The BS7799 Standard is a comprehensive set of controls comprising the best practices in information security. It is an internationally recognised generic information security standard.
BS7799 comprises two parts, namely:
- BS 7799-1:2000 (Information Technology - Code of practice for information security management); and
- BS 7799-2:2002 (Information Security Management - Specification for information security management systems)
The BS7799 Standard is intended as a single point of reference for identifying a range of controls needed for most situations where information systems are used in industry and commerce. It establishes the basic framework for implementing adequate IT security that preserves and protects the quality of an organisation's informational assets.
The "Security Guidelines for CAs" document defines the security guidelines for the management, systems and operations of a certification authority (licensed or potential licensee). It is intended for use by the management, security, technical and operational personnel of a certification authority.
Together, the documents provide the holistic security framework for managing and operating a CA and protecting its informational assets and general IT systems and operations at the same time.
Potential licensees and licensed CAs may obtain a copy of the BS7799 from its official website.
Other economies have similarly set out electronic commerce regimes with specifications for the operations of CAs. Two examples of such specifications are the WebTrust Program for CA version 1.0, used in Canada and the United States of America, and the European Telecommunications Standards Institute (ETSI) TS 101 456 requirements, used within Europe. In recognition that many entities operate across international boundaries and may wish to have a comparison of the different regimes, the Controller of CA has commissioned a study that compares the audit requirements for a licensed CA in Singapore against the audit requirements of these regimes. Interested parties may obtain a copy of the report, which highlights, with explanation, the areas of comparison.
The report is prepared by a third-party consultant, and the Controller of CA and IDA would not owe a duty of care to any party to whom the report is distributed. The Controller of CA and IDA do not assume any responsibility or liability for any losses suffered by any party as a result of the circulation, publication, reproduction or other use of the report.