Guidelines on the auditing framework for Trust Service Providers
A new ENISA report provides guidelines on the auditing framework for Trust Service Providers (TSPs). These guidelines can be used by TSPs (preparing for audits) and Conformity Assessment Bodies (auditors) having to undergo regular auditing – as set by the eIDAS regulation – and offer a set of good practices which can be used at an organizational level.
The report gives an overview of a typical three-stage audit methodology, listing all relevant requirements for the off-site (documentation level) and on-site (implementation level) assessment procedure, which is finalized with a conformity assessment report.
The main discussed areas are:
- Obligations, warranties and liability of TSPs
- Standards applicable to TSPs and Conformity Assessment Bodies
- Methodology of auditing TSPs (off-site,on-site)
- TSPs documentation (plans, policies and procedures)
- Implementation of TSPs services.
The Executive Director Udo Helmbrecht commented: “It is important to secure services with the appropriate means. Conformity assessment schemes ensure that the level of services corresponding both to the infrastructure (network and physical) and the human resources, meet security requirements, minimizing exposure to risks and security incidents. ENISA’s recommendations provide a comprehensive reference document towards the implementation of trusted services”.
Trust services must abide to certain criteria, namely legal requirements, standards (ETSI/CEN/ISO), terms and conditions and the state of the technology. TSPs are required to comply with these obligations within the framework of the eIDAS (electronic ID, Authentication and Signature) Regulation, adopted by the EU Parliament and the Council of the European Union, for electronic transactions in the internal market.