ENISA’s How-to-Guide for Trust Service Providers’ Auditing
April 2015 by Marc Jacob
ENISA has published a report providing guidelines on the auditing framework for Trust Service Providers (TSPs). These guidelines can be used both by Trust Service Providers preparing for the regular audits they have to undergo under the eIDAS regulation and by the Conformity Assessment Bodies (auditors) carrying them out; they offer a set of good practices that can be applied at an organizational level.
The report gives an overview of a typical three-stage audit methodology: an off-site assessment (documentation level), an on-site assessment (implementation level), and a final conformity assessment report. It lists all relevant requirements for the off-site and on-site stages.
The main areas discussed are:
• Obligations, warranties and liability of TSPs
• Standards applicable to TSPs and Conformity Assessment Bodies
• Methodology of auditing TSPs (off-site, on-site)
• TSPs documentation (plans, policies and procedures)
• Implementation of TSPs services
The Executive Director, Udo Helmbrecht, commented: “It is important to secure services with the appropriate means. Conformity assessment schemes ensure that the level of services, corresponding both to the infrastructure (network and physical) and to the human resources, meets security requirements, minimising exposure to risks and security incidents. ENISA’s recommendations provide a comprehensive reference document towards the implementation of trusted services.”
Trust services must abide by certain criteria, namely legal requirements, standards (ETSI/CEN/ISO), terms and conditions, and the state of the technology. Trust Service Providers (TSPs) are required to comply with these obligations within the framework of the eIDAS (electronic ID, Authentication and Signature) Regulation, adopted by the EU Parliament and the Council of the European Union for electronic transactions in the internal market.
For the full report: Auditing Framework for TSPs