ISO 21188-2018 PDF
Name in English: St ISO 21188-2018
Name in Russian: Ст ISO 21188-2018
Original standard ISO 21188:2018, full version in PDF. Additional information and a preview are available on request.
Full title and description
ISO 21188:2018 — Public key infrastructure for financial services — Practices and policy framework. This International Standard specifies a framework of requirements, control objectives and supporting procedures to manage a public key infrastructure (PKI) through certificate policies and certification practice statements applicable to the financial services industry.
Abstract
ISO 21188:2018 defines operational practices, risk controls and policy frameworks that enable the use of public key certificates in financial services environments. It addresses the generation and lifecycle management of public key certificates for uses such as digital signatures, remote authentication, key establishment and data encryption, and distinguishes requirements for PKI deployments in closed, open and contractual environments. The document defines baseline control objectives and procedures for certificate policy and certification practice statements; it does not prescribe authentication methods, non-repudiation mechanisms or specific key management protocols.
General information
- Status: Published; under review for revision (work item ISO/AWI 21188 registered).
- Publication date: April 2018 (Edition 2). Document confirmed in 2023.
- Publisher: International Organization for Standardization (ISO).
- ICS / categories: 35.240.40 (financial services — information systems / PKI).
- Edition / version: Edition 2 (2018).
- Number of pages: 108.
Scope
This standard provides a practices-and-policy framework to manage a PKI for financial services. It covers requirements for defining certificate policies and certification practice statements, control objectives and operational procedures to reduce PKI-related risks in contractual, open and closed environments. The scope includes support for certificates used for digital signatures, remote authentication, key exchange and data encryption. It excludes specification of authentication methods, non-repudiation requirements and detailed key management protocols.
Key topics and requirements
- Framework for certificate policies (CP) and certification practice statements (CPS) tailored to financial services.
- Control objectives and operational procedures for PKI lifecycle management (issuance, renewal, revocation, suspension).
- Risk management and governance requirements for PKI operators and relying parties.
- Distinction of requirements for closed, open and contractual PKI environments.
- Baseline technical and organisational controls to support digital signatures, remote authentication, key establishment and encryption.
- Guidance for drafting CP/CPS to enable interoperable, auditable PKI deployments in financial ecosystems.
- Explicit exclusions: authentication methods, non-repudiation legal frameworks and specific key-management protocols are out of scope.
Typical use and users
Primary users include business managers and analysts evaluating PKI for financial services, technical designers and implementers drafting certificate policies and certification practice statements, operational managers responsible for day-to-day PKI operations, and auditors assessing compliance with PKI operational controls. Typical uses are: establishing contractual PKI arrangements between financial institutions and service providers, defining interoperable CP/CPS documents, and setting baseline operational controls for certificate-based services.
Related standards
Previous and related documents include the earlier edition ISO 21188:2006 (withdrawn) and other PKI and certificate-profile specifications. An approved work item (ISO/AWI 21188) is in progress to develop a further edition. Users typically reference RFCs and regional PKI profiles alongside ISO 21188 when implementing operational details and protocol choices.
Keywords
PKI, public key infrastructure, financial services, certificate policy, certification practice statement, digital signature, remote authentication, key establishment, certificate lifecycle, revocation, control objectives, governance.
FAQ
Q: What is this standard?
A: ISO 21188:2018 is an International Standard that defines a practices-and-policy framework for public key infrastructure (PKI) specifically tailored to the financial services industry.
Q: What does it cover?
A: It covers requirements and guidance for certificate policies and certification practice statements, control objectives and operational procedures for PKI lifecycle management in closed, open and contractual financial environments; it does not specify authentication mechanisms, non-repudiation legal rules or low-level key-management protocols.
Q: Who typically uses it?
A: Business managers, technical architects and implementers, PKI operators, operational teams and auditors within banks, payment processors, financial marketplaces and third-party service providers who need an industry-focused PKI framework.
Q: Is it current or superseded?
A: The 2018 Edition (Edition 2) is the current published edition. The document was confirmed in 2023 and a revision work item (ISO/AWI 21188) is registered to develop a later edition.
Q: Is it part of a series?
A: ISO 21188 is a standalone standard focused on PKI for financial services; it replaces the earlier ISO 21188:2006 edition and is used alongside other PKI and security standards and regional/country-specific PKI profiles.
Q: What are the key keywords?
A: PKI, certificate policy (CP), certification practice statement (CPS), financial services, digital signature, authentication, key establishment, revocation, governance.