
ISO/IEC 27566 — Information security, cybersecurity and privacy protection — Age assurance systems  [three parts, all DRAFT]

 

Introduction

Although this project originally intended to develop a single part standard, two further parts were added later.

 

ISO/IEC 27566 — Information security, cybersecurity and privacy protection — Age assurance systems Part 1: Framework [DRAFT]

Abstract

“[ISO/IEC 27566-1] establishes core principles, including privacy, for the purpose of enabling age related eligibility decisions, by setting out a framework for indicators of confidence about age or an age range of a natural person.”
[Source: ISO/IEC JTC 1/SC 27 SD11 July 2024]

 

Introduction

This standard will lay out the core principles and a framework for determining someone’s age or age-range independently of their identity, for use in age-related eligibility decisions.

 

Scope of the standard

[TBA]

 

Content of the standard

Oct update: The main clauses are expected to cover:

  1. Overview
  2. Functional characteristics (~functional requirements)
  3. Performance characteristics (~assurance and metrics)
  4. Privacy characteristics (~privacy requirements)
  5. Security characteristics (~information/cyber-security requirements)
  6. Acceptability characteristics (~nondiscrimination requirements)
  7. Practice statements (~documenting the arrangements)

 

Status

The standard development project set out in 2022.

Oct update: Part 1 has been restructured and is already at Draft International Standard stage, likely to hit the streets in 2025.

 

---------

ISO/IEC 27566 — Information security, cybersecurity and privacy protection — Age assurance systems Part 2: Technical approaches and guidance for implementation [PROPOSAL]

Abstract

“[ISO/IEC 27566-2] describes different technical approaches suitable in different ecosystems for age assurance systems and guidance for their implementation.”
[Source: PROPOSAL]

 

Introduction

[TBA]

 

Scope of the standard

“Enable developers and users of age assurance systems to understand various technical components that may lie behind them, how they communicate with each other, with relying parties and with individuals that are being subject to an age assurance process [and] Provide guidance for stakeholders of age assurance systems to assist with implementing systems in accordance with the Framework set out in Part 1”
[Source: PROPOSAL]

 

Content of the standard

[TBA]

 

Status

Part 2 is at an early stage.

Sept status update: The first Working Draft is to be reconsidered and rewritten.

 

 

ISO/IEC 27566 — Information security, cybersecurity and privacy protection — Age assurance systems Part 3: Benchmarks for benchmark analysis [DRAFT]

Abstract

“[ISO/IEC 27566-3] establishes benchmarks for benchmarking analysis in the context of age assurance.”
[Source: ISO/IEC JTC 1/SC 27 SD11 July 2024]

 

Introduction

[TBA]

 

Scope of the standard

[TBA]

 

Content of the standard

[TBA]

 

Status

The standard development project set off in 2023.

This was originally destined to become part 2, then shifted to part 3.

Part 3 is at Working Draft stage.

 

 

Personal comments

Whereas self-assertion (e.g. “Click here if you are an adult”) is a simple and commonplace but clearly very weak control, the standard aims to standardise and where necessary strengthen the process of determining someone’s age or age-range without (necessarily) requiring them to disclose their identity and thereby risk compromising their privacy.

The plan is to develop and incorporate appropriate assurance controls into the framework, indicating confidence in the determined age or age-range and giving policy- and law-makers options when defining age-related criteria for various purposes. In situations where age is particularly important, additional confidence in the age determination is warranted, even if that implies completing a more involved and lengthy process of age verification, perhaps utilising a third-party age-verification service or aggregating multiple age indicators while taking account of any contraindications, inconsistencies or doubts.

Spoofing (e.g. where an older person pretends or claims to be someone else and completes the age-verification process on their behalf, or where someone presents a fake credential) is just one of the challenges for this project. There are also identities, credentials, tokens and age-verification subsystems and services to secure, plus individual rights and freedoms to protect.

The DIS version of Part 1 does not reflect ISO’s plain-English guidance. For example, here’s the very first paragraph of the Introduction:

“This document sets out a framework and core characteristics for age assurance systems deployed for the purpose of enabling age-related eligibility decisions by anybody for any reason in any location through any type of relationship between an individual and the provider of any goods, content, services, venues or spaces that has policy requirements for acquiring assurance about the age or age range of persons (such as the supply of alcohol, tobacco, weapons or online content).”

That sentence has nearly ten times the ISO-recommended number of words.

 


Copyright © 2024 IsecT Ltd.