
ISO 27001

Our entire security program is underpinned by ISO 27001 and supplemented by multiple organizational, regional and functional security assurance certifications for our environments and our products.

ISO 27001 is one of the most widely recognized and internationally accepted information security standards. It specifies the requirements for an Information Security Management System (ISMS): how an organization identifies information security risks, selects and operates appropriate controls to treat them, and continually reviews and improves that system.

Our entire organization is certified to ISO 27001:2013. To achieve the certification, Entrust's compliance was validated by an independent audit firm after demonstrating an ongoing and systematic approach to managing and protecting company and customer data. The certification attests that Entrust operates a defined framework of policies and procedures covering the legal, physical and technical controls within its risk management system. The scope is broad: ISO 27001:2013 Annex A groups its controls into 14 control domains:

  • Information Security Policies 
  • Organization of Information Security 
  • Human Resource Security 
  • Asset Management 
  • Access Control 
  • Cryptography 
  • Physical and Environmental Security 
  • Operations Security 
  • Communications Security
  • System Acquisition, Development and Maintenance 
  • Supplier Relationships 
  • Information Security Incident Management 
  • Information Security aspects of Business Continuity Management 
  • Compliance 

Our ISO 27001 certification builds on Entrust's long-standing compliance with multiple security assurance certifications that are recognized around the globe.

Organizational, Regional, and Functional Certifications

Common Criteria (CC)

Common Criteria (ISO/IEC 15408) is an international framework for evaluating the security properties of IT products against a defined Security Target or Protection Profile, with independent laboratories performing the evaluation. Certification is widely required for products deployed in government environments. 

Our certified products include: 

  • Security Manager 
  • nShield HSMs 
  • KeyOne 
  • TrustedX

FIPS 140-2

Federal Information Processing Standard (FIPS) Publication 140-2 is a US government computer security standard used to validate cryptographic modules. It defines four security levels, each adding requirements (for example tamper evidence, identity-based authentication and tamper response) on top of the previous level. 

Our certified products include: 

  • nShield HSMs (FIPS 140-2 Level 2 and Level 3)

ICP Brazil

ICP-Brasil (Infraestrutura de Chaves Públicas Brasileira) is Brazil's national public key infrastructure; certification against its requirements supports the National Basic Infrastructure for Electronic Identification projects in Brazil. 

Our certified products include: 

  • nShield HSMs (ICP-Brasil)

FIPS 201 (PIV)

FIPS 201 (Federal Information Processing Standards Publication 201) is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for federal employees and contractors, covering identity proofing, the PIV card and its credentials, and their use for physical and logical access. 

Our certified products include: 

  • Identity Guard

NATO Information Assurance Product Catalogue

The NATO Information Assurance Product Catalogue (NIAPC), established under Directive AC/322-D(2010)0042 (22-09-2010), provides NATO nations and NATO civil and military bodies with a catalogue of Information Assurance (IA) products, Protection Profiles and Packages that are in use or available for procurement to meet NATO operational requirements. 

Our certified products include: 

  • KeyOne

AIS 31

AIS 31 (Application Notes and Interpretation of the Scheme 31: Functionality Classes and Evaluation Methodology for Physical Random Number Generators, Version 1, 25.09.2001) is the German BSI methodology for evaluating physical (true) random number generators, classifying them by functionality class and testing the quality of their entropy source and output. 

Our certified products include: 

  • Solo XC

QSCD (Qualified Signature Creation Device)

Certification as a Qualified Signature Creation Device (QSCD) under Article 30(3)(b) of the eIDAS Regulation (EU) No 910/2014. A QSCD is the device on which a qualified electronic signature must be created for it to have the legal effect of a handwritten signature across the EU. 

Our certified products include: 

  • TrustedX 
  • Entrust HSMs

Environmental, Enclave, or System Certifications

PCI Card Production (CP)

Our Financial Instant Issuance Managed Services Offering (FII MSO) is assessed against the Payment Card Industry (PCI) Card Production and Provisioning Security Requirements and may perform Data Preparation activities in our approved facilities. Data preparation is the process by which card issuer and cardholder data are manipulated and configured for subsequent personalization by the issuer or by a different certified facility.

US Federal Approval to Operate

Our EDC US Federal environment is certified against NIST SP 800-53 (Revision 4). NIST SP 800-53 is a catalog of security and privacy controls for federal information systems and organizations, used to select controls that protect organizational operations, organizational assets, individuals, other organizations, and the Nation from a diverse set of threats, including hostile cyber attacks, natural disasters, structural failures, and human errors.

tScheme

tScheme is the self-regulatory body for electronic trust service approval in the UK. https://www.tscheme.org/certificate-factory-entrust-datacard-europe-ltd

ETSI 1

The European Telecommunications Standards Institute (ETSI) is an independent, not-for-profit standardization organization for the telecommunications industry (equipment makers and network operators) in Europe, headquartered in Sophia-Antipolis, France, with worldwide reach. Our “ETSI 1” certification addresses ETSI EN 319 401 v2.1.1 (General Policy Requirements for Trust Service Providers) and ETSI EN 319 411-1 v1.1.1 (Policy and security requirements for Trust Service Providers issuing certificates, Part 1: General requirements), the eIDAS-supporting policy requirements for CAs.

ETSI 2

Our “ETSI 2” certification addresses ETSI EN 319 403, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers, in support of Regulation (EU) No 910/2014 of the European Parliament and of the Council (eIDAS). The certificate has been issued by the A-SIT Certification Body (Austrian Secure Information Technology Center), acting as eIDAS conformity assessment body, according to Article 20(2) of the eIDAS Regulation. On the basis of this certification, the TrustedX eIDAS product can be used to generate qualified remote signatures with legal validity in all member states of the European Union. The certificate can be found at the following site: https://www.a-sit.at/downloads/1071.

ISO/IEC 15504

We hold a level 3 ISO/IEC 15504 (SPICE) certification granted by AENOR (www.aenor.es), a body accredited by the Spanish National Accreditation Body (ENAC) to certify products and services. ISO/IEC 15504 provides a framework for assessing and improving the capability of the processes used to develop software. 

UNE 166002 and CEN/TS 16555-1

This is a certification of our Research, Development and Innovation (R+D+I) activities for security software in the areas of identity and trust, granted by AENOR (www.aenor.es), a body accredited by the Spanish National Accreditation Body (ENAC) to certify products and services. The certification attests to an effective and efficient R+D+I management system, a differentiating factor in the competitiveness and excellence of the company's products. On the basis of this certification, AENOR has also issued a certificate of compliance with the European technical specification CEN/TS 16555-1:2013, Innovation Management, Part 1: Innovation Management System. 

PrivacyMark

The PrivacyMark System assesses private enterprises that take appropriate measures to protect personal information. Enterprises that pass are granted the right to display the "PrivacyMark" in the course of their business activities. The System is based on the Japanese Industrial Standard JIS Q 15001 (Personal Information Protection Management System - Requirements).

PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) sets out strict requirements for securing payment card data while it is stored, processed or transmitted.

Our certified products include:

  • nShield as a Service Direct (United States region)

Responsible Disclosure Programs

Vendor Information Security Addendum

Security Disclosure Practices

To protect the continued security of Entrust's environment, and in line with our contractual obligations, the following highly sensitive, confidential and proprietary documentation is not shared with external parties, including customers, unless there is a legal or regulatory requirement to do so: 

  • Detailed Penetration Test Results 
  • Detailed Vulnerability Assessments 
  • Information Security Policies and Procedures