PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #3 – Internal Audit
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: pkioverheid, Assigned: pkioverheid)
Details
(Whiteboard: [ca-compliance] [audit-finding])
Preliminary Incident Report
Summary
- Incident Description:
  - Minor Non-conformity: Internal Audit at subcontractor
- Relevant Policies:
  - ETSI 319 401 (REQ-7.1.1-01, REQ-7.13-01, REQ-7.14.3-06X)
  - ETSI 319 403-1 (7.9d)
- Source of incident disclosure:
  - Annual ETSI Audit
Updated•5 months ago
Comment 1•4 months ago
Full Incident Report - ETSI Finding #3 – Internal Audit
Summary
- CA Owner CCADB unique ID: A000068
- Incident description: The CAB noted that a required internal audit had not been performed at a KPN subcontractor. This was filed as a minor non-conformity.
- Timeline summary:
  - Non-compliance start date: N/A
  - Non-compliance identified date: 11-Jul-2025
  - Non-compliance end date: Ongoing.
- Relevant policies:
  - ETSI 319 401 REQ-7.1.1-01: The TSP organization shall be reliable.
  - ETSI 319 401 REQ-7.13-01: The TSP shall ensure that it operates in a legal and trustworthy manner.
  - ETSI 319 401 REQ-7.14.3-06X [CONDITIONAL]: When the TSP makes use of a trust service component provided by another party it shall ensure that the security and functionality required by the trust service component meet the appropriate requirements of the applicable policy and practices.
  - ETSI 319 403-1 7.9 (..) The following activities shall be part of surveillance audit: (..) d) review of internal audits and security management systems in place;
- Source of incident disclosure: Finding by CAB during annual ETSI audit.
Impact
- Total number of certificates: N/A
- Total number of "remaining valid" certificates: N/A
- Affected certificate types: N/A
- Incident heuristic: N/A
- Was issuance stopped in response to this incident, and why or why not?: N/A (see point below).
- Analysis: N/A
- Additional considerations: KPN only operates legacy S/MIME-capable CAs, which have not issued any S/MIME certificates since 1 August 2023. At that time this was changed due to updated S/MIME regulations, under which email addresses and the EKU emailProtection were no longer included in publicly trusted certificates.
Timeline
- 11-07-2025: CAB identifies finding
- 17-07-2025: KPN created a Corrective Action Plan to remediate the audit finding
- 12-08-2025: Corrective Action Plan Approved by auditor
Related Incidents
N/A
Root Cause Analysis
Contributing Factor 1: Agreements with subcontractor didn’t contain clauses regarding audit responsibility
- Description: The internal audit at the supplier was not conducted due to a lack of clear agreements with the external party regarding audit responsibility.
- Timeline: See main timeline.
- Detection: Audit finding by CAB.
- Interaction with other factors: No.
- Root Cause Analysis methodology used: N/A
Contributing Factor 2: Internal audit schedule
- Description: The audit was not included in the internal audit schedule, as supplier audits were not formally embedded in the planning process.
- Timeline: See main timeline.
- Detection: Audit finding by CAB.
- Interaction with other factors: No.
- Root Cause Analysis methodology used: N/A
Lessons Learned
- What went well: N/A
- What didn’t go well: N/A
- Where we got lucky: N/A
- Additional: N/A
Action Items
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Execute specific internal audit | Mitigate | Root Cause #1 | Check content | 2025-10-11 | Ongoing |
| Formalize agreements with external parties regarding audit responsibilities. | Prevent | Root Cause # 1 | Check | 2025-10-11 | Ongoing |
| Ensure supplier audits are explicitly included in the internal audit schedule going forward. | Prevent | Root Cause # 2 | Check | 2025-09-30 | Ongoing |
Appendix
N/A
Comment 2•4 months ago
In the Action Items above an error had occurred while pasting the information from internal systems to markdown, so an updated version with the right Evaluation Criteria is provided below. In the meantime, PKIoverheid is monitoring this bug and we're open to additional questions or remarks people might have.
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Execute specific internal audit | Mitigate | Root Cause #1 | Report back when audit has been concluded | 2025-10-11 | In progress |
| Formalize agreements with external parties regarding audit responsibilities. | Prevent | Root Cause # 1 | Report back when agreements have been updated | 2025-10-11 | In progress |
| Ensure supplier audits are explicitly included in the internal audit schedule going forward. | Prevent | Root Cause # 2 | Report back when this has been implemented | 2025-09-30 | In progress |
Comment 3•3 months ago
After discussing matters with the involved subcontractor, the decision has been made to execute a full external audit on the subcontractor in question. Since this requires a longer lead time than the original plan to execute an internal audit (performed by a KPN internal auditor), the remediation will take longer. The expected due date of the external audit is now 01-01-2026. With that, the status of the action items is as follows:
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Execute specific internal audit | Mitigate | Root Cause #1 | Check content | 2025-10-11 | Won't do |
| Formalize agreements with external parties regarding audit responsibilities. | Prevent | Root Cause # 1 | Report back | 2025-10-11 | In progress |
| Ensure supplier audits are explicitly included in the internal audit schedule going forward. | Prevent | Root Cause # 2 | Report back | 2025-09-30 | Won't do |
| Execute external audit by subcontractor. Subcontractor reports results back to KPN and Logius | Prevent | Root Cause #1 | Report back results | 01-01-2026 | In progress |
Comment 4•2 months ago
Action item 2 has been completed. We erroneously reported action item #3 as a won't do above; KPN has updated the internal audit schedule with regards to supplier audits in general.
As such, only action item #4 is still open.
This report has gone stale.
You may request a next update that's beyond the normal weekly cadence but, absent that being accepted, you are required to provide an update on a weekly basis.
Comment 6•24 days ago
The visit of the external auditor to the subcontractor has now been scheduled, but was not possible earlier than the last week of January and the first week of February. The expected due date of the external audit has therefore shifted to 2026-02-09. With that, the status of the action items is as follows:
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Execute specific internal audit | Mitigate | Root Cause #1 | Check content | 2025-10-11 | Won't do |
| Formalize agreements with external parties regarding audit responsibilities. | Prevent | Root Cause # 1 | Report back | 2025-10-11 | Completed |
| Ensure supplier audits are explicitly included in the internal audit schedule going forward. | Prevent | Root Cause # 2 | Report back | 2025-09-30 | Completed |
| Execute external audit by subcontractor. Subcontractor reports results back to KPN and Logius | Prevent | Root Cause #1 & #2 | Report back results | 2026-02-09 | In progress |
Comment 7•10 days ago
This report has gone stale. As a reminder, CA Owners may request the “Next update” Whiteboard field be set by a Root Store Operator to align with a specific date related to an open Action Item.
Comment 8•9 days ago
Implementation is on schedule. No further updates.