
ISO/IEC 27566 — Information security, cybersecurity and privacy protection — Age assurance systems  [three parts, all DRAFT]

 

Introduction

Although this project originally intended to develop a single part standard, two further parts were added later.

 

ISO/IEC 27566 — Information security, cybersecurity and privacy protection — Age assurance systems Part 1: Framework [DRAFT]

Abstract

“This document establishes core principles, including privacy, for the purpose of enabling age related eligibility decisions, by setting out a framework for indicators of confidence about age or an age range of a natural person.”
[Source: ISO/IEC JTC 1/SC 27 SD11 July 2024]

 

Introduction

This standard will lay out the core principles and a framework for determining someone’s age or age-range independently of their identity, for use in age-related eligibility decisions.

 

Scope of the standard

[TBA]

 

Content of the standard

The main clauses cover:

  1. Age assurance attributes - various ways to ascertain someone’s age.
  2. Indicators of confidence - ways to check and confirm the ascertained age.
  3. Privacy objectives - some people are unwilling to disclose their age.
  4. Security objectives - controls to protect age information.
  5. System attack and contraindicators - resisting attempts to subvert or compromise.

Annex - guiding principles for practice statements

 

Status

The drafting started in 2022.

It is at Committee Draft stage.

 

 

ISO/IEC 27566 — Information security, cybersecurity and privacy protection — Age assurance systems Part 2: Technical approaches and guidance for implementation [PROPOSAL]

Abstract

“This document describes different technical approaches suitable in different ecosystems for age assurance systems and guidance for their implementation.”
[Source: PROPOSAL]

 

Introduction

[TBA]

 

Scope of the standard

“Enable developers and users of age assurance systems to understand various technical components that may lie behind them, how they communicate with each other, with relying parties and with individuals that are being subject to an age assurance process [and] Provide guidance for stakeholders of age assurance systems to assist with implementing systems in accordance with the Framework set out in Part 1”
[Source: PROPOSAL]

 

Content of the standard

[TBA]

 

Status

Part 2 is at proposal stage - yet to be confirmed as a new SC 27 project.

 

 

ISO/IEC 27566 — Information security, cybersecurity and privacy protection — Age assurance systems Part 3: Benchmarks for benchmark analysis [DRAFT]

Abstract

“This document establishes benchmarks for benchmarking analysis in the context of age assurance.”
[Source: ISO/IEC JTC 1/SC 27 SD11 July 2024]

 

Introduction

[TBA]

 

Scope of the standard

[TBA]

 

Content of the standard

[TBA]

 

Status

The drafting started in 2023/4. 

This was originally destined to become part 2, then shifted to part 3.

It is at Working Draft stage.

 

 

Personal comments

Whereas self-assertion (e.g. “Click here if you are an adult”) is a simple and commonplace but clearly very weak control, the standard aims to standardise and where necessary strengthen the process of determining someone’s age or age-range without (necessarily) requiring them to disclose their identity and thereby risk compromising their privacy.

The plan is to develop and incorporate appropriate assurance controls into the framework indicating confidence in the determined age or age-range, giving policy- and law-makers options when defining age-related criteria for various purposes. In situations where age is particularly important, additional confidence in the age determination is warranted, even if that implies completing a more involved and lengthy process of age verification, perhaps utilising a third-party age-verification service or aggregating multiple age indicators, taking account of any contraindications, inconsistencies or doubts.

Spoofing (e.g. where an older person pretends or claims to be, and completes the age-verification process on behalf of, someone else, or someone presents a fake credential) is just one of the challenges for this project. There are also identities, credentials, tokens and age-verification subsystems and services, plus individual rights and freedoms to protect.

 

 


Copyright © 2024 IsecT Ltd. Contact us re Intellectual Property Rights