We align your PKI with global and sector regulations, translating control requirements into concrete PKI designs, policies, and operating procedures. Where possible, we default to customer‑managed keys (BYOK) and HSM‑backed CA hierarchies, with full audit evidence.
What we cover
- Regulatory scopes: GDPR/UK GDPR, NIS2, PCI DSS 4.0, ISO/IEC 27001:2022 & 27002, FIPS 140‑3 (and legacy 140‑2 footprints), eIDAS/PSD2 qualified/non‑qualified use cases, HIPAA (PHI protection), SOX change/audit requirements.
- Domains: Public‑trust TLS, private enterprise PKI, device/IoT identities (mTLS), code signing, document signing, email (S/MIME), VPN/Wi‑Fi (EAP‑TLS).
- Environments: On‑prem, multi‑cloud, OT/IIoT networks, air‑gapped and regulated facilities.
Controls mapping (what we implement)
| Control Area | What it means for PKI | Our Implementation |
|---|---|---|
| Key Protection | CA keys must be generated, stored, and used in certified modules | HSM‑backed root & issuing CAs; dual control, M of N, tamper‑evident logs; FIPS 140‑3 validated modules where mandated |
| Governance | Formal CP/CPS, roles & responsibilities, separation of duties | Author, review, and baseline CP/CPS; RACI, duty segregation, privileged access model (RBAC with Entra ID) |
| Crypto Policy | Approved algorithms, key sizes, lifetimes, curves, digest rules | Standardised policy packs (RSA/ECDSA today, PQC roadmap); enforcement via the certificate lifecycle management (CLM) control plane |
| Issuance Controls | Identity vetting, RA processes, workflow approvals | RA procedures, ACME/EST/SCEP with policy gates, evidence trails in ITSM |
| Revocation & OCSP/CRL | Timely revocation and availability of certificate status services | Incident playbooks, SLA/SLO for CRL/OCSP, monitored endpoints, stapling guidance |
| Logging & Audit | Immutable logs, time sync, retention, review | Centralised logging (SIEM), signed audit trails, time‑source hardening, evidence packs |
| Change Management | Documented changes with approval | Change templates, CAB artefacts, GitOps/Infra‑as‑Code for PKI configs |
| Business Continuity | Backup, recovery, disaster tests | HSM backup strategy, offline root procedures, ceremony records, DR runbooks |
| Data Residency | Keys & data stored in region | Managed HSM / on‑prem HSM placement, geo‑fencing, residency statements |
Deliverables (evidence you can hand to auditors)
- Certificate Policy (CP) and Certification Practice Statement (CPS) with versioning and change log
- Key Management Standard (algorithms, key sizes, validity, rotation, escrow policy)
- HSM & Key Ceremony pack: scripts, video/stills checklist, witness statements, key component custody forms
- RA/Issuance SOPs: identity proofing, approval workflow, exception handling
- Revocation & Incident Runbooks with comms templates and SLA triggers
- Logging & Monitoring Standard: events, retention, SIEM dashboards, alerting thresholds
- BC/DR Plan: offline root handling, CA rebuild, CRL/OCSP continuity
- Compliance Traceability Matrix mapping regulations/controls to PKI artefacts
Regional & sector focus
- UK/EU: NIS2 alignment; eIDAS/PSD2 for qualified trust service touchpoints; GDPR/UK GDPR DPIA inputs
- Financial services: PCI DSS 4.0 strong cryptography mapping, cryptographic inventory for audit
- Healthcare: HIPAA safeguards with PHI‑adjacent cert use; mTLS for clinical systems, audit evidence retention
- Industrial/OT: Purdue‑model aware PKI, constrained networks, offline RA options, device lifecycle at scale
Policy & naming conventions (compliance shortcodes)
We tag every policy with a compliance shortcode to simplify change control:
POL‑CRYPTO‑Std/v3 → Algorithms & key sizes
POL‑ISSUANCE‑TLS/v2 → Server TLS issuance rules
SOP‑RA‑Enroll/v1 → RA identity verification steps
RUN‑REVOC‑IR/v2 → Revocation incident response
EVD‑CEREMONY‑RKG/v1 → Root Key Generation evidence pack
These are referenced alongside the platform shortcodes (e.g., KF‑EJBCA, VEN‑TLSP, AZ‑MHSM) in all tickets and pipelines.
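The shortcode convention above only helps change control if tickets and pipelines actually carry well‑formed, current references. The following is an added example (not the page's or any vendor's tooling) of a pipeline gate that parses the `<KIND>‑<AREA>‑<Name>/v<N>` pattern, tolerates the Unicode hyphen variants that copy‑pasted document text often contains, checks each policy reference against a version register, and confirms that a platform shortcode is present. The shortcode families (POL/SOP/RUN/EVD) and platform codes (KF‑EJBCA, VEN‑TLSP, AZ‑MHSM) are taken from the page; the policy register, ticket texts and the `CHG-…` ticket ids are constructed sample data.

```python
"""Gate PKI change tickets on compliance shortcode references (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Shortcode families and platform codes as listed on the page.
POLICY_KINDS = {"POL", "SOP", "RUN", "EVD"}
PLATFORM_CODES = {"KF-EJBCA", "VEN-TLSP", "AZ-MHSM"}

# <KIND>-<AREA>-<Name>/v<N>, e.g. POL-CRYPTO-Std/v3
POLICY_RE = re.compile(
    r"\b(?P<kind>[A-Z]{3})-(?P<area>[A-Z]+)-(?P<name>[A-Za-z]+)/v(?P<version>\d+)\b"
)


@dataclass(frozen=True)
class PolicyCode:
    kind: str
    area: str
    name: str
    version: int

    @property
    def base(self) -> str:
        return f"{self.kind}-{self.area}-{self.name}"

    def __str__(self) -> str:
        return f"{self.base}/v{self.version}"


def normalise(text: str) -> str:
    """Map Unicode hyphen variants (U+2010..U+2013) onto ASCII '-' so pasted codes still parse."""
    return text.translate({0x2010: "-", 0x2011: "-", 0x2012: "-", 0x2013: "-"})


def parse_policy_code(token: str) -> PolicyCode:
    """Parse one shortcode; raise ValueError if malformed, unknown family, or version < 1."""
    m = POLICY_RE.fullmatch(normalise(token.strip()))
    if not m:
        raise ValueError(f"malformed shortcode: {token!r}")
    if m["kind"] not in POLICY_KINDS:
        raise ValueError(f"unknown shortcode family {m['kind']!r} in {token!r}")
    version = int(m["version"])
    if version < 1:
        raise ValueError(f"version must be >= 1: {token!r}")
    return PolicyCode(m["kind"], m["area"], m["name"], version)


def find_references(text: str) -> tuple[list[PolicyCode], set[str], list[str]]:
    """Return (policy codes, platform codes, tokens that look like codes but are not valid)."""
    text = normalise(text)
    policies: list[PolicyCode] = []
    unknown: list[str] = []
    for m in POLICY_RE.finditer(text):
        try:
            policies.append(parse_policy_code(m.group(0)))
        except ValueError:
            unknown.append(m.group(0))
    platforms = {
        code for code in PLATFORM_CODES
        if re.search(rf"(?<![A-Z-]){re.escape(code)}(?![A-Z-])", text)
    }
    return policies, platforms, unknown


def check_ticket(text: str, register: dict[str, int]) -> list[str]:
    """Return change-control findings for one ticket; an empty list means the gate passes.

    `register` maps a shortcode base (e.g. 'POL-CRYPTO-Std') to its current version.
    """
    policies, platforms, unknown = find_references(text)
    findings = [f"unknown shortcode family: {u}" for u in unknown]
    if not policies:
        findings.append("ticket references no policy/SOP/runbook shortcode")
    if not platforms:
        findings.append("ticket references no platform shortcode")
    for p in policies:
        current = register.get(p.base)
        if current is None:
            findings.append(f"{p} is not in the policy register")
        elif p.version < current:
            findings.append(f"{p} is superseded by {p.base}/v{current}")
        elif p.version > current:
            findings.append(f"{p} does not exist yet (register has v{current})")
    return findings


# Constructed sample register; versions mirror the shortcodes listed on the page.
POLICY_REGISTER = {
    "POL-CRYPTO-Std": 3,
    "POL-ISSUANCE-TLS": 2,
    "SOP-RA-Enroll": 1,
    "RUN-REVOC-IR": 2,
    "EVD-CEREMONY-RKG": 1,
}

# Constructed sample tickets (ids are placeholders). The second one uses U+2011 hyphens
# and cites a superseded runbook version, an unknown family, and no platform code.
GOOD_TICKET = ("CHG-1042: rotate issuing CA key on KF-EJBCA per POL-CRYPTO-Std/v3; "
               "enrolment unchanged (SOP-RA-Enroll/v1).")
BAD_TICKET = ("CHG-1043: revoke leaked server cert under RUN\u2011REVOC\u2011IR/v1 and "
              "POL-ISSUANCE-TLS/v2; see XYZ-FOO-Bar/v9.")

if __name__ == "__main__":
    for ticket in (GOOD_TICKET, BAD_TICKET):
        print(ticket.split(":")[0], check_ticket(ticket, POLICY_REGISTER) or "OK")
```

Running the script reports the first ticket as passing and lists three findings for the second. In a real pipeline the register would be loaded from the versioned CP/CPS repository rather than hard‑coded, and a non‑empty findings list would fail the job so the ticket is corrected before the change reaches a CA.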
Audit support & readiness
- Pre‑audit gap assessment, evidence curation, and control owner interviews
- Mock auditor Q&A and control walkthroughs
- Remediation backlog with risk ratings and owners
Crypto‑agility & PQC roadmap
- Track deprecated algorithms/ciphers; enforce retirement via CLM
- Prepare hybrid/PQC profiles for high‑value assets; impact assessment for clients and devices
Outcomes
- Faster audits with ready‑made evidence packs
- Reduced non‑compliance risk and clearer accountability
- Stronger key custody and incident response
FAQ: PKI Compliance — Common Questions
Do I need FIPS 140‑3? Only where mandated (e.g., certain public sector/regulated contexts). We’ll document your position and implement validated modules when required.
How do you prove GDPR compliance for keys? Residency controls, data‑flow mapping, and DPA language; HSM location statements and access logs.
What if we have legacy 140‑2 HSMs? We maintain them with compensating controls and plan a risk‑based upgrade path to 140‑3.
Can you support eIDAS qualified use cases? We design the PKI elements and coordinate with QTSPs where necessary, aligning CP/CPS and audit evidence.