
Chapter 4  Non-Technical Security Controls
Article 24
A certification service provider shall specify the physical, procedural, and personnel security controls it adopts.
Article 25
A certification service provider shall specify the following particulars in respect of archival records:
1. Types of records that are archived, which shall include all data information necessary for certificate verification
2. Retention period for an archive
3. Protection of an archive
4. Archive backup procedures
5. Requirements for time-stamping of records
6. Management frequency of archived records
Article 26
A certification service provider shall specify the following procedures for key changeover:
1. For certificate verification, the procedures of certifying the new public key with the old public key
2. The methods to provide a new public key
Article 27
A certification service provider shall specify the plan relating to the recovery procedures in the event of compromise or disaster.
Article 28
A certification service provider shall specify the following procedures for termination of any certification service:
1. Procedures for notification and publication
2. Arrangements for the currently valid certificates
3. The transfer of archival records or the retention period