body independent, impartial, competent and objective? When certification takes place on the basis of a statutory regulation, things are clear: the responsible authority has appointed the body after an official investigation. Such authority provides the trust in the certification. Many certificates of conformity however, are not subject to statutory regulations; companies are free to have their products, services and management systems, information security processes etc. subjected to certification. In those cases it is advisable that there is clarity about the trustworthiness of the Certification Body.

Since 1980, accreditation organizations have been set up in various countries with the purpose of assessing the reliability of testing, inspection, and certification. By accrediting organizations that provide testing, inspection and certification, their independence, impartiality, competence and objectivity are guaranteed. The criteria for accreditation are specified in the ISO/IEC series of standards. The period of validity for accreditation is four years. Interim checks are held every year, after four years a complete re-assessment takes place.

Accreditation is an activity that in many countries is dealt with by the government or an organization in which the government is a major participant. Government, industrial partners and consumers are represented in governing of accreditation bodies. The Dutch accreditation body is the Raad voor Accreditatie (Dutch Council for Accreditation, RvA), located in Utrecht. The various European accreditation bodies are united in the EA (European co-operation for Accreditation). On the basis of treaties regulating the mutual recognition of one another's accreditations, the EA-members regularly use the mechanism of "peer evaluation" to test the reliability of the accreditation. On an international level Accreditation Bodies, Certification Bodies and large industrial enterprises meet in the International Accreditation Forum (IAF).

In this Scheme it is required that Certification Bodies certifying the processes, security and organizational reliability of Trust Service Providers obtain and hold a valid accreditation for such certification activities (see section 5).

2.2 Trust Service Providers issuing qualified certificates

Directive 1999/93/EC has two objectives: 1) to facilitate the use of electronic signatures and 2) to contribute to their legal recognition. The Directive distinguishes two types of electronic signatures, 'advanced electronic signatures' and 'electronic signatures'.

Advanced electronic signatures are based on a qualified certificate and are created by a secure signature creation device (Directive, article 5.1). A qualified certificate meets the requirements laid down in Annex I of the Directive and is issued by a Trust Service Provider that fulfills the requirements laid down in Annex II. Advanced electronic signatures are lawful and admissible as evidence in legal proceedings. Electronic signatures can be lawful and admissible as evidence in legal proceedings; the national court will determine the lawfulness of electronic signatures (Directive, article 5.2).

Trust Service Providers issuing qualified certificates enable companies for example to use an advanced electronic signature for a tax return. Trust Service Providers issuing qualified certificates enable citizens to use an advanced electronic signature to apply for a grant or a construction license. Consumers can use advanced electronic signatures to sign contracts online with companies supplying goods and services.

This Scheme describes the requirements for certification of the management system of Trust Service Providers issuing qualified certificates. Such certification is based on conformity with the ETSI EN Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Policy requirements for certification authorities issuing qualified certificates. For more details, refer to section 4 of this document.

2.3 Trust Service Providers issuing public key certificates

Electronic commerce is a way of doing business across public and private networks. An important requirement of electronic commerce is the ability to identify the originator and protect the confidentiality of electronic exchanges. This is commonly achieved by using cryptographic mechanisms which are supported by a Trust Service Provider issuing public key certificates.

For participants of electronic commerce to have confidence in the security of these cryptographic mechanisms they need to have confidence that the Trust Service Provider has properly established procedures and protective measures in order to minimize the operational and financial threats and risks associated with public key cryptographic systems. This has led to the use of public key certificates that provide mechanisms for secure authentication and encryption.

An authentication certificate can be a personal certificate or a service certificate. The first is for persons to provide identification on the Internet e.g. while using a banking application. It is in fact the digital equivalent of an identity card. The latter is used for identifying computer services / systems on the Internet before exchanging information. Encryption certificates can be used to protect the exchange of sensitive information over the Internet.

This Scheme describes the requirements for certification of the management system of ETSI EN Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 3: Policy requirements for certification authorities issuing public key certificates. For more details, refer to section 4 of this document.

2.4 Trust Service Providers issuing website certificates

Certificates issued to websites constitute a specific type of public key certificates. Additional requirements to this type of certificate are drafted by organizations such as the CA/Browser Forum. ETSI TS contains stipulations based on these requirements.

This Scheme describes the requirements for certification of the management system of Trust Service Providers issuing website certificates based on CA/Browser Forum Requirements. Such certification is based on conformity with the Technical Specification ETSI TS Policy requirements for certification authorities issuing public key certificates and the standards referenced in the requirement clauses of ETSI TS For more details, refer to section 4 of this document.

2.5 Service Providers issuing time-stamp tokens

In creating reliable digital evidence it is necessary to have an agreed method of associating transactions and documents with time so that transactions and documents can be compared later to establish in which sequence they appeared. An example is the verification of an electronic signature, where it may be necessary to prove that the digital signature from the signer was applied to an electronic document at a time when the signer's certificate was indeed valid. This can be done by using a time-stamp which allows proving that certain information existed before a particular time.

Time-stamps are created by binding time information to the hash of the electronic document and signing this bound data with the electronic signature of the Service Provider. The resulting time-stamp token is defined as a data object that binds a representation (i.e. a hash) of a datum (i.e. a piece of information, a document, a transaction) to a particular time, thus establishing evidence that the datum existed before that time.

This Scheme describes the requirements for certification of the management system of Service Providers issuing time-stamp tokens. Such certification is based on conformity with the Technical Specification ETSI TS Policy requirements for time-stamping authorities and the standards referenced in the requirement clauses of ETSI TS For more details, refer to section 4 of this document.
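The binding described in section 2.5, and the certificate-validity check it gives as an example, sketched in Python as an added example (not part of the Scheme or of any ETSI standard). HMAC-SHA256 with a constructed demo key stands in for the Service Provider's electronic signature, and the token layout, function names, sample dates and the revocation time are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key (assumption). A real Service Provider signs the bound
# data with its private key and relying parties verify with the public key;
# HMAC-SHA256 stands in for that signature so only the standard library is used.
TSA_DEMO_KEY = b"constructed-demo-key"


def utc(year, month, day, hour=0):
    """Helper for timezone-aware sample dates."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def _encode(bound):
    """Deterministic byte encoding of the bound data, so the tag is reproducible."""
    return json.dumps(bound, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue_token(datum, gen_time, key=TSA_DEMO_KEY):
    """Bind the SHA-256 hash of `datum` to `gen_time` and authenticate the pair."""
    bound = {
        "hash_alg": "sha256",
        "digest": hashlib.sha256(datum).hexdigest(),
        "gen_time": gen_time.astimezone(timezone.utc).isoformat(),
    }
    tag = hmac.new(key, _encode(bound), hashlib.sha256).hexdigest()
    return {"bound": bound, "tag": tag}


def verify_token(token, datum, key=TSA_DEMO_KEY):
    """Return the attested time if the token is authentic and covers `datum`, else None."""
    try:
        bound, tag = token["bound"], token["tag"]
        expected = hmac.new(key, _encode(bound), hashlib.sha256).hexdigest()
        # Check the provider's tag first: nothing in `bound` is trusted before this.
        if not isinstance(tag, str) or not hmac.compare_digest(expected, tag):
            return None
        if bound["hash_alg"] != "sha256":
            return None
        actual = hashlib.sha256(datum).hexdigest()
        if not hmac.compare_digest(bound["digest"], actual):
            return None
        return datetime.fromisoformat(bound["gen_time"])
    except (KeyError, TypeError, ValueError):
        return None


def check_signature_time(token, signature_value, not_before, not_after, revoked_at=None):
    """Decide whether a time-stamped signature existed while the signer's
    certificate was valid. The token only proves the signature existed before
    the attested time, so that time must fall inside the validity period and
    before any revocation (`revoked_at` is an assumed input)."""
    attested = verify_token(token, signature_value)
    if attested is None:
        return "token-invalid"
    if attested < not_before:
        return "before-validity"
    if attested > not_after:
        return "after-expiry"
    if revoked_at is not None and attested >= revoked_at:
        return "after-revocation"
    return "valid-at-signing"


# Constructed sample data: a signature value and the signer's certificate dates.
SIGNATURE_VALUE = b"constructed signature bytes over contract.pdf"
NOT_BEFORE = utc(2014, 1, 1)
NOT_AFTER = utc(2016, 1, 1)
REVOKED_AT = utc(2015, 3, 1)

if __name__ == "__main__":
    early = issue_token(SIGNATURE_VALUE, utc(2014, 10, 1, 12))
    late = issue_token(SIGNATURE_VALUE, utc(2015, 6, 1))
    for name, tok in (("early", early), ("late", late)):
        result = check_signature_time(tok, SIGNATURE_VALUE, NOT_BEFORE, NOT_AFTER, REVOKED_AT)
        print(name, tok["bound"]["gen_time"], result)
```
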

3 ACHIEVING MANAGEMENT SYSTEM CERTIFICATION IN ACCORDANCE WITH THE SCHEME

Achieving management system certification is a step-by-step process. Trust Service Providers that submit an application for certification of their management system have to fulfill the requirements of one or more of the relevant ETSI standards. The Trust Service Provider should take the following steps:

Step 1:
Formulate the Qualified Certificate Policy, Public Key Certificate Policy and/or Time-Stamping Policy as applicable;
Formulate the Certification Practice Statement that describes the issuance of electronic certificates and/or the Time-Stamping Practice Statement for issuing time-stamp tokens.
(Note: the Policies, CPS and/or TPS will usually undergo many changes during the development of practices and the experiences of risk evaluations and internal / external audits.)

Step 2:
Formulate detailed internal procedures for issuing electronic certificates and/or time-stamp tokens in accordance with the requirements of the applicable ETSI standard(s);
Draw up the management system documentation for the processes, implement the management system within the organization in accordance with the Plan-Do-Check-Act methodology (refer to ISO 9001) and verify its operation by conducting internal audits and management reviews against the applicable requirements of the ETSI standard(s).

Step 3:
Conduct an information security risk evaluation on the organization and operations, and document its results;
Based on the outcome of the risk evaluation, draw up a security policy and specify the controls that have to be implemented. These controls must include the deployment of the relevant products that have been tested, evaluated and certified in relation to their security aspects.
Draw up the management system documentation for information security, implement the management system within the organization in accordance with the Plan-Do-Check-Act methodology (refer to ISO/IEC 27001) and verify its operation by conducting internal audits and management reviews against the applicable requirements of the ETSI standard(s).

Step 4:
Have an IT Audit conducted on the ICT systems used for the issuing of qualified certificates, public key certificates, and/or time-stamp tokens to ensure that these are Trustworthy systems as required by the ETSI standard(s).

Step 5:
Apply for a management system certificate from an accredited Certification Body;
The Certification Body conducts an audit of the documentation and implementation of the management system against the applicable ETSI standard(s) for issuing qualified certificates, public key certificates, and/or time-stamp tokens.

The requirements for Trust Service Providers are described in section 4. The requirements for Certification Bodies and the certification process are described in sections 5 and 6.

4 REQUIREMENTS FOR TRUST SERVICE PROVIDERS

4.1 Trust Service Providers General Requirements

Trust Service Providers that wish certification either for issuing qualified certificates, public key certificates, website certificates or time stamp tokens must comply with the following:

a) The requirements of the CA Browser Forum document Network and Certificate Management System Security Requirements.

b) TSPs must keep themselves informed on a continuous basis of the latest developments in relevant threats in their specific field.

c) TSPs must inform their Certification Body of security breaches that have occurred and that could potentially compromise or have already compromised one or more of the CA component services as described in chapter 1. Furthermore, TSPs must inform their Certification Body of any other developments that could harm the trust in their services or organization.

d) Continue to fulfill the requirements for management system certification during the term of validity of the management system certificate. Any change in organization, management, activities and/or management system during the validity of the certificate must be reported to the Certification Body without delay.

4.2 Trust Service Providers issuing Qualified Certificates

Trust Service Providers that wish certification of their management system for issuing Qualified Certificates must comply with the following:

a) The requirements of ETSI EN Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Policy requirements for certification authorities issuing qualified certificates.

b) The legal requirements for Trust Service Providers issuing qualified certificates and being established in the Netherlands, especially the requirements in Besluit van 8 mei 2003, houdende de vaststelling van eisen voor het verlenen van diensten voor elektronische handtekeningen (Besluit elektronische handtekeningen).

c) Be in possession for the relevant services of documented evidence concerning the use of Trustworthy Systems. An example of documented evidence is an IT Audit statement for conformity of the ICT systems for issuing qualified certificates with the requirements of CWA Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1: System Security Requirements, issued in accordance with the guidance documented in CWA EESSI Conformity Assessment Guidance - Part 3: Trustworthy systems managing certificates for electronic signatures. Other kinds of documented evidence are possible; refer to ETSI EN , clause (Note: TTP.NL uses the term "IT Audit" while CWA uses "EDP Audit". These terms are fully equivalent.)

d) In case the Trust Service Provider issues secure signature-creation devices (SSCDs), the SSCDs must be certified against the Protection Profile specified in CWA Secure signature-creation devices EAL4+ or equivalent criteria.

e) Conduct periodic, at least annual, internal audits and management review of the management system against the requirements of ETSI EN In case the organization comprises a large number of sites where Registration Services are performed such that performing internal audits at all sites within one year becomes demonstrably impossible, the Trust Service Provider shall ensure performing annually internal audits at one third of the number of sites at least.

13 f) Ensure that external organizations (subcontractors) supporting the services of issuing qualified certificates meet the applicable requirements of ETSI EN (see also section 4.6). g) Present on demand of the Certification Body documentation regarding the legal status of the Trust Service Provider, the Certificate Policy or Policies, the Certification Practice Statement, agreements with subcontractors if applicable, documentation of the management system for the processes and for information security, a cross-reference list in the order of the requirements of ETSI EN , indicating for each requirement the detailed reference (by title and/or number of the document, chapter, and section) of the place in the Trust Service Provider s documentation where this requirement is responded to, and reports of internal audits and management system reviews. 4.3 Trust Service Providers issuing Public Key Certificates Trust Service Providers that wish certification of their management system for issuing Public Key Certificates must comply with the following: a) The requirements of ETSI EN Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 3: Policy requirements for certification authorities issuing public key certificates.. b) For NCP/NCP+ certificate policies, be in possession of documented evidence concerning the use of Trustworthy Systems, e.g. an IT Audit statement for conformity of the ICT systems for issuing public key certificates with the requirements of CWA Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1: System Security Requirements, issued in accordance with the guidance documented in CWA EESSI Conformity Assessment Guidance - Part 3: Trustworthy systems managing certificates for electronic signatures. 
c) For LCP certificate policy, be in possession of evidence that Trustworthy Systems are used for issuing public key certificates.
d) Conduct periodic, at least annual, internal audits and management review of the management system against the requirements of ETSI EN In case the organization comprises a large number of sites where Registration Services are performed such that performing internal audits at all sites within one year becomes demonstrably impossible, the Trust Service Provider shall ensure performing annually internal audits at one third of the number of sites at least.
e) Ensure that external organizations (subcontractors) supporting the services of issuing public key certificates meet the applicable requirements of ETSI EN (see also section 4.6).
f) Present on demand of the Certification Body documentation regarding the legal status of the Trust Service Provider, the Certificate Policy or Policies, the Certification Practice Statement, agreements with subcontractors if applicable, documentation of the management system for the processes and for information security, a cross-reference list in the order of the requirements of ETSI EN indicating for each requirement the detailed reference (by title and/or number of the document, chapter, and section) of the place in the Trust Service Provider's documentation where this requirement is responded to, and reports of internal audits and management system reviews.

4.4 Trust Service Providers issuing Website Certificates

Trust Service Providers that wish certification of their management system for issuing Website Certificates must comply with the following:
a) The requirements of ETSI TS Policy requirements for certification authorities issuing public key certificates.
b) For NCP/NCP+ certificate policies, be in possession of documented evidence concerning the use of Trustworthy Systems, e.g. an IT Audit statement for conformity of the ICT systems for issuing public key certificates with the requirements of CWA Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1: System Security Requirements, issued in accordance with the guidance documented in CWA EESSI Conformity Assessment Guidance - Part 3: Trustworthy systems managing certificates for electronic signatures.
c) For LCP certificate policy, be in possession of evidence that Trustworthy Systems are used for issuing public key certificates.
d) Conduct periodic, at least annual, internal audits and management review of the management system against the requirements of ETSI TS In case the organization comprises a large number of sites where Registration Services are performed such that performing internal audits at all sites within one year becomes demonstrably impossible, the Trust Service Provider shall ensure performing annually internal audits at one third of the number of sites at least.
e) Ensure that external organizations (subcontractors) supporting the services of issuing public key certificates meet the applicable requirements of ETSI TS (see also section 4.6).
f) Present on demand of the Certification Body documentation regarding the legal status of the Trust Service Provider, the Certificate Policy or Policies, the Certification Practice Statement, agreements with subcontractors if applicable, documentation of the management system for the processes and for information security, a cross-reference list in the order of the requirements of ETSI TS indicating for each requirement the detailed reference (by title and/or number of the document, chapter, and section) of the place in the Trust Service Provider's documentation where this requirement is responded to, and reports of internal audits and management system reviews.
4.5 Trust Service Providers issuing Time-stamp tokens

Trust Service Providers that wish certification of their management system for issuing Time-stamp tokens must comply with the following:
a) The requirements of ETSI TS Policy requirements for time-stamping authorities.
b) Be in possession of documented evidence that Trustworthy Systems are used for issuing time-stamp tokens.
c) Conduct periodic, at least annual, internal audits and management review of the management system against the requirements of ETSI TS
d) Ensure that external organizations (subcontractors) supporting the services of issuing time-stamp tokens meet the applicable requirements of ETSI TS
e) Present on demand of the Certification Body documentation regarding the legal status of the Trust Service Provider, the TSA Practice Statement and the TSA disclosure Statement, agreements with subcontractors if applicable, documentation of the management system for the processes and for information security, a cross-reference list in the order of the requirements of ETSI TS indicating for each requirement the detailed reference (by title and/or number of the document, chapter, and section) of the place in the Trust Service Provider's documentation where this requirement is responded to, and reports of internal audits and management system reviews.

4.6 Trust Service Providers delivering component services

In ETSI EN , ETSI EN and ETSI TS the services of issuing certificates are broken down in the following component services:
- Registration service
- Certificate generation service
- Dissemination service
- Subject device provision service
- Revocation management service
- Revocation status service

Some Trust Service Providers deliver one or more (parts of) component services to Trust Service Providers who issue qualified and/or public key certificates. Certification Bodies may apply the requirements of the TTP.NL Scheme to perform management system audit and certification of Trust Service Providers delivering component services. Trust Service Providers delivering component services must fulfill as applicable the requirements for Trustworthy Systems, SSCDs, internal audit and management review, external organizations (subcontractors), documentation, and continued compliance with the certification requirements as specified in sections 4.2 and 4.3 above.

Certification Bodies performing audit and certification of Trust Service Providers issuing qualified and/or public key certificates should avoid duplication of audits by accepting that these Trust Service Providers make use of services delivered by Trust Service Providers whose management systems are certified for the subcontracted component services.

4.7 Partial certification

Trust Service Providers are allowed to subcontract certification activities to third parties. Obviously the subcontracting Trust Service Provider has the final responsibility for the outsourced activities and for ensuring that the subcontracting is legally sound. The outsourcing agreement will state which activities will be carried out by the subcontractor and how the quality of the activities is managed and documented.

When certification activities are outsourced there are two possibilities.
1. All certification activities, including those of the subcontractor, are stated on the certificate of the responsible Trust Service Provider;
2. Parties work with partial certificates. A partial certificate states the activities that are carried out by the subcontractor on behalf of one or more Trust Service Providers.
The first condition is that an annex to the partial certificate declares which organization is responsible for which requirement of the standard. The second condition is that the division of responsibilities in the agreement corresponds to the annex to the certificate.

5 REQUIREMENTS FOR MANAGEMENT SYSTEM CERTIFICATION BODIES

5.1 Agreement with the Scheme owner

Certification Bodies that want to apply this Scheme must conclude an agreement with its owner. The Scheme may not be used by bodies not having an agreement with the Scheme owner. The use of the Scheme is not exclusive: in principle, any management system Certification Body can conclude an agreement with the Scheme owner.

The Scheme usage agreement between the Scheme owner and the Certification Body shall stipulate for which type of Trust Service Providers the Scheme can be used: Trust Service Providers issuing Qualified Certificates, Trust Service Providers issuing Public Key Certificates, Trust Service Providers issuing Timestamp tokens, and/or Trust Service Providers delivering component services.

The Scheme usage agreement between the Scheme owner and the Certification Body shall stipulate that the provisions of this Scheme shall be used by the management system Certification Body in full, i.e. no more, no less.

5.2 Accreditation

The Scheme usage agreement between the Scheme owner and the Certification Body stipulates that the Certification Body must seek accreditation against ISO/IEC with the national Accreditation Body for management system certification activities against the requirements of this Scheme. The agreement will automatically expire after two years if accreditation is not obtained.

In case the accreditation of the Certification Body is suspended or withdrawn by the Accreditation Body, the right to use the Scheme terminates automatically on the day the decision to suspend or withdraw is made known by the Accreditation Body.
In this chapter additional requirements and normative references are stated for specific areas of the ISO/IEC

Competence of management and personnel

The group or individual that takes the decision on granting, maintaining, renewing, extending, reducing, suspending or withdrawing management system certification shall have appropriate knowledge of the applicable ETSI standards and certification requirements, and shall have demonstrated competence to evaluate the audit processes and related recommendations of the audit team.

The requirements from ISO/IEC 17021:2011, Clause 7.1 apply. In addition, the following ETSI-specific requirements and guidance apply.

General considerations

The essential elements of competence required to perform ETSI certification are to select, provide and manage those individuals whose skills and collective competence are appropriate to the activities to be audited and the related applicable ETSI standards.

Competence analysis and contract review

The certification body shall ensure that it has knowledge of the technological and legal developments relevant to the applicable ETSI standards and certification of the client organization, which it assesses. The certification body shall have an effective system for the analysis of the competencies in ETSI management which it needs to have available, with respect to all the technical areas in which it operates.

For each client, the certification body shall be able to demonstrate that it has performed a competence analysis (assessment of skills in response to evaluated needs) of the requirements of each relevant sector prior to undertaking the contract review. The certification body shall then review the contract with the client organization, based on the results of this competence analysis. In particular, the certification body shall be able to demonstrate that it has the competence to complete the following activities:
a) understand the areas of activity of the client organization and the associated business risks;
b) define the competencies needed in the certification body to certify in relation to the identified activities;
c) confirm the availability of the required competencies.

Resources

The management of the certification body shall have the necessary processes and resources to enable it to determine whether or not individual auditors are competent for the tasks they are required to perform within the scope of certification in which they are operating. The competence of auditors may be established by verified background experience and specific training or briefing.

The certification body shall be able to communicate effectively with all those clients it provides services to.

Determination of competence criteria

Additional information on knowledge and skills is provided in paragraph 6 of ETSI TS to support the competence criteria of ISO/IEC

Personnel involved in the certification activities

The requirements from ISO/IEC 17021:2011, Clause 7.2 apply.
In addition, the following ETSI-specific requirements and guidance apply.

Competence of certification body personnel

Certification bodies shall have personnel competent to
a) select and verify the competence of ETSI auditors for audit teams appropriate for the audit;
b) brief ETSI auditors and arrange any necessary training;
c) decide on the granting, maintaining, withdrawing, suspending, extending, or reducing of certifications;
d) set up and operate an appeals and complaints process.

Pre-requisite levels of education, work experience, auditor training and audit experience for auditors conducting ETSI audits

The criteria that shall be applied for each auditor in the ETSI audit team are detailed in paragraph 6.2 of ETSI TS

Use of individual external auditors and external technical experts

The requirements from ISO/IEC 17021:2011, Clause 7.3 apply. In addition, the following ETSI-specific requirements and guidance apply.

Guidance on the use of technical experts

In order to ensure that the audit team has at its disposal all the necessary expertise, Technical Experts may be used, as long as this is in compliance with the guidance provided in paragraph 6.3 of ETSI TS

6 MANAGEMENT SYSTEM CERTIFICATION OF TRUST SERVICE PROVIDERS

6.1 Level of assurance

The management system certificate should give customers of the Trust Service Provider and parties relying upon the issued qualified certificates, public key certificates, and/or time-stamp tokens justified confidence that the Trust Service Provider complies with the requirements stated in section

Definitions

Minor nonconformity: a single identified lapse or minor omission, which would not in itself lead to the organization's management system failing to achieve its intended output.

Major nonconformity: a breakdown or failure to fulfil one or more requirements of the management system standard to effectively control the processes for which it was intended, or a situation where nonconforming product or service would be delivered, or a situation that raises significant doubt about the ability of the organization's management system to achieve its intended outputs.

6.3 Request for management system certification

Trust Service Providers complying with the requirements set out in section 4 can apply for management system certification at a Certification Body of their choice. The Certification Body shall process the application in accordance with their ISO/IEC compliant procedures. Upon agreeing the conditions, the Certification Body and the Trust Service Provider shall conclude an agreement for the provision of the management system certification activities.

6.4 Audit time

The Certification Body shall allow auditors sufficient time to undertake all activities relating to an initial audit, surveillance audit or recertification audit. The time allocated should be based on factors such as:
a) The size of the Trust Service Provider's organization (e.g. number of employees, number of information systems used);
b) Complexity of the information and communication systems infrastructure (e.g. criticality of information systems, risk situation);
c) The component services performed;
d) Extent and diversity of technology utilized in the implementation of the various components of the trust services (such as the implemented controls, documentation and/or process control, corrective/preventive action, etc);
e) Number of sites where the services are provided;
f) In case of surveillance and recertification audits, the previously demonstrated performance of the Trust Service Provider;
g) Extent of outsourcing and third party arrangements used within the scope of the services;
h) The applicable ETSI standard(s) and legal requirements.

The audit of the Service Provider's management system would usually be performed by a team of two or three auditors possessing knowledge and experience in the areas of PKI processes, Information Security, and Service Provider management.

In general, the initial audit of a Service Provider whose organization performs all service components for issuing qualified or public key certificates would require an effort of 10 to 15 person-days. To this should be added 1 person-day for application handling, a maximum of 2 person-days for audit reporting (stage 1 audit report, and stage 2 audit report), and 2 person-days for review of audit reports, certification decision, and administrative follow-up. The total number of person-days required for the initial certification of a full scope CSP (all component services are in scope) would usually be in the order of 15 to 20 person days. Deviations from this guidance should be properly justified and recorded based on acceptable factors that may increase or reduce assessment duration (see above). An annual surveillance audit would take 5 to 7 person days including assessment preparation, and reporting.

The Certification Body should consider carefully the requirements for audit and certification of small Trust Service Provider organizations performing only one or a few service components that would require less effort than indicated above. This is equally valid for organizations of Trust Service Providers with a complex structure that could require visiting many locations with associated travel and extra reporting time.

The Certification Body should document the reasons for the number of person-days in its proposals to Trust Service Providers and should be able to present such information on request to the Accreditation Body.

6.5 Multiple sites

Trust Service Providers issuing qualified certificates and/or public key certificates often provide customer registration services at multiple sites.
The Certification Body may use a sample-based approach in auditing the multiple sites, provided that the following requirements are fulfilled by the Trust Service Provider:
- All sites of the Trust Service Provider are operating under the same management system that is centrally administered, internally audited, and subject to central management review;
- Before the initial certification audit, all sites have undergone internal auditing in accordance with the Trust Service Provider's internal auditing procedures;
- In the case of a nonconformity being observed either at the head office or at a single site, the Trust Service Provider's corrective action procedure shall apply to the head office and all sites of the organization.

The Certification Body shall use the following method of sampling sites for auditing:

A representative number of sites will be sampled, taking into account the following:
- The results of Trust Service Provider's internal audits of head office and the sites;
- The results of Trust Service Provider's management review;
- Variations in the size of the sites;
- Variations in the business purpose of the sites;
- Complexity of the Trust Service Provider's management system;
- Complexity of the information systems at the different sites;
- Variations in working practices;
- Variations in activities undertaken;
- Potential interaction with critical information systems or information systems that process sensitive information;
- Any differing legal requirements (e.g. in different countries).

The sample shall be partly selective based on the above. At least 25% of the sample shall be selected at random. Every site of the Trust Service Provider that is subject to significant threats to assets, vulnerabilities or impacts shall be included in the sampling program.

The sample size for the initial certification audit shall be the square root of the number of sites (y = √x), rounded to the upper whole number. The central office shall be audited in addition.

The audit team shall ensure during the audit that indeed a single management system applies to all sites and that the Trust Service Provider's head office delivers central operational management to all sites.

6.6 Access to records

Before the certification audit, the Certification Body shall ask the Trust Service Provider to report if any records cannot be made available for review by the audit team because they contain confidential or sensitive information. The Certification Body shall determine whether the management system can be adequately audited in the absence of these records. If the Certification Body concludes that it is not possible to adequately audit the management system without reviewing the identified confidential or sensitive records, it shall advise the Trust Service Provider that the certification audit cannot take place until appropriate access arrangements are granted.

6.7 Review of documentation

The Trust Service Provider shall make the relevant documentation (refer to section 4) available to the Certification Body for review by the audit team against the requirements of the relevant ETSI standard(s). The observations are documented in a report that is presented to the Trust Service Provider. The review of documentation can be followed immediately by the implementation audit in case the audit team did not reveal any major nonconformity in the documentation. If major nonconformities have been found, the Certification Body shall require that the Trust Service Provider takes corrective action before the start of the implementation audit.

6.8 Implementation audit

The audit team shall perform the implementation audit in accordance with the relevant guidance provided in ISO The audit shall take place against the applicable criteria specified in section 4. The audit team shall also verify possible corrective action by the Trust Service Provider of nonconformities in the documentation.
The Certification Body shall report on the audit in conformity with the ISO section In addition to the ISO 17021, adequate reporting shall include:
1. The CSP areas and processes assessed, and the underlying control objectives;
- Audit findings, at least per area and process assessed:
  - positive findings
  - non-conformities
  - suggestions for improvement
2. A high-level description of the evidence observed during the audit, for each area and process assessed
3. A more detailed description of the evidence for non-conformities.

6.9 Corrective action

The Certification Body shall require the Trust Service Provider to eliminate detected nonconformities within a defined time and to submit corrective action reports describing the following:
- An analysis of the root-cause and the extent of any nonconformity;
- Actions focused on removing the root-cause;
- Recall and correction of nonconforming products or services that were provided.

The Certification Body shall inform the Trust Service Provider if an additional full audit, an additional limited audit, or documented evidence (to be confirmed during future surveillance audits) will be needed to verify effective correction and corrective actions.

ETSI TS 101 456 V1.4.3 (2007-05)

ETSI TS 101 456 V1.4.3 (2007-05) TS 101 456 V1.4.3 (2007-05) Technical Specification Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing qualified certificates 2 TS 101 456 V1.4.3

More information

ETSI TS 119 403 V2.1.1 (2014-11)

ETSI TS 119 403 V2.1.1 (2014-11) TS 119 403 V2.1.1 (2014-11) TECHNICAL SPECIFICATION Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing

More information

ETSI EN 319 403 V2.2.2 (2015-08)

ETSI EN 319 403 V2.2.2 (2015-08) EN 319 403 V2.2.2 (2015-08) EUROPEAN STANDARD Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust

More information

INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS 101 456. Aristotle University of Thessaloniki PKI (www.pki.auth.gr) WHOM IT MAY CONCERN

INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS 101 456. Aristotle University of Thessaloniki PKI (www.pki.auth.gr) WHOM IT MAY CONCERN Title INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS 101 456 Customer Aristotle University of Thessaloniki PKI (www.pki.auth.gr) To WHOM IT MAY CONCERN Date 18 March 2011 Independent Audit

More information

TTP.NL Guidance ETSI TS 101 456

TTP.NL Guidance ETSI TS 101 456 ECP.NL TTP.NL on ETSI TS 101 456 Project TTP.NL on ETSI TS 101 456 30 May 2002 ECP.NL, CCvD-TTP.NL TTP.NL on ETSI TS 101 456 Table of Contents Table of Contents... 2 Foreword... 3 1 Scope... 4 2 References...

More information

ETSI EN 319 401 V1.1.1 (2013-01)

ETSI EN 319 401 V1.1.1 (2013-01) EN 319 401 V1.1.1 (2013-01) European Standard Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers supporting Electronic Signatures 2 EN 319 401 V1.1.1

More information

Danske Bank Group Certificate Policy

Danske Bank Group Certificate Policy Document history Version Date Remarks 1.0 19-05-2011 finalized 1.01 15-11-2012 URL updated after web page restructuring. 2 Table of Contents 1. Introduction... 4 2. Policy administration... 4 2.1 Overview...

More information

Land Registry. Version 4.0 10/09/2009. Certificate Policy

Land Registry. Version 4.0 10/09/2009. Certificate Policy Land Registry Version 4.0 10/09/2009 Certificate Policy Contents 1 Background 5 2 Scope 6 3 References 6 4 Definitions 7 5 General approach policy and contract responsibilities 9 5.1 Background 9 5.2

More information

CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems

CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems Date(s) of Evaluation: CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems Assessor(s) & Observer(s): Organization: Area/Field

More information

Draft ETSI EN 319 401 V1.1.1 (2012-03)

Draft ETSI EN 319 401 V1.1.1 (2012-03) Draft EN 319 401 V1.1.1 (2012-03) European Standard Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers supporting Electronic Signatures 2 Draft EN

More information

ETSI TS 102 640-3 V1.1.1 (2008-10) Technical Specification

ETSI TS 102 640-3 V1.1.1 (2008-10) Technical Specification TS 102 640-3 V1.1.1 (2008-10) Technical Specification Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Architecture, Formats and Policies; Part 3: Information Security

More information

Security framework. Guidelines for trust services providers Part 1. Version 1.0 December 2013

Security framework. Guidelines for trust services providers Part 1. Version 1.0 December 2013 Security framework Guidelines for trust services providers Part 1 Version 1.0 December 2013 European Union Agency for Network and Information Security www.enisa.europa.eu Security framework Guidelines

More information

Ericsson Group Certificate Value Statement - 2013

Ericsson Group Certificate Value Statement - 2013 COMPANY INFO 1 (23) Ericsson Group Certificate Value Statement - 2013 COMPANY INFO 2 (23) Contents 1 Ericsson Certificate Value Statement... 3 2 Introduction... 3 2.1 Overview... 3 3 Contact information...

More information

How To Understand And Understand The Certificate Authority (Ca)

How To Understand And Understand The Certificate Authority (Ca) TS 102 042 V1.1.1 (2002-04) Technical Specification Policy requirements for certification authorities issuing public key certificates 2 TS 102 042 V1.1.1 (2002-04) Reference DTS/SEC-004006 Keywords e-commerce,

More information

SSLPost Electronic Document Signing

SSLPost Electronic Document Signing SSLPost Electronic Document Signing Overview What is a Qualifying Advanced Electronic Signature (QAES)? A Qualifying Advanced Electronic Signature, is a specific type of digital electronic signature, that

More information

UKAS Guidance for bodies operating certification of Trust Service Providers seeking approval under tscheme

UKAS Guidance for bodies operating certification of Trust Service Providers seeking approval under tscheme CIS 3 EDITION 2 February 2014 UKAS Guidance for bodies operating certification of Trust Service Providers seeking approval under tscheme CONTENTS SECTION PAGE 1 Introduction 2 2 Requirements for Certification

More information

EA-7/01. EA Guidelines. on the application. Of EN 45012. Publication Reference PURPOSE

EA-7/01. EA Guidelines. on the application. Of EN 45012. Publication Reference PURPOSE Publication Reference EA-7/01 EA Guidelines on the application Of EN 45012 PURPOSE The purpose of the document is to provide explanations with a view to harmonise the application of ISO/IEC Guide 62/EN

More information

ETSI TS 102 640-3 V2.1.1 (2010-01) Technical Specification

ETSI TS 102 640-3 V2.1.1 (2010-01) Technical Specification TS 102 640-3 V2.1.1 (2010-01) Technical Specification Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 3: Information Security Policy Requirements for REM Management

More information

Regulations for certification of quality management systems

Regulations for certification of quality management systems Regulations for certification of quality management systems 00 24/04/2013 Annulla e sostituisce il documento Regulations for certification of quality management systems in rev. 14 SG DIR AD Rev. Data Descrizione

More information

ACT. of 15 March 2002

ACT. of 15 March 2002 215 ACT of 15 March 2002 on electronic signature and on the amendment and supplementing of certain acts as amended by Act No. 679/2004 Coll., Act No. 25/2006 Coll., Act No. 275/2006 Coll., Act No. 214/2008

More information

General Rules for the certification of Management Systems

General Rules for the certification of Management Systems General Rules for the certification of Management Systems Effective from 19/11/2015 RINA Via Corsica 12 16128 Genova - Italy tel. +39 010 53851 fax +39 010 5351000 website : www.rina.org Technical rules

More information

CP14 ISSUE 5 DATED 1 st OCTOBER 2015 BINDT Audit Procedure Conformity Assessment and Certification/Verification of Management Systems

CP14 ISSUE 5 DATED 1 st OCTOBER 2015 BINDT Audit Procedure Conformity Assessment and Certification/Verification of Management Systems Certification Services Division Newton Building, St George s Avenue Northampton, NN2 6JB United Kingdom Tel: +44(0)1604-893-811. Fax: +44(0)1604-893-868. E-mail: pcn@bindt.org CP14 ISSUE 5 DATED 1 st OCTOBER

More information

Procedure PS-TNI-001 Information Security Management System Certification

Procedure PS-TNI-001 Information Security Management System Certification Table of Contents 1. Purpose 2. Scope 3. Definitions 4. Responsibilities 4.1 Head of the Certification Body 4.2 QM Manager / Management Representative 4.3 Auditors 4.4 Order Service 4.5 Certification Service

More information

CERTIFICATION PRACTICE STATEMENT UPDATE

CERTIFICATION PRACTICE STATEMENT UPDATE CERTIFICATION PRACTICE STATEMENT UPDATE Reference: IZENPE-CPS UPDATE Version no: v 5.03 Date: 10th March 2015 IZENPE 2015 This document is the property of Izenpe. It may only be reproduced in its entirety.

More information

ETSI SR 003 091 V1.1.2 (2013-03)

Special Report Electronic Signatures and Infrastructures (ESI); Recommendations on Governance and Audit Regime for CAB Forum Extended Validation and Baseline Certificates

TC TrustCenter GmbH Certification Practice Statement and Certificate Policy for Qualified Certificates

Version 1.0 of June 11th, 2007 NOTE: The information contained in this document is the property of TC TrustCenter GmbH. This Certification

General Rules for the Certification of Management Systems Code: RG

Drafted on: 1 April 2012 Effective from: 1 October 2012 TABLE OF CONTENTS CHAPTER TITLE PAGE CHAPTER 1 GENERAL 3 CHAPTER 2 REFERENCE STANDARD

ETSI TS 102 042 V2.4.1 (2013-02)

Technical Specification Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates

IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems

IAF MD 2:2007. International Accreditation Forum, Inc. IAF Mandatory Document (IAF MD 2:2007) IAF MD2:2007 International

TG 47-01. TRANSITIONAL GUIDELINES FOR ISO/IEC 17021-1:2015, ISO 9001:2015 and ISO 14001:2015 CERTIFICATION BODIES

Approved By: Senior Manager: Mpho Phaloane Created By: Field Manager: John Ndalamo Date of Approval:

The name of the Contract Signer (as hereinafter defined) duly authorized by the Applicant to bind the Applicant to this Agreement is.

Trustwave Subscriber Agreement for Digital Certificates Ver. 11JUL14 PLEASE READ THIS AGREEMENT AND THE TRUSTWAVE CERTIFICATION PRACTICES STATEMENTS ("CPS") CAREFULLY BEFORE USING THE CERTIFICATE ISSUED

ETSI TS 102 640-3 V2.1.2 (2011-09)

Technical Specification Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 3: Information Security Policy Requirements for REM Management

Compliance Management Systems

Certification Scheme Y03 Compliance Management Systems ISO 19600 ONR 192050 Issue V2.1:2015-01-08 Austrian Standards plus GmbH Dr. Peter Jonas Heinestraße 38 A-1020 Vienna, Austria E-Mail: p.jonas@austrian-standards.at

Guidelines for the use of electronic signature

Republic of Albania National Authority for Electronic Certification Guidelines for the use of electronic signature Guide Nr. 001 September 2011 Version 1.3

Regulations for the certification of environmental management systems in conformity with UNI EN ISO 14001:2004

00 24/04/2013 Cancels and replaces the document Regulations for the certification of environmental

Raad voor Accreditatie (Dutch Accreditation Council RvA) Assessment of Conformity Assessment Schemes

Document code: RvA-T033-UK Version 3, 28 February 2014 An RvA Explanatory note describes the policy

Certum QCA PKI Disclosure Statement

Version 1.1 Effective date: 1st of April, 2016 Status: valid Asseco Data Systems S.A. ul. Żwirki i Wigury 15 81-387 Gdynia

REQUIREMENTS FOR CERTIFICATION BODIES TO DETERMINE COMPLIANCE OF APPLICANT ORGANIZATIONS TO THE MAGEN TZEDEK SERVICE MARK STANDARD

Foreword The Magen Tzedek Commission has established a standards and certification

TC TrustCenter GmbH Time-Stamp Practice and Disclosure Statement

NOTE: The information contained in this document is the property of TC TrustCenter GmbH. This document may not be copied, distributed, used, stored or transmitted in any form or by any means, whether

ELECTRONIC SIGNATURES AND ASSOCIATED LEGISLATION

This can be a complex subject and the following text offers a brief introduction to Electronic Signatures, followed by more background on the Register of

Business Issues in the implementation of Digital signatures

Much has been said about e-commerce, the growth of e-business and its advantages. The statistics are overwhelming and the advantages are so enormous

Certification Procedure of RSPO Supply Chain Audit

Table of Contents 1. Purpose 2. Scope 3. Unit of Certification 3.1 Identity Preserved, Segregation, Mass Balance, 3.2. Book and Claim 4. Definitions 5. Responsibilities 5.1 Head of the Certification

Merchants and Trade - Act No 28/2001 on electronic signatures

This is an official translation. The original Icelandic text published in the Law Gazette is the authoritative text. Chapter I Objectives and

ARTL PKI. Certificate Policy PKI Disclosure Statement

Important Notice: This document (PKI Disclosure Statement, PDS) does not by itself constitute the Certificate Policy under which Certificates governed

ETSI TR 103 123 V1.1.1 (2012-11)

Technical Report Electronic Signatures and Infrastructures (ESI); Guidance for Auditors and CSPs on TS 102 042 for Issuing Publicly-Trusted TLS/SSL Certificates

ETSI TS 102 573 V1.1.1 (2007-07)

Technical Specification Electronic Signatures and Infrastructures (ESI); Policy requirements for trust service providers signing and/or storing data for digital accounting

Application of ISO/IEC 17011 for the Accreditation of Food Safety Management Systems (FSMS) Certification Bodies

IAF Mandatory Document (IAF MD 16:2015) Version 2 Food Safety Management Systems (FSMS)

Voluntary Certification Scheme for Traditional Health Practitioner

ANNEX-3 0. Introduction 0.1 This document defines the criteria to be followed by the bodies certifying persons against specific requirements,

SPECIFIC CERTIFICATION POLICIES AND PRACTICES APPLICABLE TO

SPECIFIC CERTIFICATION POLICIES AND PRACTICES APPLICABLE TO ELECTRONIC CERTIFICATION AND SIGNATURE SERVICES FOR PUBLIC ORGANIZATIONS AND ADMINISTRATIONS, THEIR BODIES AND ATTACHED OR DEPENDENT ENTITIES

Trustis FPS PKI Glossary of Terms

The following terminology shall have the definitions as given below: Activation Data Asymmetric Cryptosystem Authentication Certificate Certificate Authority (CA) Certificate

Certification Process Requirements

SAAS Certification Process Requirements SAAS Procedure 200 and ISO/IEC 17021 Social Accountability Accreditation Services, June 2010 Accreditation Process and Policies SAAS Normative Requirements SAAS

TC TrustCenter GmbH Time-Stamp Policy

NOTE: The information contained in this document is the property of TC TrustCenter GmbH. This document may not be copied, distributed, used, stored or transmitted in any form or

Certipost Trust Services. Certificate Policy. for Lightweight Certificates for EUROCONTROL. Version 1.2. Effective date 03 May 2012

Certipost NV ALL RIGHTS RESERVED. 2 13 Definitions : Activation Data Certificate Certificate Holder Certificate Public Registry Certificate

LAW FOR THE ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE

Prom. SG. 34/6 Apr 2001, amend. SG. 112/29 Dec 2001, amend. SG. 30/11 Apr 2006, amend. SG. 34/25 Apr 2006, amend. SG. 38/11 May 2007, amend. SG.

Meeting the FDA's Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Executive Summary, Background, Internet Growth in the Pharmaceutical Industries, The Need for Security

FSSC 22000-Q. Certification module for food quality in compliance with ISO 9001:2008. Quality module REQUIREMENTS

Foundation for Food Safety Certification Gorinchem, The Netherlands: 2015 Version Control

Qualified Electronic Signatures Act (SFS 2000:832)

The following is hereby enacted 1 Introductory provision 1 The purpose of this Act is to facilitate the use of electronic signatures, through provisions

"Certification Authority" means an entity which issues Certificates and performs all of the functions associated with issuing such Certificates.

QUICKSSL PREMIUM(tm) SUBSCRIBER AGREEMENT Please read the following agreement carefully. By submitting an application to obtain a QuickSSL Premium(tm) Certificate and accepting and using such certificate,

DQS UL ASSESSMENT AND CERTIFICATION REGULATIONS

1. Certification and Assessment Services 1.1 Scope and Applicability These DQS UL Certification and Assessment Regulations apply to all certification and

fulfils all requirements defined in the technical specification The appendix to the certificate is part of the certificate and consists of 6 pages.

The certification body of TÜV Informationstechnik GmbH hereby awards this certificate to the company D-TRUST GmbH Kommandantenstraße 15 10969 Berlin, Germany to confirm that its certification service D

Statoil Policy Disclosure Statement

Title: Statoil Policy Disclosure Statement Document no. : Contract no.: Project: Classification: Distribution: Open Anyone Expiry date: Status 2019-06-11 Final Distribution date: : Copy no.: Author(s)/Source(s):

Translation Service Provider according to ISO 17100

www.lics-certification.org Certification Scheme S06 Translation Service Provider according to ISO 17100 Date of issue: V2.0, 2015-11-15 Austrian Standards plus GmbH Dr. Peter Jonas Heinestraße 38 1020

Aerospace Guidance Document

Introduction AS9100, AS9110 and AS9120 all include ISO 9001:2008 registration and specify additional requirements for a quality management system for the aerospace industry.

Understanding Digital Certificates & Secure Sockets Layer A Fundamental Requirement for Internet Transactions

May 2007 Copyright 2007 Entrust. All rights reserved. Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries.

Protection Profiles for TSP cryptographic modules Part 1: Overview

Date: 2015-08 prts 419221-1:2015 Document type: Technical Specification Document language: E Contents Introduction 1 Scope 2 References

Auditor view about ETSI and WebTrust criteria. Christoph SUTTER

Outline 1. Conformity Assessment (in general) relevant standards criteria / normative document certification object (here certification service

RECOMMENDATIONS for the PROCESSING of EXTENDED VALIDATION SSL CERTIFICATES January 2, 2014 Version 2.0

Copyright 2007-2014, The CA / Browser Forum, all rights reserved. Verbatim copying and distribution

on Electronic Signature and change to some other laws (Electronic Signature Act) The Parliament has hereby agreed on this Act of the Czech Republic:

227/2000 Coll. ACT of 29th June 2000 on Electronic Signature and change to some other laws (Electronic Signature Act) Amendment: 226/2002 Coll. Amendment: 517/2002 Coll. Amendment: 440/2004 Coll. Amendment:

Network Certification Body

Scheme rules for assessment of railway projects to requirements of the Railways Interoperability Regulations as a Notified and Designated Body 1 NCB_MS_56 Contents 1 Normative

Rules for the certification of event sustainability management system

In force from 10/09/2014 RINA Services S.p.A. Via Corsica, 12 16128 Genova Tel. +39 010 53851 Fax +39 010 5351000 E-MAIL: info@rina.org,

Memorandum of Understanding

Memorandum of Understanding between Department for Business, Innovation and Skills and United Kingdom Accreditation Service Contents 1 Purpose 2 Background 3 Scope of activity

TELSTRA RSS CA Subscriber Agreement (SA)

Last Revision Date: December 16, 2009 Version: Published By: Telstra Corporation Ltd Copyright 2009 by Telstra Corporation All rights reserved. No part of this

DECREE 132 of the National Security Authority. dated from 26 March 2009

on the conditions for providing accredited certification services and requirements for an audit, the extent of an audit and the qualification

Client information note Assessment process Management systems service outline

Overview The accreditation requirements define that there are four elements to the assessment process: assessment of the system

Neutralus Certification Practices Statement

Version 2.8 April, 2013 INDEX 1.0 INTRODUCTION 1.1 Overview 1.2 Policy Identification 1.3 Community & Applicability 1.4 Contact Details

RapidSSL Subscriber Agreement

RapidSSL(tm) Subscriber Agreement Please read the following agreement carefully. By submitting an enrollment form to obtain a RapidSSL Digital Certificate (the "Certificate") and accepting and using such

Future directions of the AusCERT Certificate Service

QV Advanced Plus certificates Purpose Digital signatures non-repudiation, authenticity and integrity Encryption - confidentiality Client authentication

Rules for the certification of asset management systems

In force from 8/09/2014 RINA Services S.p.A. Via Corsica, 12 16128 Genova Tel. +39 010 53851 Fax +39 010 5351000 E-MAIL: info@rina.org, web: www.rina.org

Specific Conditions for the Assessment of Management Systems and Product Certifications

Specific Conditions for the Assessment of Management Systems and Product Certifications between DQS CFS GmbH, named "DQS" hereafter, with its contract partner, named "the client" hereafter. 1 Assessment of Management Systems and DQS assesses the client's management system, or parts thereof,

ETSI SECURITY WEEK EIDAS Overview CEN/ETSI esignature Standardization including standards for TSP Compliance. ETSI 2015. All rights reserved

esignature Standards Framework Certificate Authority Time-stamping Signing Servers Validation

Estonian National CA Policy

Estonian National CA Policy for the Digital Tachograph System Eesti Riiklik Autoregistrikeskus (ARK) Estonian Motor Vehicle Registration Centre Digital Tachograph System EST NCA Policy Version Draft Version

ISO 14001 Registration Guidance Document

Introduction ISO 14001:2004 emphasizes the continuous improvement of an environmental management system (EMS). The standard specifies requirements for an environmental

ORDINANCE ON THE ELECTRONIC SIGNATURE CERTIFICATES IN THE. Chapter One GENERAL PROVISIONS

ADMINISTRATIONS Effective as of 13 June 2008 Adopted by Decree of the Council of Ministers No 97 of 16 May 2008 Promulgated SG, No. 48 of 23 May 2008 Chapter One GENERAL PROVISIONS Article 1. This Ordinance

Certification Practice Statement

FernUniversität in Hagen: Certification Authority (CA) Certification Practice Statement VERSION 1.1 Ralph Knoche 18.12.2009 Contents 1. Introduction 1.1. Overview 1.2. Scope of the Certification

VdS Guidelines for the Certification of quality management systems

VdS 2343en : 2015-09 (11) Certification of quality management systems VdS Guidelines VdS Guidelines for the

Certification Practice Statement

Revision R1 2013-01-09 1 Copyright Printed: January 9, 2013 This work is the intellectual property of Salzburger Banken Software. Reproduction and distribution require

STATUTORY INSTRUMENTS 2012 No. _

THE ELECTRONIC SIGNATURES REGULATIONS 2012 ARRANGEMENT OF REGULATIONS Regulation PART I-PRELIMINARY 1. Title. 2. Interpretation PART II - LICENSING AND RECOGNITION OF CERTIFICATION

GlobalSign CA Certificate Policy

Date: December 17th 2007 Version: v.3.0 Table of Contents Document History Acknowledgments 1. Introduction 1.1 Overview 1.1.1 GlobalSign Rootsign 1.1.2

Capitalized terms not defined below shall have the meaning given to them in the applicable CP/CPS, unless the context requires otherwise.

HydrantID SSL Certificate Services Agreement THIS HYDRANTID CERTIFICATE SERVICES AGREEMENT ("AGREEMENT") IS ENTERED INTO BETWEEN HYDRANTID AND THE ENTITY YOU

Copyright, Language, and Version Notice The official language of this [Certification Protocol] is English. The current version of the [Certification

Copyright, Language, and Version Notice The official language of this [Certification Protocol] is English. The current version of the [Certification Protocol] is maintained on the Bonsucro website: www.bonsucro.com.

Ford Motor Company CA Certification Practice Statement

Date: February 21, 2008 Version: 1.0.1 Table of Contents Document History Acknowledgments 1. Introduction 1.1 Overview 1.2 Ford Motor Company Certificate

LAW FOR THE ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE. Chapter two. ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE

Prom. SG. 34/6 Apr 2001, amend. SG. 112/29 Dec 2001, amend. SG. 30/11 Apr 2006, amend. SG. 34/25 Apr 2006, amend. SG. 38/11 May 2007 Chapter one.

SECTION.0100 - GENERAL ADMINISTRATION

.01 HOW TO CONTACT THE ELECTRONIC COMMERCE SECTION The North Carolina Department of the Secretary of State administers the Electronic Commerce Act.

Electronic Documents Law

Disclaimer: The English language text below is provided by the Translation and Terminology Centre for information only; it confers no rights and imposes no obligations separate from those conferred or

Information Security Management Systems

Conformity Assessment Scheme ISO/IEC 27001:2005 (JIS Q 27001:2006) IT Management Center Japan Information Processing Development

BUYPASS CLASS 3 SSL CERTIFICATES Effective date: 11.06.2013

CERTIFICATE POLICY PUBLIC Version: 2.0 Document date: 11.05.2013 Buypass AS Nydalsveien 30A, PO Box 4364 Nydalen Tel.: +47 23 14 59 00 E-mail:

ETSI TR 102 041 V1.1.1 (2002-02)

Technical Report Signature Policies Report Reference DTR/SEC-004022 Keywords electronic signature, security 650 Route des Lucioles F-06921 Sophia

Act 7 Electronic Signatures Act 2011

ACTS SUPPLEMENT No. 4 18th March, 2011. ACTS SUPPLEMENT to The Uganda Gazette No. 19 Volume CIV dated 18th March, 2011. Printed by UPPC, Entebbe, by Order of the Government.

3 Terms and definitions 3.5 client organization whose management system is being audited for certification purposes

3.4 third-party certification audit audit carried out by an auditing organization independent of the client and the user, for the purpose of certifying the client's management system

HKUST CA. Certification Practice Statement

IN SUPPORT OF HKUST CA CERTIFICATION SERVICES Version : 2.1 Date : 12 November 2003 Prepared by : Information Technology Services Center Hong Kong University of