Topic-specific policies
ISO/IEC 27566

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27566 — Information security, cybersecurity and privacy protection — Age assurance systems Framework [DRAFT]



“This document establishes core principles, including privacy, for the purpose of enabling age related eligibility decisions, by setting out a framework for indicators of confidence about age or an age range of a natural person.”
[Source: ISO/IEC JTC 1/SC 27 SD11]



This standard will lay out the core principles and a framework for determining someone’s age or age-range independently of their identity, for use in age-related eligibility decisions.


Scope of the standard



Content of the standard




The drafting project set out in 2022.

A preliminary draft is available to SC 27.


Personal notes

Whereas self-assertion (e.g. “Click here if you are an adult”) is a simple and commonplace but clearly very weak control, the project team aims to standardise and where necessary strengthen the process of determining someone’s age or age-range without (necessarily) requiring them to disclose their identity and so risk compromising their privacy.

The team plans to develop and incorporate appropriate assurance controls into the framework indicating confidence in the determined age/age-range, giving policy- and law-makers options when defining age-related criteria for various purposes. In situations where age is particularly important, additional confidence in the age determination is warranted, even if that implies completing a more involved/lengthy process of age verification, perhaps utilising a third party age-verification service or aggregating multiple age indicators taking account of any contra-indications, inconsistencies or doubts.

Spoofing (e.g. where an older person pretends/claims to be, and completes the age-verification process on behalf of, someone else, or someone presents a fake credential) is just one of the challenges for this project. There are also identities, credentials, tokens and age-verification subsystems/services, plus individual rights and freedoms to protect.



< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2024 IsecT LtdContact us re Intellectual Property Rights