The third principle is—The certification authority maintains effective controls to provide reasonable assurance that:
The establishment and maintenance of a trustworthy CA environment is essential to the reliability of the CA’s business processes. Without strong CA environmental controls, strong key and certificate life cycle management controls are severely diminished in value. CA environmental controls include CPS and CP management, security management, asset classification and management, personnel security, physical and environmental security of the CA facility, operations management, system access management, systems development and maintenance, business continuity management, monitoring and compliance, and event journaling.