- ETSI status service referenced by the grounding material for checking current status of ETSI deliverables.
"Information on current status"
Use clauses 7.2, 7.3, and 7.4 to turn trust-service staffing, asset inventory, and access-control requirements into audit-ready records.
Grounded in ETSI EN 319 401 V3.1.1 source material for trust service providers. This is implementation guidance that supports implementation planning; it should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.
This page is for trust service provider teams that need to show how personnel, assets, and access are controlled under ETSI EN 319 401. It focuses on the standard's human-resources controls, asset inventory and classification controls, storage-media handling, and system access controls so the evidence can be reviewed by security, operations, and assessment teams without relying on generic policy language.
Scope the page around three connected control areas: clause 7.2 human resources, clause 7.3 asset management, and clause 7.4 access control. EN 319 401 treats these as operating controls for the TSP, so the record should name the trust service, the trustworthy systems, the facilities or networks involved, and the personnel groups that can affect the service.
Do not reduce the topic to an HR checklist or a password rule. The useful question is whether the TSP can prove that people in trusted roles are appointed and checked, assets are identified and classified, and access to critical functions is authorized, restricted, reviewed, and changed when employment or function changes.
Clause 7.2 requires personnel and contractors to apply information security according to the TSP's established information security policy, topic-specific policies, and procedures. It also requires staff and applicable subcontractors to have expertise, reliability, experience, qualifications, and training appropriate to the offered service and job function.
The visitor-facing artifact should therefore point to records that prove suitability and role control: job descriptions, security responsibilities, training records, screening or check completion before trusted-function access, formal appointment to trusted roles, role acceptance, conflict-of-interest checks for trusted roles, and remote-working conditions where remote work is allowed.
Clause 7.3 requires an appropriate level of asset protection, including information assets, and extends protection to assets provided through the supply chain. The inventory is not optional housekeeping: EN 319 401 describes it as a prerequisite for effective technical vulnerability management and requires classification consistent with the risk assessment.
For each asset or asset group, collect the fields the standard names when applicable: unique asset ID, description, owner, location, asset type, information processed or stored and its information classification, last update or patch date and version, classification level, and end-of-life information.
Storage media evidence belongs with asset management because clause 7.3.3 requires media to be managed across acquisition, use, transportation, and disposal according to the TSP classification scheme and handling requirements. The record should also show protection from damage, theft, unauthorized access, obsolescence, and deterioration for the required retention period.
Clause 7.4 then turns the asset and role model into access-control evidence. System access is limited to authorized individuals; operators, administrators, other privileged accounts, and system auditors are administered using least privilege; privileged accounts are used only when needed for the activity; and strong identification, authentication, and authorization procedures are used for privileged accounts.
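The cross-check described above, as an added example that is not part of EN 319 401 or of the original page: it joins trusted-role personnel records to privileged access grants and reports grants that lack the evidence clauses 7.2 and 7.4 call for. The record layout, field names, account names, and dates are constructed assumptions.

```python
from datetime import date

# Constructed sample evidence; field names are hypothetical, not taken from EN 319 401.
PERSONNEL = {
    "alice": {"screened": date(2024, 1, 10), "appointed": date(2024, 1, 15),
              "accepted": date(2024, 1, 16), "left": None},
    "bob":   {"screened": date(2024, 3, 5), "appointed": None,
              "accepted": None, "left": None},
    "carol": {"screened": date(2023, 6, 1), "appointed": date(2023, 6, 3),
              "accepted": date(2023, 6, 3), "left": date(2024, 9, 30)},
    "dave":  {"screened": date(2024, 5, 20), "appointed": date(2024, 5, 1),
              "accepted": date(2024, 5, 2), "left": None},
}
GRANTS = [  # (person, system, privileged, granted, revoked)
    ("alice", "ca-signing", True, date(2024, 1, 20), None),
    ("bob", "ca-signing", True, date(2024, 3, 10), None),
    ("carol", "ra-admin", True, date(2023, 6, 5), None),
    ("carol", "ca-signing", True, date(2023, 6, 5), date(2024, 9, 30)),
    ("dave", "hsm-admin", True, date(2024, 5, 3), None),
    ("erin", "audit-log", True, date(2024, 2, 1), None),
]

def review_grants(personnel, grants, review_date):
    """Return (person, system, finding) for each privileged grant lacking evidence."""
    findings = []
    for person, system, privileged, granted, revoked in grants:
        if not privileged:
            continue
        rec = personnel.get(person)
        if rec is None:  # access exists but nobody can show who the holder is
            findings.append((person, system, "no personnel record"))
            continue
        # Screening or checks must be complete before trusted-function access.
        if rec["screened"] is None or rec["screened"] > granted:
            findings.append((person, system, "screening not complete before access"))
        # Formal appointment and role acceptance must be on record.
        for field in ("appointed", "accepted"):
            if rec[field] is None:
                findings.append((person, system, f"trusted role not {field}"))
        # Access must change when employment ends.
        left = rec["left"]
        if left and left <= review_date and (revoked is None or revoked > left):
            findings.append((person, system, "access kept after employment ended"))
    return findings

if __name__ == "__main__":
    for finding in review_grants(PERSONNEL, GRANTS, date(2024, 10, 15)):
        print(*finding, sep=" | ")
```

Each finding names the person and system, so it can be attached to the documented access review together with the change made to the access right.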
Use this checklist before audit, conformity-assessment preparation, internal assurance review, or a major service change. Each item should point to a named record rather than a generic statement that the TSP has controls.
The checklist is intentionally narrow: it only covers personnel, asset, storage-media, and access controls grounded in EN 319 401. Incident handling, continuity, supplier control, and legal-operation evidence should be handled in their own EN 319 401 artifacts unless they are directly needed to explain a personnel, asset, or access decision.
"The result of the review, including the necessary changes of access rights, shall be documented."