Identity proofing and verification processes

Best practices and guidance on the required processes for initial establishment and subsequent confirmation of an entity’s identity, for parties that are expected to use ITU-T X.1254, ISO/IEC IS 29115 or other similar standards. The material is used to establish and/or confirm identity and thus should give greater confidence in an entity’s identity prior to delivery of a service to that entity, by or for that entity.
In scope:
• The development of identity proofing and verification (IPV) processes to be used as a national body standard in support of enrolment of entities. Definitions are provided for IPV principles, risk assessment, and controls sufficient to meet the requirements of ISO identity management standards for entities, notably ITU-T X.1254 | ISO/IEC IS 29115. These controls shall take account of threats, counter-fraud requirements and best practice guidance described by national policy specifications from government organisations.
• Entities that require to be authenticated in accordance with ISO standards, for which they need to be enrolled:
o Persons, particularly citizens, consumers, government employees and industry employees.
o Devices or Security Modules, particularly (but not limited to) for computer and telecommunication use cases, including Trusted Platform Module (TPM), Mobile Trusted Module (MTM) and similar approved standards.
o Software applications.
o Organisations. For the purposes of trust, all persons, devices and software have a relationship with one or more organisations for reasons of ownership, issuance and management. Each organisation must be trustworthy to the same Level of Assurance as any credentials being issued or asserted, or higher.
• A resulting International Standard that is sufficient for:
o Nations and industry to have confidence in using them
o Nations and industry to have confidence in the results of each other’s national IPV systems and the credentials
o Certification bodies to develop assessment and audit criteria against which certified auditors can successfully conduct Trusted Third Party (TTP) audit and assurance of IPV service providers.

Existing and emerging ISO standards for identity management focus primarily on the policy and technical standards for the operation of identity management and access management systems. They describe the use of credentials and make reference to processes for the issuance of identity credentials. These issuance processes are dependent upon entity Identity Proofing and Verification (IPV) processes for which no reference standards exist. An ISO standard for IPV is required to which other identity management standards can refer, based on the four Levels of Assurance described in ISO/IEC 29115.
