Bugzilla #1973032
Audit Related
Certigna: Finding #2 ETSI Audit - Risks regarding the certification of device not described
RESOLVED
FIXED
Certigna
AI Summary
The ETSI audit for Certigna identified that the business risks associated with the potential loss of certification for a cryptographic device were inadequately described in their risk assessment. Although the risks are managed, the lack of detail hindered the evaluation of their real business impact. Certigna has since updated their risk management procedures and enriched their risk assessment to include more comprehensive descriptions of these risks. All action items related to this incident have been completed, and the case is now resolved.
Chronology
- Annual update of risk assessment.
- Auditor identifies lack of description of business risks.
- Risk management procedure updated.
- Validation of deviation resolution by auditor.
Participants
Josselin Allemandou
R. Delval
Similar Local Cases
Certigna: Findings in 2024 ETSI Audit – Audit Incident Report
Audit info for Certigna
SwissSign: recommendation on CA-specific risk assessment
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #5 – CMDB
certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #3 – Missing certSIGN OID on Terms and Conditions
PKIoverheid: TSP CIBG Findings in 2025 ETSI Audit - Incident Report #8 – Human Resources Management
certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #2 – Add test certificates in CPS
Telekom Security: Failure to file a bug for two findings from the 2024 Audit