Scope |
On the request of CIBG, Uitvoeringsorganisatie van het ministerie van Volksgezondheid, Welzijn en Sport (hereafter referred to as: CIBG), the annual certification audit on all areas and processes was performed by BSI Group The Netherlands B.V. (John M. Keynesplein 9, 1066 EP Amsterdam, The Netherlands).
The full audit covered all applicable requirements from the audit criteria listed below (see “Audit Information”) and are defined in CIBG’s statement of applicability (dated 24 August 2023) and the Overview of applicability.
The scope of the assessment comprised the following Trust Service Provider component services:
-,,Registration Service (p);
-,,Certificate Generation Service (c);
-,,Dissemination Service (p);
-,,Revocation Management Service (p);
-,,Revocation Status Service (c);
-,,Subject Device Provision Service (c);
The TSP component services are performed, partly (p) or completely (c) by subcontractors under the responsibility of CIBG.
These TSP component services are being provided for the qualified trust service as defined in EU Regulation 910/2014 (eIDAS):
-,,Issuance of qualified certificates for electronic signatures (qualified trust service), in accordance with the ETSI-policy: QCP-n-qscd.
The certificates are issued through the issuing Certification Authorities, as specified below:
Root CA: Staat der Nederlanden Root CA - G3 (not in scope)
Domein CA: Staat der Nederlanden Organisatie Persoon CA - G3 (not in scope)
-,,Issuing CA: UZI-register Zorgverlener CA G3
Sha256 Fingerprint (2017):
3EAD4F72F06F1054881D2728DE033A8E13FADE6BD165084018EB943C17378DAA
Sha256 Fingerprint (2019):
507DB60D263D3D09D283DE2E3AA435DFD8775E52BC335702E3832BBB57EC1CBD
+,,Non-repudiation (2.16.528.1.1003.1.2.5.2), in accordance with policy: QCP-n-qscd
-,,Issuing CA: UZI-register Medewerker op naam CA G3
Sha256 Fingerprint (2017):
D8553A2880E96B7AA4C7413DD903AFD3D580504695DD26A168FD48CCE7B1474A
Sha256 Fingerprint (2019):
D28DB435E31212A3BDCCF87620F6544B99A9C02328BF983E882FD0627A1D130F
+,,Non-repudiation (2.16.528.1.1003.1.2.5.2), in accordance with policy: QCP-n-qscd
The Certification Authority processes and services are documented in the following documents:
-,,Certification Practice Statement (CPS) UZI-register, version 11.6, 1 March 2023 (OID: 2.16.528.1.1007.1.1)
-,,Certification Practice Statement (CPS) ZOVAR, version 6.4, 1 March 2023 (OID: 2.16.528.1.1007.5.1.1)
-,,PKI Disclosure Statement (PDS) UZI-Register, version 11.6, 1 March 2023 (published at: https://www.zorgcsp.nl/pds/pds.html)
Our annual certification audit was performed in August and September 2023. The result of the full audit is that we conclude, based on the objective evidence collected during the certification audit for the period from 1 September 2022 through 31 August 2023, the areas assessed for:
-,,Issuance of qualified certificates for electronic signatures (qualified trust service), in accordance with the policy: QCP-n-qscd
were generally found to be effective, based on the applicable requirements defined in CIBG’s statement of applicability (dated 24 August 2023) and the Overview of applicability.
Audit information:
Audit criteria:
-,,ETSI EN 319 401 v2.3.1 (2021-05) General Policy Requirements for Trust Service Providers
-,,ETSI EN 319 411-1 v1.3.1 (2021-05) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates - Part 1: General requirements, for the policies: NCP, NCP+, OVCP
-,,ETSI EN 319 411-2 v2.4.1 (2021-11) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates;- Part 2: Requirements for trust service providers issuing EU qualified certificates, for the policy: QCP-n-qscd
-,,CA/Browser Forum - Network and Certificate System Security Requirements v1.7 (April 5, 2021)
-,,Regulation (EU) N 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, Chapter III - Trust Services
-,,PKIoverheid - Programma van Eisen v4.11 (2023), part 3 Basiseisen, part 3 Aanvullende eisen and the requirements from parts 3a, 3b, 3h
Audit Period of Time:
1 September 2022 - 31 August 2023
Audit performed:
August and September 2023
Information and Contact:
BSI Group the Netherlands B.V., John M. Keynesplein 9, 1066 EP Amsterdam, NL
|