A certification service provider shall specify the physical, procedural, and personnel security controls it adopts.

A certification service provider shall specify the following particulars in respect of archival records:
1.Types of records that are archived, which shall include all data information necessary for certificate verification
2.Retention period for an archive
3.Protection of an archive
4.Archive backup procedures
5.Requirements for time-stamping of records
6.Management frequency of archived record

A certification service provider shall specify the following procedures for key changeover:
1.For certificate verification, the procedures of certifying the new public key with the old public key
2.The methods to provide a new public key

A certification service provider shall specify the plan relating to the recovery procedures in the event of compromise or disaster.

A certification service provider shall specify the following procedures for termination of any certification service:
1.Procedures for notification and publication
2.Arrangements for the currently valid certificates
3.The transfer of archival records or the retention period