Presentation for Identiverse conference, Boston, 2018. Walks through overall structure of ISO standardization and presents current work areas of interest to IDM industry.

1. (Exciting) ISO Standards for
Identity management and privacy
Andrew Hughes CISSP, CISM
ITIM Consulting Corp. 🇨🇦
Presented at Identiverse — 2018-06-24

2. Andrew Hughes — @IDIMAndrew 2

3. Why do I help to build standards?
• Standards bring order to systems
• Standards define the ‘rules’
• Standards codify and propagate advances in the state of the art
• Standards help raise the level of good practice widely
• Satisfaction in contribution to the world-wide community
Andrew Hughes — @IDIMAndrew 3

4. The International Organization
for Standardization (ISO)
Andrew Hughes — @IDIMAndrew 4

5. “ISO creates documents
that provide requirements, specifications,
guidelines or characteristics that can
be used consistently to ensure that
materials, products, processes and services
are fit for their purpose.”
Andrew Hughes — @IDIMAndrew 5

6. ISO –The Organization
• International Organization for Standardization
• Not-for-profit organization created in 1947
• The members are national standards bodies (National Bodies – NB)
• 161 Members (1 per country)
• Experts (You!) participate through the National Bodies & Liaisons
• Strategic partnership with theWorldTrade Organization (WTO)
• ISO is one of three global sister organizations (IEC, ISO, ITU) that
develop International Standards for the world.
Andrew Hughes — @IDIMAndrew 6

7. TheValue of ISO Standards?
• WTO Technical Barriers toTrade agreement
• “It aims to ensure that regulations, standards, testing and certification
procedures do not create unnecessary obstacles to trade”
• WTO-ISO strategic partnership
• The use of international standards is a positive activity to avoid creating a
Technical Barrier toTrade
• Nations encouraged to align standardization with ISO Standards
Andrew Hughes — @IDIMAndrew 7

8. The ISO Brand
• ISO brand recognition
• IEC/ISO 27001 – Information security management
• ISO 9001 – Quality management
• ISO 22000 – Food safety management
• ISO 14001 – Environmental management
Andrew Hughes — @IDIMAndrew 8

9. Users of ISO Standards
Andrew Hughes — @IDIMAndrew 9
Compliance
Pages of Four
Large SaaS
Providers

10. ISO/IEC JTC 1/SC 27/WG 5
Andrew Hughes — @IDIMAndrew 10

11. ISO –Working Structure
• ISO/IEC JointTechnical Committee 1
• “… worldwide Information and CommunicationTechnology (ICT) standards
for business and consumer applications…”
• Sub-committee 27 – IT SecurityTechniques
• “The development of standards for the protection of information and ICT.”
• Working Group 5 - Identity management & privacy
technologies
• “… standards and guidelines addressing security aspects of identity
management, biometrics and the protection of personal data”
Andrew Hughes — @IDIMAndrew 11

12. ‘SC 27’Working Groups
• Working Group 1: Information Security Management Systems
• Working Group 2: Cryptography and Security Mechanisms
• Working Group 3: Security Evaluation,Testing and Specification
• Working Group 4: Security Controls and Services
• Working Group 5: Identity Management and PrivacyTechnologies
Andrew Hughes — @IDIMAndrew 12

13. ‘SC 27’
Topic
Areas
Andrew Hughes — @IDIMAndrew 13

14. The Exciting Stuff!
Andrew Hughes — @IDIMAndrew 14

15. Why is Standards Development exciting?
• The thrill of endless meetings at odd hours of the day, with people
around the world, debating the merits of word choices?
• ‘Fast’ development is 24-36 months?
• Learning advanced document library management skills?
• Woohoo!
(Just Kidding!)
Andrew Hughes — @IDIMAndrew 15

16. Why is Standards Development exciting?
• Standards bring order to systems
• Standards define the ‘rules’
• Standards codify and propagate advances in the state of the art
• Standards help raise the level of good practice widely
• Satisfaction in contribution to the world-wide community
• Negotiating consensus amongst experts in the field is complex
Andrew Hughes — @IDIMAndrew 16

17. SC 27WG 5 Standards Projects
Andrew Hughes — @IDIMAndrew 17

18. ‘WG 5’ Projects
• 32 Standards Projects
• 11 Identity Management-related
• 14 PrivacyTechnologies-related
• 7 Biometrics-related
• 5 Study Periods underway
• Each project is at one of six stages
• Proposal, Preparatory, Committee, Enquiry, Approval, Publication
• Lots of info at ISO/IEC SC 27 – Official ISO site
https://www.iso.org/committee/45306.html
Andrew Hughes — @IDIMAndrew 18

19. Reorganization of IDM ‘Assurance’ standards
• 29115 ‘Entity authentication assurance framework’ published 2013
• 29003 ‘Identity proofing’ published as aTechnical Specification 2018
(was to become International Standard, but low consensus)
• Gap exists on front end: ‘Assessment of identity management-
related risk’
• Mis-matches to some 24760 ‘A framework for identity management’
concepts and terms
Andrew Hughes — @IDIMAndrew 19

20. Why does this matter?
• ISO standardization is a ‘forcing function’ to
• ‘De-nationalize’ national standards
• Ensure that the text is understandable and translatable into many languages
• Simplify cross-mappings between national, regional and sector schemes
• The world of authentication has changed since 2010-2013 (when
29115 / 29003 were in heavy development)
Andrew Hughes — @IDIMAndrew 20

21. What is changing?
• Entity authentication assurance framework
• Alignment with NIST 800-63-3 (B+C), UK IDAP, Canada, others
• ‘Levels of assurance’ concept moving out of main body, into Examples
annexes
• Affirmation of credential management and credential authentication focus
• Note: ITU-T updating their version of 29115 in parallel
• Creation of risk assessment standard to feed into controls selection
• Study period on ID proofing and verification
Andrew Hughes — @IDIMAndrew 21

22. WG 5 Project Listing
Andrew Hughes — @IDIMAndrew 22

23. Project highlights
• Entity Authentication Assurance framework – new revision
• Study period for an Identity Assurance Framework
• Risk assessment guidance to go with the assurance frameworks
• Enhancement to 27001 for privacy management
• Guidelines for online privacy notices and consent
Andrew Hughes — @IDIMAndrew 23

24. Biometrics-Related Projects
17922:2017 Telebiometric authentication framework using biometric hardware security module
24745:2011 Biometric information protection
NP 24745 Biometric information protection
24761:2009 Authentication context for biometrics
24761:2009/Cor 1:2013 Authentication context for biometrics -- Technical Corrigendum 1
DIS 24761 Authentication context for biometrics
NP 27553 Security requirements for authentication using biometrics on mobile devices
Andrew Hughes — @IDIMAndrew 24

25. PrivacyTechnologies-related Projects
Andrew Hughes — @IDIMAndrew 25
FDIS 20889 Privacy enhancing data de-identification terminology and classification of techniques
27018:2014 Code of practice for protection of PII in public clouds acting as PII processors
PDTR 27550 Privacy engineering
CD 27552 Enhancement to ISO/IEC 27001 for privacy management -- Requirements
NP 27555 Establishing a PII deletion concept in organizations
AWI TS 27570 Privacy guidelines for Smart Cities
29100:2011 Privacy framework
29101:2013 Privacy architecture framework
FDIS 29101 Privacy architecture framework
29134:2017 Guidelines for privacy impact assessment
29151:2017 Code of practice for personally identifiable information protection
CD 29184 Guidelines for online privacy notices and consent
29190:2015 Privacy capability assessment model

26. Identity Management-Related Projects
Andrew Hughes — @IDIMAndrew 26
24760-1:2011 A framework for identity management -- Part 1: Terminology and concepts
24760-2:2015 A framework for identity management -- Part 2: Reference architecture and requirements
24760-3:2016 A framework for identity management -- Part 3: Practice
AWI 27551 Requirements for attribute-based unlinkable entity authentication
NP 27554 Application of ISO 31000 for assessment of identity management-related risk
TS 29003:2018 Identity proofing
29115:2013 Entity authentication assurance framework
NP 29115 Entity authentication assurance framework
29146:2016 A framework for access management
29191:2012 Requirements for partially anonymous, partially unlinkable authentication.

27. Open Study Periods
Andrew Hughes — @IDIMAndrew 27
Framework of user-centric PII handling based on privacy preference management by users
Identity assurance framework
Privacy consideration in practical workflows
Additional privacy-enhancing data de-identification standards
Development of identity standards landscape Standing Document

28. Why is Standards Development exciting?
• Standards bring order to systems
• Standards define the ‘rules’
• Standards codify and propagate advances in the state of the art
• Standards help raise the level of good practice widely
• Satisfaction in contribution to the world-wide community
• Negotiating consensus amongst experts in the field is complex
Andrew Hughes — @IDIMAndrew 28

29. Get in touch
• AndrewHughes3000@gmail.com
• Twitter: @IDIMAndrew
• LinkedIn: www.linkedin.com/in/andrew-hughes-682058a
Andrew Hughes — @IDIMAndrew 29

30. Links
ISO Pages
• ISO/IEC SC 27 – Official ISO site
https://www.iso.org/committee/45306.html
• ISO/IEC SC 27 – Secretariat site
http://www.din.de/go/jtc1sc27
• Information on the ISO standards development process
https://www.iso.org/stages-and-resources-for-standards-development.html
Compliance and Certification Pages
• https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings
• https://aws.amazon.com/compliance/programs/
• https://trust.salesforce.com/en/compliance/
• Example of a Certificate for ISO/IEC 27001 conformity
https://services.google.com/fh/files/misc/iso_27001_certificate.pdf
Andrew Hughes — @IDIMAndrew 30