ETSI EN 319 401 Trust Service Applicability Workflow

The first applicability question is whether the organization is providing one or more trust services. EN 319 401 defines a TSP as an entity that provides one or more trust services, and its examples include public key certificates, time-stamps, remote electronic signature generation, validation services, preservation services, and registered delivery services.

Do not start by copying every clause into a generic checklist. Create a short scope record that names the service, the trust service token or output, the subscribers and relying parties, the systems used to provide the service, and any trust service components supplied by another party.

Once a service appears to be in scope, identify the trust service policy that explains where the service is intended to apply. EN 319 401 treats the trust service policy as the set of rules indicating the applicability of a trust service to a community or class of application with common security requirements.

The output of this gate is a policy mapping, not a conclusion sentence. The mapping should show the policy name, service type, customer or relying-party community, use limitations, and any service-specific ETSI standard that adds requirements beyond EN 319 401.

The practice statement is where applicability becomes operational. EN 319 401 requires the TSP to specify policies and practices appropriate for the trust services it provides, approve and communicate those policies, and maintain a practice statement that addresses all requirements of the applicable trust service policy.

For an applicability review, the practice statement evidence should show which service is covered, which external organizations support the service, how subscribers and relying parties can obtain relevant documentation, who approves the statement, and how changes are reviewed.

Applicability is not complete until the public-facing service terms match the policy decision. EN 319 401 requires terms and conditions for services to be available to subscribers and relying parties, and it lists specific items that should be covered for each trust service policy supported by the TSP.

Use this gate to prevent hidden scope. The terms should identify the policy being applied, limitations on service use, subscriber obligations, relying-party information, event-log retention, liability limits, legal system, complaint and dispute procedures, conformity assessment scheme if one is claimed, contact information, and any availability undertaking.

If the service remains in scope after the policy, practice-statement, and terms gates, map EN 319 401 baseline areas to concrete evidence. The standard covers risk assessment, information security policy, internal organization, segregation of duties, personnel, assets, access control, cryptographic controls, physical security, operation security, network security, vulnerabilities and incidents, evidence collection, continuity, termination, compliance, and supply chain.

A useful evidence map should avoid vague labels such as compliant or implemented. For each baseline area, name the owner, control, evidence artifact, review trigger, and source requirement. Where a control is conditional, state the condition that made it applicable or not applicable.

Use this table in an independent review note, procurement intake, or audit-prep file. Keep the assigned role and evidence linkage explicit for every gate so scope decisions are auditable and reproducible.

Step | Owner | Evidence | Decision

1. Service identification | Product Security Lead (service owner) | service-boundary diagram + evidence record ID for token, subscribers, relying parties, supporting systems | Is the activity a trust service or a supporting component?

2. Policy applicability | Compliance/Policy Lead (TSP policy owner) | trust-service-policy mapping, scope definition, and service-specific standard list | Which policy and application community/class defines the service?

3. Practice statement mapping | TSP Operations Lead | practice-statement version + external-organization obligation matrix + approval evidence | Does the practice statement cover every requirement in the selected policy?

4. Terms review | Legal Counsel and Customer Terms Owner | published terms artifact ID, terms-change history, complaint channel, assessment-scheme reference, liability and retention clauses | Are public terms aligned with the chosen policy and scope?

5. Baseline evidence map | CISO and Internal Audit Leads | control-level evidence map IDs, review dates, control owners, and retention decision for each EN 319 401 clause group | Can EN 319 401 baseline controls be demonstrated for this exact service boundary?

6. Change trigger | Change Manager and Policy Owner | change-impact log, reclassification notes, notification evidence, evidence-retention adjustments | Does a service, policy, supplier, component, or security change require reassessment or external notice?