Identity Standards: ISO 24760-1

I’m currently looking at international identity standards and thought that I might post some thoughts about them as I look at them. The first that I have looked at is ISO/IEC FDIS 24760-1:2011(E) “A framework for identity management – Part 1: Terminology and concepts”. This standard is supposed to define key terms for identity management and specify core concepts in identity and identity management. My view is that it should be avoided. The reasons for this are many: it is confused, it is unclear, and it doesn’t use terms in the way that they are standardly used in the identity industry.

The definitions are mostly unclear and imprecise:

  • In many cases they use terms that are just as unclear as the one they are trying to define (e.g. a “domain” is an “environment” – which is undefined – you might as well tell me a domain is a domain).
  • Synonyms are given for terms that are clearly incorrect (e.g. “unique identity” is clearly not a synonym for “identifier” which is an attribute, not an identity).
  • They sometimes confuse different concepts (“verification” is confused with “validation” for instance).
  • They redefine commonly used terms in the industry (authentication is redefined to mean a form of verification).
  • They are inconsistent in their use of other terms defined in the standard.

The section on concepts is, if anything, even more problematic.

  • It is entirely ICT focused (though at other times it claims otherwise) which is unhelpful in the context of a general framework for identity.
  • The discussion of concepts seems very specific. It seems to favour particular implementations and approaches to identity instead of being entirely general.
  • The concepts slip from being descriptive (this is what the concept means) to being normative (this is how a system should behave).
  • It seems to be a somewhat idiosyncratic discussion – not in line with other ones I’ve seen on the same topic.

These were among the reasons that a number of key countries voted against this standard. Unfortunately it was adopted. In short, avoid this standard. There are other ones out there which do a better job of describing the key concepts of identity and identity management. I’ll be describing some of those in other posts.


2 Comments to “Identity Standards: ISO 24760-1”

  1. Hi Doug, funny that I should come across your blog first when looking into advice on adhering to this standard. It seems to me that major vendors are more interested in ISO 27001 when it comes to IdAM than they are in ISO 24760, which tells you about the applicability of the standard. The only place I see it is in references to it from other standards.

  2. Hi Doug, I was wondering whether you ever got around to sharing other standards and resources that do a better job of describing the concepts and terminology around identity. Stating that “ISO 24760-1 is bad” deserves a follow-up.
